Edit tour

Windows Analysis Report
cDtHMoEHO4.exe

Overview

General Information

Sample Name:	cDtHMoEHO4.exe
Analysis ID:	593413
MD5:	52f85f5842d8de0c13b4e7ed08f4f46f
SHA1:	3f34701e1b6c1a27d9db15865fc4fc6de1f450c3
SHA256:	fc45aada4dd0fd54fea4854bd07276881f46b469cc248146d1772188a5704384
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Writes to foreign memory regions

Found potential dummy code loops (likely to delay analysis)

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

Classification

Process Tree

System is w10x64

cDtHMoEHO4.exe (PID: 6384 cmdline: "C:\Users\user\Desktop\cDtHMoEHO4.exe" MD5: 52F85F5842D8DE0C13B4E7ED08F4F46F)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 6464 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "185.252.215.138:80", "Bot Id": "oxxi", "Authorization Header": "56fedf2c36ea8006dc3aee544d6e6c31"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.529276105.0000000000402000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.278504573.00000000038A2000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 6464	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.AppLaunch.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xd20:$pat14: , CommandLine: 0x13980:$v2_1: ListOfProcesses 0x13740:$v4_3: base64str 0x144b1:$v4_4: stringKey 0x11e82:$v4_5: BytesToStringConverted 0x10931:$v4_6: FromBase64 0x123cf:$v4_8: procName
0.3.cDtHMoEHO4.exe.38a0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.cDtHMoEHO4.exe.38a0000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xd20:$pat14: , CommandLine: 0x13980:$v2_1: ListOfProcesses 0x13740:$v4_3: base64str 0x144b1:$v4_4: stringKey 0x11e82:$v4_5: BytesToStringConverted 0x10931:$v4_6: FromBase64 0x123cf:$v4_8: procName
0.2.cDtHMoEHO4.exe.1848b8.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.cDtHMoEHO4.exe.1848b8.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x11b80:$v2_1: ListOfProcesses 0x11940:$v4_3: base64str 0x126b1:$v4_4: stringKey 0x10082:$v4_5: BytesToStringConverted 0xeb31:$v4_6: FromBase64 0x105cf:$v4_8: procName
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "185.252.215.138:80", "Bot Id": "oxxi", "Authorization Header": "56fedf2c36ea8006dc3aee544d6e6c31"}

Multi AV Scanner detection for submitted file

Source: cDtHMoEHO4.exe	Virustotal: Detection: 57%	Perma Link
Source: cDtHMoEHO4.exe	Metadefender: Detection: 20%	Perma Link
Source: cDtHMoEHO4.exe	ReversingLabs: Detection: 65%

Source: cDtHMoEHO4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Code function: 0_2_0041CA44 FindFirstFileExW,

0_2_0041CA44

Source: Joe Sandbox View

ASN Name: AIRMOBFR AIRMOBFR

Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.215.138
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.215.138
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.215.138

Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: cDtHMoEHO4.exe, 00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp, cDtHMoEHO4.exe, 00000000.00000003.278504573.00000000038A2000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.529276105.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.cDtHMoEHO4.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.cDtHMoEHO4.exe.1848b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: cDtHMoEHO4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.cDtHMoEHO4.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.cDtHMoEHO4.exe.1848b8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: cDtHMoEHO4.exe, 00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDeed.exe4 vs cDtHMoEHO4.exe
Source: cDtHMoEHO4.exe, 00000000.00000003.264615412.0000000002190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs cDtHMoEHO4.exe
Source: cDtHMoEHO4.exe, 00000000.00000003.264615412.0000000002190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSV vs cDtHMoEHO4.exe
Source: cDtHMoEHO4.exe, 00000000.00000002.281308987.00000000021F1000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs cDtHMoEHO4.exe
Source: cDtHMoEHO4.exe, 00000000.00000002.281308987.00000000021F1000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSV vs cDtHMoEHO4.exe
Source: cDtHMoEHO4.exe, 00000000.00000003.278504573.00000000038A2000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDeed.exe4 vs cDtHMoEHO4.exe

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_00422853	0_2_00422853
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_0041F06E	0_2_0041F06E
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_0040E975	0_2_0040E975
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_004122F5	0_2_004122F5
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_00411300	0_2_00411300
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_00420C10	0_2_00420C10
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_0041ACC9	0_2_0041ACC9
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_0040E743	0_2_0040E743
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_00422733	0_2_00422733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 2_2_0562EF68	2_2_0562EF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 2_2_0A1C0040	2_2_0A1C0040

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Code function: String function: 00409FB0 appears 43 times

Source: cDtHMoEHO4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: cDtHMoEHO4.exe	Static PE information: Section: aH9d5muW ZLIB complexity 1.00042941046
Source: cDtHMoEHO4.exe	Static PE information: Section: phfIucPg ZLIB complexity 1.00036756227
Source: cDtHMoEHO4.exe	Static PE information: Section: 3W7giXfX ZLIB complexity 1.00062144886
Source: cDtHMoEHO4.exe	Static PE information: Section: 27Xievbd ZLIB complexity 1.0107421875
Source: cDtHMoEHO4.exe	Static PE information: Section: oeUIkpVp ZLIB complexity 1.004296875

Source: cDtHMoEHO4.exe	Virustotal: Detection: 57%
Source: cDtHMoEHO4.exe	Metadefender: Detection: 20%
Source: cDtHMoEHO4.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cDtHMoEHO4.exe "C:\Users\user\Desktop\cDtHMoEHO4.exe"
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior

Source: 0.3.cDtHMoEHO4.exe.38a0000.0.unpack, MicrosoftSqlServerServerSmiContextY.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 2.2.AppLaunch.exe.400000.0.unpack, MicrosoftSqlServerServerSmiContextY.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_01

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Command line argument: EB

0_2_00424540

Source: classification engine

Classification label: mal92.troj.evad.winEXE@4/0@0/1

Source: cDtHMoEHO4.exe

Static PE information: real checksum: 0x9319 should be: 0x976b9

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_00409796 push ecx; ret	0_2_004097A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 2_2_05626AD0 push 5D5F5E5Bh; ret	2_2_05626ABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 2_2_0A1CBF28 push esp; retf	2_2_0A1CBF29

Source: cDtHMoEHO4.exe	Static PE information: section name: aH9d5muW
Source: cDtHMoEHO4.exe	Static PE information: section name: phfIucPg
Source: cDtHMoEHO4.exe	Static PE information: section name: 3W7giXfX
Source: cDtHMoEHO4.exe	Static PE information: section name: 27Xievbd
Source: cDtHMoEHO4.exe	Static PE information: section name: oeUIkpVp
Source: cDtHMoEHO4.exe	Static PE information: section name: .qwecqwe
Source: cDtHMoEHO4.exe	Static PE information: section name: .adata

Source: initial sample

Static PE information: section where entry point is pointing to: aH9d5muW

Source: initial sample	Static PE information: section name: aH9d5muW entropy: 7.99746217862
Source: initial sample	Static PE information: section name: phfIucPg entropy: 7.9986616801
Source: initial sample	Static PE information: section name: 3W7giXfX entropy: 7.99428989719
Source: initial sample	Static PE information: section name: 27Xievbd entropy: 7.80173931198
Source: initial sample	Static PE information: section name: oeUIkpVp entropy: 7.92968871561
Source: initial sample	Static PE information: section name: .qwecqwe entropy: 7.92210775709

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-17858

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Code function: 0_2_0041CA44 FindFirstFileExW,

0_2_0041CA44

Source: AppLaunch.exe, 00000002.00000002.530190806.00000000054D3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_0041307E mov eax, dword ptr fs:[00000030h]		0_2_0041307E
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_0041DB7A mov eax, dword ptr fs:[00000030h]		0_2_0041DB7A

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_004098AE SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004098AE
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_0040D203 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040D203
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: 0_2_00409D82 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409D82

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4FA4008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: EnumSystemLocalesW,	0_2_0041F85F
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: EnumSystemLocalesW,	0_2_004160E7
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: EnumSystemLocalesW,	0_2_0041F8AA
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: EnumSystemLocalesW,	0_2_0041F945
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0041F9D0
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: GetLocaleInfoW,	0_2_0041FC23
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_0041FD49
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: _wcschr,_wcschr,GetLocaleInfoW,	0_2_0041F5BD
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: GetLocaleInfoW,	0_2_0041FE4F
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: GetLocaleInfoW,	0_2_00416609
Source: C:\Users\user\Desktop\cDtHMoEHO4.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_0041FF1E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.cDtHMoEHO4.exe.38a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cDtHMoEHO4.exe.1848b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.529276105.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.278504573.00000000038A2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 6464, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.cDtHMoEHO4.exe.38a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cDtHMoEHO4.exe.1848b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.529276105.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.278504573.00000000038A2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 6464, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	311 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cDtHMoEHO4.exe	57%	Virustotal		Browse
cDtHMoEHO4.exe	20%	Metadefender		Browse
cDtHMoEHO4.exe	66%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1234971	Download File
0.0.cDtHMoEHO4.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.cDtHMoEHO4.exe.38a0000.0.unpack	100%	Avira	HEUR/AGEN.1234971	Download File
0.2.cDtHMoEHO4.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

URLs

Source	Detection	Scanner	Label
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18Response	0%	URL Reputation	safe
http://tempuri.org/Entity/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14Response	0%	URL Reputation	safe

Domains and IPs

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/Entity/Id10Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	cDtHMoEHO4.exe, 00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp, cDtHMoEHO4.exe, 00000000.00000003.278504573.00000000038A2000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.529276105.0000000000402000.00000020.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id7Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id11Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id20	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id3	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id3Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id14Response	AppLaunch.exe, 00000002.00000002.530820855.0000000007121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.252.215.138	unknown	Russian Federation		49619	AIRMOBFR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	593413
Start date and time:	2022-03-21 15:58:39 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	cDtHMoEHO4.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@4/0@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 5.5% (good quality ratio 4.9%) Quality average: 71.2% Quality standard deviation: 30.6%
HCA Information:	Successful, ratio: 91% Number of executed functions: 169 Number of non-executed functions: 57
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.203.70.208, 20.49.150.241, 23.35.237.194, 23.211.6.115, 20.54.89.106
Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, storeedgefd.xbetservices.akadns.net, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, settings-prod-uks-2.uksouth.cloudapp.azure.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, sls.update.microsoft.com, e16646.dscg.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, atm-settingsfe-prod-geo.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target AppLaunch.exe, PID 6464 because it is empty
Not all processes where analyzed, report is missing behavior information

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.96664720256634
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cDtHMoEHO4.exe
File size:	566784
MD5:	52f85f5842d8de0c13b4e7ed08f4f46f
SHA1:	3f34701e1b6c1a27d9db15865fc4fc6de1f450c3
SHA256:	fc45aada4dd0fd54fea4854bd07276881f46b469cc248146d1772188a5704384
SHA512:	6d4980aad001a55ed1f374724ed3eb0c9b6bb25be58d22ff87df51645d396fdb08adab8b457e33bf0c547b1801d8abb20e5b09f3e0b722d16753cd8379ec3cd4
SSDEEP:	12288:HSCbqVGuZG8hqUJVFhDQS03ULaHNqrxlKIQNo8djfmZd+0EJf2lnp8zTA5g:HSCbqEuZdEUthDkEaHNYK3jzCoVcTg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D85b.................T...>...............p....@.............#..........................................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	aH9d5muW
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x62353844 [Sat Mar 19 01:56:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	445554923421947cbff896012e27345a

Entrypoint Preview

Instruction
push 0050A001h
call 00007F91ACA7EE66h
ret
ret
leave
leave
jnp 00007F91ACA7EE08h
test ecx, ebx
salc
lds ebp, fword ptr [edx-29h]
pushfd
and dword ptr [ecx], ecx
and eax, 08646516h
int 40h
pop esi
xchg eax, edi
sar ah, 00000032h
retf 6DE3h
rcl al, cl
outsd
mov eax, dword ptr [9C47E743h]
cmp dh, byte ptr [eax+03E2E16Bh]
add byte ptr [eax-4Ah], cl
jne 00007F91ACA7EE67h
inc ecx
scasd
dec ebx
mov eax, 8B74B931h
add al, A8h
push eax
inc eax
cmp eax, BA6C550Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10ac7c	0xdc	.qwecqwe
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x100000

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
aH9d5muW	0x1000	0x24000	0x11a00	False	1.00042941046	data	7.99746217862	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
phfIucPg	0x25000	0xd2000	0x21e00	False	1.00036756227	data	7.9986616801	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
3W7giXfX	0xf7000	0x10000	0x8400	False	1.00062144886	data	7.99428989719	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
27Xievbd	0x107000	0x2000	0x400	False	1.0107421875	data	7.80173931198	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
oeUIkpVp	0x109000	0x1000	0xa00	False	1.004296875	data	7.92968871561	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.qwecqwe	0x10a000	0x4e000	0x4d800	False	0.987758316532	data	7.92210775709	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.adata	0x158000	0x1000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
kernel32.dll	GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll	GetSysColorBrush
oleaut32.dll	VariantChangeTypeEx
kernel32.dll	RaiseException

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2022 17:01:00.152164936 CET	49765	80	192.168.2.3	185.252.215.138
Mar 21, 2022 17:01:00.179469109 CET	80	49765	185.252.215.138	192.168.2.3
Mar 21, 2022 17:01:00.179641008 CET	49765	80	192.168.2.3	185.252.215.138
Mar 21, 2022 17:01:05.196698904 CET	49765	80	192.168.2.3	185.252.215.138
Mar 21, 2022 17:01:05.224158049 CET	80	49765	185.252.215.138	192.168.2.3

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49765	185.252.215.138	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2022 17:01:05.196698904 CET	3238	OUT	Data Raw: 00 01 00 01 02 02 1d 6e 65 74 2e 74 63 70 3a 2f 2f 31 38 35 2e 32 35 32 2e 32 31 35 2e 31 33 38 3a 38 30 2f 03 08 0c Data Ascii: net.tcp://185.252.215.138:80/

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: cDtHMoEHO4.exePID: 6384, Parent PID: 5668COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	87

Executed Functions

Function 0041307E Relevance: 1.5, APIs: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 004130B9

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b69248e36c6d9a2cac846a1f6b81c467adbf3acbcf51eb32f736d521c6dfd217
Instruction ID: 5a8e1fc8461e1d0dcddf4d429d68b556a7ab49c41856437ad3a01d36d9820934
Opcode Fuzzy Hash: b69248e36c6d9a2cac846a1f6b81c467adbf3acbcf51eb32f736d521c6dfd217
Instruction Fuzzy Hash: 68E0DF34001108EFCF217F64EA59BD93FA5EF40705F104046F8084B229CA2EEE81D969

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB7A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e38685e0da0132220f423c3237d4d2fcfbe87924d6334e5886816783ad52055
Instruction ID: 0f93becb308a3cfb5bbdfd8b51e816a73ceb9f0de852b16d3138c714939a54ff
Opcode Fuzzy Hash: 1e38685e0da0132220f423c3237d4d2fcfbe87924d6334e5886816783ad52055
Instruction Fuzzy Hash: 46E08672915128EBC714DBC9C904D8AF3FCE744B04B12009BF506D3200C274DE40C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 00402730 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00402730(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* __ebp;
				void* _t39;

				_t39 = __edx;
				_push(__ecx);
				_v8 = __ecx;
				E00407104(_v8, 0);
				E00402310(_v8 + 4);
				E00402310(_v8 + 0xc);
				E00402330(_v8 + 0x14);
				E00402330(_v8 + 0x1c);
				E00402310(_v8 + 0x24);
				E00402310(_v8 + 0x2c);
				if(_a4 == 0) {
					E004072DC(__eflags, "bad locale name");
				} else {
					E00407592(_v8, _t39, _v8, _a4); // executed
				}
				return _v8;
			}

0x00402730
0x00402733
0x00402734
0x0040273c
0x00402747
0x00402752
0x0040275d
0x00402768
0x00402773
0x0040277e
0x00402787
0x004027a0
0x00402789
0x00402791
0x00402796
0x004027ab

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040273C
_Yarn.LIBCPMTD ref: 00402747
_Yarn.LIBCPMTD ref: 00402752
_Yarn.LIBCPMTD ref: 0040275D
_Yarn.LIBCPMTD ref: 00402768
_Yarn.LIBCPMTD ref: 00402773
_Yarn.LIBCPMTD ref: 0040277E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00402791

Part of subcall function 00407592: _Yarn.LIBCPMT ref: 004075B1
Part of subcall function 00407592: _Yarn.LIBCPMT ref: 004075D5

Strings

bad locale name, xrefs: 0040279B

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3904239083-1405518554
Opcode ID: 6a3d28ceafa237363d5d04ab4c2798d85c151e4b0417cb775accec00ec4453bc
Instruction ID: 02bb1fb0aa97c30f3f70ca77555402ebb821eb81aecfdd46d8cc419351332750
Opcode Fuzzy Hash: 6a3d28ceafa237363d5d04ab4c2798d85c151e4b0417cb775accec00ec4453bc
Instruction Fuzzy Hash: 2A01BF70904108EBCB0CEBA5CAA6BAD7365AF44308F54447EE9077B3C2D9786F50D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00407A5C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00407A5C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t36;
				void* _t41;
				intOrPtr* _t64;
				void* _t71;
				intOrPtr* _t75;
				intOrPtr* _t76;
				void* _t78;

				_t58 = __ebx;
				_push(8);
				E004097B9(0x424dfc, __ebx, __edi, __esi);
				E00407104(_t78 - 0x14, 0);
				_t75 =  *0x5080dc; // 0x0
				 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
				 *((intOrPtr*)(_t78 - 0x10)) = _t75;
				_t36 = E004044C0( *((intOrPtr*)(_t78 + 8)), E00403420(0x5080d0));
				_t73 = _t36;
				if(_t36 != 0) {
					L5:
					E0040715C(_t78 - 0x14);
					return E00409796(_t73);
				} else {
					if(_t75 == 0) {
						_push( *((intOrPtr*)(_t78 + 8)));
						_push(_t78 - 0x10);
						_t41 = E00407F6B(__ebx, _t71, _t73, _t75, __eflags);
						_pop(_t64);
						__eflags = _t41 - 0xffffffff;
						if(__eflags == 0) {
							E00405140();
							asm("int3");
							_push(8);
							E004097B9(0x424e3a, __ebx, _t73, _t75);
							_t76 = _t64;
							 *((intOrPtr*)(_t78 - 0x14)) = _t76;
							 *((intOrPtr*)(_t78 - 0x10)) = 0;
							__eflags =  *((intOrPtr*)(_t78 + 0x10));
							if( *((intOrPtr*)(_t78 + 0x10)) != 0) {
								 *_t76 = 0x4f9594;
								 *((intOrPtr*)(_t76 + 0x10)) = 0;
								 *((intOrPtr*)(_t76 + 0x30)) = 0;
								 *((intOrPtr*)(_t76 + 0x34)) = 0;
								 *((intOrPtr*)(_t76 + 0x38)) = 0;
								 *((intOrPtr*)(_t76 + 8)) = 0x4f9588;
								 *(_t78 - 4) = 0;
								 *((intOrPtr*)(_t78 - 0x10)) = 1;
							}
							 *((intOrPtr*)(_t76 +  *((intOrPtr*)( *_t76 + 4)))) = 0x4f9590;
							_t28 =  *((intOrPtr*)( *_t76 + 4)) - 8; // -8
							 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 4)) + _t76 - 4)) = _t28;
							__eflags =  *((intOrPtr*)( *_t76 + 4)) + _t76;
							E0040826F(_t58,  *((intOrPtr*)( *_t76 + 4)) + _t76, _t71, _t73,  *((intOrPtr*)( *_t76 + 4)) + _t76,  *((intOrPtr*)(_t78 + 8)),  *((intOrPtr*)(_t78 + 0xc))); // executed
							return E00409796(_t76);
						} else {
							_t73 =  *((intOrPtr*)(_t78 - 0x10));
							 *((intOrPtr*)(_t78 - 0x10)) = _t73;
							 *(_t78 - 4) = 1;
							E00407460(__eflags, _t73);
							 *0x4f7154();
							 *((intOrPtr*)( *((intOrPtr*)( *_t73 + 4))))();
							 *0x5080dc = _t73;
							goto L5;
						}
					} else {
						_t73 = _t75;
						goto L5;
					}
				}
			}

0x00407a5c
0x00407a5c
0x00407a63
0x00407a6d
0x00407a72
0x00407a7d
0x00407a81
0x00407a8d
0x00407a92
0x00407a96
0x00407adb
0x00407ade
0x00407aea
0x00407a98
0x00407a9a
0x00407aa0
0x00407aa6
0x00407aa7
0x00407aad
0x00407aae
0x00407ab1
0x00407aeb
0x00407af0
0x00407af1
0x00407af8
0x00407afd
0x00407aff
0x00407b04
0x00407b07
0x00407b0a
0x00407b0c
0x00407b12
0x00407b15
0x00407b18
0x00407b1b
0x00407b1e
0x00407b25
0x00407b28
0x00407b28
0x00407b3a
0x00407b46
0x00407b49
0x00407b52
0x00407b54
0x00407b60
0x00407ab3
0x00407ab3
0x00407ab6
0x00407aba
0x00407abe
0x00407acb
0x00407ad3
0x00407ad5
0x00000000
0x00407ad5
0x00407a9c
0x00407a9c
0x00000000
0x00407a9c
0x00407a9a

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00407A6D
int.LIBCPMTD ref: 00407A84

Part of subcall function 00403420: std::_Lockit::_Lockit.LIBCPMT ref: 00403436
Part of subcall function 00403420: std::_Lockit::~_Lockit.LIBCPMT ref: 00403460

codecvt.LIBCPMT ref: 00407AA7
std::_Facet_Register.LIBCPMT ref: 00407ABE
std::_Lockit::~_Lockit.LIBCPMT ref: 00407ADE
Concurrency::cancel_current_task.LIBCPMTD ref: 00407AEB

Strings

X}@, xrefs: 00407B1E
.}@, xrefs: 00407B3A

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
String ID: .}@$X}@
API String ID: 3595785899-1276369571
Opcode ID: 87dc5a4d49da654d2ccea8d9697ffb1fb299ea5727cef3ed14801a021c74c1a7
Instruction ID: 1587e220d6f198c1b4ae33d941ebc4be6dd1904de967c9898c344f1dacf98034
Opcode Fuzzy Hash: 87dc5a4d49da654d2ccea8d9697ffb1fb299ea5727cef3ed14801a021c74c1a7
Instruction Fuzzy Hash: 38318C75A00615CFCB11DF65C844AAEBBF1FF48318F10882EE545AB381DB78AE04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004162B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ext-ms-, xrefs: 0041631B
api-ms-, xrefs: 00416307

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 044c2736cb6829943f5e19c24d3069c36715d8459a5bf366403d8353b25bf9ed
Instruction ID: 0c3113043b1b1088eda4acd9746260104244255de5742161ed68aee6fadd9b69
Opcode Fuzzy Hash: 044c2736cb6829943f5e19c24d3069c36715d8459a5bf366403d8353b25bf9ed
Instruction Fuzzy Hash: 06212C71E04219ABCB314B648D41BEB7754AF11764F260122ED26A7380DA38DD41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413CBC Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416B58: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00416B8A

_free.LIBCMT ref: 00413DCB
_free.LIBCMT ref: 00413DE2
_free.LIBCMT ref: 00413DFF
_free.LIBCMT ref: 00413E1A
_free.LIBCMT ref: 00413E31

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: a7e0ba073714df23198b62a91d1c32c70e322e8607eaf4d987d246b81231d8e1
Instruction ID: f1d8f94a53a17b8f9ef6e1b0f094d648909f8d1099feadfc71580ea629cc673c
Opcode Fuzzy Hash: a7e0ba073714df23198b62a91d1c32c70e322e8607eaf4d987d246b81231d8e1
Instruction Fuzzy Hash: 0F51D131A00704AFDB20DF69D881AAB77F5EF54725F14056FE809D7290E739EA81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00402070 Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00402070(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _t31;
				void* _t37;
				void* _t60;

				E00407104( &_v28, 0);
				_t31 =  *0x507f10; // 0x8068f0
				_v8 = _t31;
				_v24 = E00403420(0x508000);
				_v16 = E004044C0(_a4, _v24);
				if(_v16 == 0) {
					if(_v8 == 0) {
						_t37 = E00404290(__ebx, _t60, __edi, __esi,  &_v8, _a4); // executed
						__eflags = _t37 - 0xffffffff;
						if(__eflags != 0) {
							_v12 = _v8;
							E00401330( &_v20, _v12);
							E00407460(__eflags, _v12);
							 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 4))))();
							 *0x507f10 = _v8;
							_v16 = _v8;
							E00406C00( &_v20);
							E00402EA0( &_v20);
						} else {
							E00405140();
						}
					} else {
						_v16 = _v8;
					}
				}
				_v32 = _v16;
				E0040715C( &_v28);
				return _v32;
			}

0x0040207b
0x00402080
0x00402085
0x00402092
0x004020a1
0x004020a8
0x004020ae
0x004020c0
0x004020c8
0x004020cb
0x004020d7
0x004020e1
0x004020ea
0x004020fd
0x00402102
0x0040210a
0x00402110
0x00402118
0x004020cd
0x004020cd
0x004020cd
0x004020b0
0x004020b3
0x004020b3
0x004020ae
0x00402120
0x00402126
0x00402131

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040207B
int.LIBCPMTD ref: 0040208D

Part of subcall function 00403420: std::_Lockit::_Lockit.LIBCPMT ref: 00403436
Part of subcall function 00403420: std::_Lockit::~_Lockit.LIBCPMT ref: 00403460

Concurrency::cancel_current_task.LIBCPMTD ref: 004020CD
std::_Lockit::~_Lockit.LIBCPMT ref: 00402126

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 5da7fe98940c53df49caacc7f13302e548d342832bdd207baa95236868607332
Instruction ID: b87f1b5ce6a936d9ea8d07c24ed8d9553456cee071d1802f99ee60667d550bcf
Opcode Fuzzy Hash: 5da7fe98940c53df49caacc7f13302e548d342832bdd207baa95236868607332
Instruction Fuzzy Hash: E7212874D00109EBCB08EFA5D981AEEB7B4AF48304F1081AAE5167B3D1DB386E44CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00402140 Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00402140(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _t31;
				void* _t37;
				void* _t60;

				E00407104( &_v28, 0);
				_t31 =  *0x507f14; // 0x8167d0
				_v8 = _t31;
				_v24 = E00403420(0x507f08);
				_v16 = E004044C0(_a4, _v24);
				if(_v16 == 0) {
					if(_v8 == 0) {
						_t37 = E00404310(__ebx, _t60, __edi, __esi,  &_v8, _a4); // executed
						__eflags = _t37 - 0xffffffff;
						if(__eflags != 0) {
							_v12 = _v8;
							E00401330( &_v20, _v12);
							E00407460(__eflags, _v12);
							 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 4))))();
							 *0x507f14 = _v8;
							_v16 = _v8;
							E00406C00( &_v20);
							E00402EA0( &_v20);
						} else {
							E00405140();
						}
					} else {
						_v16 = _v8;
					}
				}
				_v32 = _v16;
				E0040715C( &_v28);
				return _v32;
			}

0x0040214b
0x00402150
0x00402155
0x00402162
0x00402171
0x00402178
0x0040217e
0x00402190
0x00402198
0x0040219b
0x004021a7
0x004021b1
0x004021ba
0x004021cd
0x004021d2
0x004021da
0x004021e0
0x004021e8
0x0040219d
0x0040219d
0x0040219d
0x00402180
0x00402183
0x00402183
0x0040217e
0x004021f0
0x004021f6
0x00402201

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040214B
int.LIBCPMTD ref: 0040215D

Part of subcall function 00403420: std::_Lockit::_Lockit.LIBCPMT ref: 00403436
Part of subcall function 00403420: std::_Lockit::~_Lockit.LIBCPMT ref: 00403460

Concurrency::cancel_current_task.LIBCPMTD ref: 0040219D
std::_Lockit::~_Lockit.LIBCPMT ref: 004021F6

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 1e5d7c0c7a4a4ed520f8b2069fd41547638d248c9ae66d4cd2ec9069f0430667
Instruction ID: 966b09ef9c151f06a85fa2ecfb6654c9cc2c48142a8b638f2a0b4037d0f8c826
Opcode Fuzzy Hash: 1e5d7c0c7a4a4ed520f8b2069fd41547638d248c9ae66d4cd2ec9069f0430667
Instruction Fuzzy Hash: 00212A74D00109EBCB04EF95D9819EEB7B4AF48304F1081AAE5157B3D1DA386F41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404830 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00404830(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char* _a28, intOrPtr _a32) {
				signed int _v8;
				char _v32;
				char _v56;
				intOrPtr _v60;
				char* _v64;
				signed char _v65;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				char _v104;
				char _v112;
				char _v120;
				char _v128;
				char _v136;
				char _v144;
				char _v152;
				char _v160;
				signed int _t147;
				intOrPtr* _t172;
				intOrPtr* _t177;
				intOrPtr* _t188;
				intOrPtr* _t191;
				intOrPtr* _t194;
				intOrPtr* _t198;
				void* _t200;
				signed int _t202;
				intOrPtr _t215;
				void* _t218;
				char _t280;
				void* _t312;
				void* _t313;
				signed int _t314;
				intOrPtr _t331;

				_t313 = __esi;
				_t312 = __edi;
				_t218 = __ebx;
				_t147 =  *0x507024; // 0x590d03f3
				_v8 = _t147 ^ _t314;
				if(_a32 <= 0 ||  *_a28 != 0x2b &&  *_a28 != 0x2d) {
					_v80 = 0;
				} else {
					_v80 = 1;
				}
				_v60 = _v80;
				if((E00406680(_a20) & 0x00000e00) == 0x800 && _v60 + 2 <= _a32 &&  *((char*)(_a28 + _v60)) == 0x30 && ( *((char*)(_a28 + _v60 + 1)) == 0x78 ||  *((char*)(_a28 + _v60 + 1)) == 0x58)) {
					_t215 = _v60 + 2;
					_t331 = _t215;
					_v60 = _t215;
				}
				_v88 = E00402070(_t218, _t312, _t313, _t331, E00406710(_a20,  &_v104));
				E00403080( &_v104);
				E00402410( &_v32, _t331, _a32, 0);
				E00406EC0(_v88, _a28, _a28 + _a32, E00403400( &_v32, 0));
				_v84 = E00402210(_t218, _t312, _t313, _t331, E00406710(_a20,  &_v112));
				E00403080( &_v112);
				E00406760(_v84,  &_v56);
				_v64 = E00403400( &_v56, 0);
				_t280 =  *_v64;
				if(_t280 == 0x7f ||  *_v64 <= 0) {
					L20:
					_a32 = E00406870( &_v32);
					_v96 = E00406F30(_a20);
					_v92 = _t280;
					__eflags = _v92;
					if(__eflags < 0) {
						L24:
						_v72 = 0;
						L26:
						_v76 = E00406680(_a20) & 0x000001c0;
						__eflags = _v76 - 0x40;
						if(_v76 == 0x40) {
							L29:
							__eflags = _v76 - 0x100;
							if(_v76 != 0x100) {
								_t172 = E00404F00(_a4,  &_v152, _a12, _a16, E00403400( &_v32, 0), _v60);
								_a12 =  *_t172;
								_a16 =  *((intOrPtr*)(_t172 + 4));
							} else {
								_t188 = E00404F00(_a4,  &_v136, _a12, _a16, E00403400( &_v32, 0), _v60);
								_a12 =  *_t188;
								_a16 =  *((intOrPtr*)(_t188 + 4));
								_t191 = E00404F50(_a4,  &_v144, _a12, _a16, _a24 & 0x000000ff, _v72);
								_a12 =  *_t191;
								_a16 =  *((intOrPtr*)(_t191 + 4));
								_v72 = 0;
							}
							L32:
							_t177 = E00404F00(_a4,  &_v160, _a12, _a16, E00403400( &_v32, _v60), _a32 - _v60); // executed
							_a12 =  *_t177;
							_a16 =  *((intOrPtr*)(_t177 + 4));
							E00406EF0(_a20, 0, 0);
							E00404F50(_a4, _a8, _a12, _a16, _a24 & 0x000000ff, _v72);
							E00402DE0( &_v56);
							E00402DE0( &_v32);
							__eflags = _v8 ^ _t314;
							return E004090D4(_a8, _t218, _v8 ^ _t314, _a4, _t312);
						}
						__eflags = _v76 - 0x100;
						if(_v76 == 0x100) {
							goto L29;
						}
						_t194 = E00404F50(_a4,  &_v120, _a12, _a16, _a24 & 0x000000ff, _v72);
						_a12 =  *_t194;
						_a16 =  *((intOrPtr*)(_t194 + 4));
						_v72 = 0;
						_t198 = E00404F00(_a4,  &_v128, _a12, _a16, E00403400( &_v32, 0), _v60);
						_a12 =  *_t198;
						_a16 =  *((intOrPtr*)(_t198 + 4));
						goto L32;
					}
					if(__eflags > 0) {
						L23:
						_t200 = E00406F30(_a20);
						__eflags = _t200 - _a32;
						if(_t200 > _a32) {
							_t202 = E00406F30(_a20) - _a32;
							__eflags = _t202;
							_v72 = _t202;
							goto L26;
						}
						goto L24;
					}
					__eflags = _v96;
					if(_v96 <= 0) {
						goto L24;
					}
					goto L23;
				} else {
					_v65 = E00406DA0(_v84);
					while(1) {
						_t280 = _v64;
						if( *_t280 == 0x7f) {
							goto L20;
						}
						_t280 =  *_v64;
						if(_t280 <= 0) {
							goto L20;
						}
						_t280 = _a32 - _v60;
						if( *_v64 >= _t280) {
							goto L20;
						}
						_a32 = _a32 -  *_v64;
						E00406790( &_v32, _a32, 1, _v65 & 0x000000ff);
						if( *((char*)(_v64 + (1 << 0))) > 0) {
							_v64 = _v64 + 1;
						}
					}
					goto L20;
				}
			}

0x00404830
0x00404830
0x00404830
0x00404839
0x00404840
0x00404847
0x00404868
0x0040485f
0x0040485f
0x0040485f
0x00404872
0x00404887
0x004048c3
0x004048c3
0x004048c6
0x004048c6
0x004048de
0x004048e4
0x004048f2
0x00404910
0x0040492a
0x00404930
0x0040493c
0x0040494b
0x00404951
0x00404957
0x004049d2
0x004049da
0x004049e5
0x004049e8
0x004049eb
0x004049ef
0x00404a06
0x00404a06
0x00404a1d
0x00404a2a
0x00404a2d
0x00404a31
0x00404aa6
0x00404aa6
0x00404aad
0x00404b3e
0x00404b4b
0x00404b4e
0x00404aaf
0x00404ad1
0x00404ade
0x00404ae1
0x00404b00
0x00404b0d
0x00404b10
0x00404b13
0x00404b13
0x00404b51
0x00404b78
0x00404b85
0x00404b88
0x00404b92
0x00404bb0
0x00404bbb
0x00404bc3
0x00404bce
0x00404bd8
0x00404bd8
0x00404a33
0x00404a3a
0x00000000
0x00000000
0x00404a55
0x00404a62
0x00404a65
0x00404a68
0x00404a8e
0x00404a9b
0x00404a9e
0x00000000
0x00404a9e
0x004049f1
0x004049f9
0x004049fc
0x00404a01
0x00404a04
0x00404a17
0x00404a17
0x00404a1a
0x00000000
0x00404a1a
0x00000000
0x00404a04
0x004049f3
0x004049f7
0x00000000
0x00000000
0x00000000
0x00404963
0x0040496b
0x0040496e
0x0040496e
0x00404977
0x00000000
0x00000000
0x0040497c
0x00404981
0x00000000
0x00000000
0x0040498c
0x00404991
0x00000000
0x00000000
0x0040499e
0x004049af
0x004049c5
0x004049cd
0x004049cd
0x004049d0
0x00000000
0x0040496e

APIs

ctype.LIBCPMTD ref: 00404910
task.LIBCPMTD ref: 00404BBB
task.LIBCPMTD ref: 00404BC3

Strings

@, xrefs: 00404A2D

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: task$ctype
String ID: @
API String ID: 325817495-2766056989
Opcode ID: 02f67c3f54ba1931a10d9c1f87a5f61b70ad7f8c0b8a972a21c9b0ef049cacbc
Instruction ID: 65dd70955f0a55f5970bbedacfa335a568b9b706ee7bd45aa0931de5f4c276eb
Opcode Fuzzy Hash: 02f67c3f54ba1931a10d9c1f87a5f61b70ad7f8c0b8a972a21c9b0ef049cacbc
Instruction Fuzzy Hash: 1BD16FB19001489FCB04DF98D891AEF7BB5AF88304F14816EFA19B7295DB38AD51CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0041D35E

Strings

(}A, xrefs: 0041D2EE

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free
String ID: (}A
API String ID: 269201875-1381349623
Opcode ID: 9e66d7ef480c3de43c37197eb5a1724b55287eb077c3c28e2d37f38efe17e97d
Instruction ID: 28e42944acee908496d0056709879c159d0fe437723cd0eab395bc72425d7ef8
Opcode Fuzzy Hash: 9e66d7ef480c3de43c37197eb5a1724b55287eb077c3c28e2d37f38efe17e97d
Instruction Fuzzy Hash: E031CFB1D0020DAFCB00DF69D880ADF77B5EF45314F15006AF8259B2A1EB39AD91CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6CD Relevance: 4.6, APIs: 3, Instructions: 141
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

_free.LIBCMT ref: 0040F77C
_free.LIBCMT ref: 0040F7AA
_free.LIBCMT ref: 0040F7ED

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 29c7392d6cba69e779d3211d4779b460b947d900780b69101b96827d4c900fc9
Instruction ID: 6ef551ccf6f05ff972f8af619eb03a6ae86cb0a9b18927fb71c999fd42e90dc1
Opcode Fuzzy Hash: 29c7392d6cba69e779d3211d4779b460b947d900780b69101b96827d4c900fc9
Instruction Fuzzy Hash: 0D418C32600106AFD764DFACC881AAAB3F8FF49314724067EE515D7791DB35EC149B94

Uniqueness

Uniqueness Score: -1.00%

Function 00412C37 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00412CC7
_free.LIBCMT ref: 00412CE2
_free.LIBCMT ref: 00412CED

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b014108933b202c930e244bbcd8b8fefd672bf655253a5d4d0c456890aa16cf9
Instruction ID: d89b400b6b28e222ac6ede456a2506794922511611711392952a942a049d81d3
Opcode Fuzzy Hash: b014108933b202c930e244bbcd8b8fefd672bf655253a5d4d0c456890aa16cf9
Instruction Fuzzy Hash: EA216E366082005BEF145F69A9457FF7B59DF85314F24005FEA41DB341F5AA4D8282D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F82C Relevance: 4.6, APIs: 3, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__cftoe.LIBCMT ref: 0040F858
__cftoe.LIBCMT ref: 0040F88A
_free.LIBCMT ref: 0040F8B0

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: d71764a6b455eab761276e706ac18a4de730ea11bee2736d5274b15531ab9ac0
Instruction ID: 5099a839b8c401d5f96556df1a0c01de1b0f3b24e118baa979c213f862350296
Opcode Fuzzy Hash: d71764a6b455eab761276e706ac18a4de730ea11bee2736d5274b15531ab9ac0
Instruction Fuzzy Hash: 9921C773804108BADF30AA96DC45EDF3BA8DF85364F20813BF915F61D1EB38CA448699

Uniqueness

Uniqueness Score: -1.00%

Function 0041D78E Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041D797
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041D805

Part of subcall function 0041C341: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,0041875F,?,00000000,00000000), ref: 0041C3ED

Part of subcall function 00416B58: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00416B8A

_free.LIBCMT ref: 0041D7F6

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: ba46dbff2eedd77df30edb3367c4ae15e5e0402e0fc61bbf4f343b7cb7414a19
Instruction ID: 7e8c07b1448181220530b86c372345be45ad8fd070568a874d049fa4f0666605
Opcode Fuzzy Hash: ba46dbff2eedd77df30edb3367c4ae15e5e0402e0fc61bbf4f343b7cb7414a19
Instruction Fuzzy Hash: 0701D4F2E056157B273126AB4C88CFB696DCEC2B94315002AF930D2240EE688D8281B9

Uniqueness

Uniqueness Score: -1.00%

Function 00414B37 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00414BEA

Strings

RLA, xrefs: 00414BDA

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free
String ID: RLA
API String ID: 269201875-3446559427
Opcode ID: 3fb1d1f2f6ad5ea0600691a42323809ece0f69b31f7931ed4ecc779138d2dcdb
Instruction ID: bd8cbb632104dfb58f82128547e0c26f7371643ef189f3503df8959a6a06353f
Opcode Fuzzy Hash: 3fb1d1f2f6ad5ea0600691a42323809ece0f69b31f7931ed4ecc779138d2dcdb
Instruction Fuzzy Hash: E4317876A006109F8B04CF59C48499EB7F2AFCD32072682A6E529AB360D334FC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004193C6 Relevance: 3.2, APIs: 2, Instructions: 171
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00000000), ref: 00419516
__dosmaperr.LIBCMT ref: 00419555

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast__dosmaperr
String ID:
API String ID: 1659562826-0
Opcode ID: 279fc44ea96dc2dd19d650d3672927697c3b1df2984b0701677c57bb677cb17f
Instruction ID: be1100dd28a9c85008fe6325f41207a76ffea4fae1aea303363ec98a1ad6027a
Opcode Fuzzy Hash: 279fc44ea96dc2dd19d650d3672927697c3b1df2984b0701677c57bb677cb17f
Instruction Fuzzy Hash: 2351D571A0410ABADF11DFA5C854FEE7B79AF49314F14006BF400B7292D6389E82C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040826F Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040826F(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char _a8) {
				void* __esi;
				void* __ebp;
				char _t11;
				void* _t21;

				_t21 = __ecx;
				E0040808D(__ebx, __ecx, __edx, __edi, __ecx, __eflags);
				_t17 = __ecx;
				 *(__ecx + 0x3c) =  *(__ecx + 0x3c) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x38)) = _a4;
				_t11 = E00406E60(__ebx, __ecx, __edi, __ecx, __eflags, 0x20); // executed
				 *((char*)(_t21 + 0x40)) = _t11;
				if( *((intOrPtr*)(_t21 + 0x38)) == 0) {
					_t17 = _t21;
					_t11 = E00405990(_t21,  *(_t21 + 0xc) | 0x00000004, 0);
				}
				if(_a8 != 0) {
					return E00408F51(_t17, _t21);
				}
				return _t11;
			}

0x00408273
0x00408275
0x0040827d
0x0040827f
0x00408285
0x00408288
0x00408291
0x00408294
0x00408299
0x004082a1
0x004082a1
0x004082aa
0x00000000
0x004082b2
0x004082b5

APIs

std::ios_base::_Init.LIBCPMT ref: 00408275

Part of subcall function 0040808D: std::ios_base::clear.LIBCPMTD ref: 004080C5
Part of subcall function 0040808D: std::locale::_Init.LIBCPMT ref: 004080DD

Part of subcall function 00406E60: ctype.LIBCPMTD ref: 00406E85

std::ios_base::clear.LIBCPMTD ref: 004082A1

Part of subcall function 00405990: std::make_error_code.LIBCPMTD ref: 004059F9
Part of subcall function 00405990: std::ios_base::failure::failure.LIBCPMTD ref: 00405A09

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Initstd::ios_base::clear$ctypestd::ios_base::_std::ios_base::failure::failurestd::locale::_std::make_error_code
String ID:
API String ID: 472223081-0
Opcode ID: f6a8cd56fa249bac0b6e04f9e218a57d2c312217997c85573cc18665d9dbb15e
Instruction ID: 7ad6fb4812107210b29553a759a4f9420bc02b686b9122fd4cf1adcb77b93b82
Opcode Fuzzy Hash: f6a8cd56fa249bac0b6e04f9e218a57d2c312217997c85573cc18665d9dbb15e
Instruction Fuzzy Hash: 96F030315047545BE720AA76D649B5B7BD4AB00734F04482FF9C6677C2CABEF4848B98

Uniqueness

Uniqueness Score: -1.00%

Function 004082B8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b576483941f0eff95b9dac161a069ab88e33423e80b2be9e7c7f61c0d14630a
Instruction ID: 828e260cf2eb6666ec9651fada903224471c2580b0d872b49fb0fe6eb250f243
Opcode Fuzzy Hash: 5b576483941f0eff95b9dac161a069ab88e33423e80b2be9e7c7f61c0d14630a
Instruction Fuzzy Hash: 9631823290011AEBCB14CF65CA509EEB7B8BF49714B14026EE941B37D0DB3AF945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00416377 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cee387d251706dce1c071c4d50b67d85549bce8a8005ac707c7f1927775baa7
Instruction ID: 33e74764db78444695d23a8a29bf24b301fd40a311dc301e4288fb4ac235dd7c
Opcode Fuzzy Hash: 2cee387d251706dce1c071c4d50b67d85549bce8a8005ac707c7f1927775baa7
Instruction Fuzzy Hash: BE01F933A041295FDF169E29EC4099B33D6EBC93307154176FE24CB184DB34EC82A695

Uniqueness

Uniqueness Score: -1.00%

Function 00406120 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_swprintf.LIBCMTD ref: 00406160

Part of subcall function 00407060: __vswprintf_s_l.LIBCONCRTD ref: 0040707E

Part of subcall function 00404830: ctype.LIBCPMTD ref: 00404910

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: __vswprintf_s_l_swprintfctype
String ID:
API String ID: 1937283299-0
Opcode ID: 54dc8f2ff8c5cf83a8890da85f0a8c499ee17a03a4880357a7901dcaed1aa52a
Instruction ID: 25153c2c587cd325ebb488e7d33651999719539eaa7be6b1aa482f2c34244c8b
Opcode Fuzzy Hash: 54dc8f2ff8c5cf83a8890da85f0a8c499ee17a03a4880357a7901dcaed1aa52a
Instruction Fuzzy Hash: 100121B690410CABCB04DFD9DC91DAF77BDAF5C704F00861DBA19A7281DA74A910CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041336E Relevance: 1.5, APIs: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00415DB2: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00415DF3

_free.LIBCMT ref: 0041338E

Part of subcall function 00415E0F: HeapFree.KERNEL32(00000000,00000000,?,00414BEF), ref: 00415E25
Part of subcall function 00415E0F: GetLastError.KERNEL32(?,?,00414BEF), ref: 00415E37

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 8f3fce77a34ced50dfe63fe2719de65a9e1e6c92c4a02bf935500f97a6e3b087
Instruction ID: 0033bd0dd2c3b0a6f6e29548515aaa9f79b30f5e8990c9f5fe46f2225c08ac1f
Opcode Fuzzy Hash: 8f3fce77a34ced50dfe63fe2719de65a9e1e6c92c4a02bf935500f97a6e3b087
Instruction Fuzzy Hash: 68010CB6E00619AFCB10DFA9C441ADEFBB8FB48710F14412AE914E7340EB74AA54CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00404290 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

std::_Locinfo::~_Locinfo.LIBCPMTD ref: 00404301

Part of subcall function 004058F0: _Yarn.LIBCPMTD ref: 0040590B

Part of subcall function 00402730: std::_Lockit::_Lockit.LIBCPMT ref: 0040273C
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402747
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402752
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 0040275D
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402768
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402773
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 0040277E
Part of subcall function 00402730: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00402791

Part of subcall function 00402600: std::bad_exception::bad_exception.LIBCMTD ref: 0040260E
Part of subcall function 00402600: ctype.LIBCPMTD ref: 00402623

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Yarn$std::_$LocinfoLocinfo::_Locinfo::~_Locinfo_ctorLockitLockit::_ctypestd::bad_exception::bad_exception
String ID:
API String ID: 4070494121-0
Opcode ID: b01939334e79fb2018ba57f2871bdfa88797be361abebeebc0111a6da49aefc9
Instruction ID: f323a94b688305927c05ef2fe7d25615cbf435ed30d458c486c45539fd036e5c
Opcode Fuzzy Hash: b01939334e79fb2018ba57f2871bdfa88797be361abebeebc0111a6da49aefc9
Instruction Fuzzy Hash: 140148B0E00208EBDB04EFA5C95A79EB770AB40344F1081BAE9067B2D0DB795F45CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00404310 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

std::_Locinfo::~_Locinfo.LIBCPMTD ref: 00404381

Part of subcall function 004058F0: _Yarn.LIBCPMTD ref: 0040590B

Part of subcall function 00402730: std::_Lockit::_Lockit.LIBCPMT ref: 0040273C
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402747
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402752
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 0040275D
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402768
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 00402773
Part of subcall function 00402730: _Yarn.LIBCPMTD ref: 0040277E
Part of subcall function 00402730: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00402791

Part of subcall function 00402640: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 0040264E

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Yarn$std::_$Topology$Concurrency::details::Core::GlobalLocinfoLocinfo::_Locinfo::~_Locinfo_ctorLockitLockit::_ObjectObject::
String ID:
API String ID: 895247952-0
Opcode ID: b452f440d6d0137c0496ed480a2d6dad4a1e257fec16dc397bd9677d2193f1ad
Instruction ID: 21df4b035d7fe75fe1050a43c37438c4c671c4ef78d81f8a4c2bfa02dc1629cb
Opcode Fuzzy Hash: b452f440d6d0137c0496ed480a2d6dad4a1e257fec16dc397bd9677d2193f1ad
Instruction Fuzzy Hash: EA010CB0A00208EBDB04EF65C95679EB774AB40314F10817EE9157B2D0DB795E45CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00415DB2 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00415DF3

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4b4cb80a736e024c5365e1ef0779c7da82cc0d5dcc1bbfe55af3cb8b597c757a
Instruction ID: 001ca31aa1e7430dcf5d67dfa9e5e421a7104d76defc0d61de6ee7ecb8ebb234
Opcode Fuzzy Hash: 4b4cb80a736e024c5365e1ef0779c7da82cc0d5dcc1bbfe55af3cb8b597c757a
Instruction Fuzzy Hash: 41F0BB31604A22D7DB215B62AC09BDB3759DFC1760B18C067F81A96190CF38D88283ED

Uniqueness

Uniqueness Score: -1.00%

Function 00416B58 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00416B8A

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ae67861471d33a2d7da082fde1d1efaca28878c349b5e4f438be611aac2ff57
Instruction ID: ebdd7246f55f9ba89ab1808c34364b9d92a0f5582031a902fb677e4ce5ca2760
Opcode Fuzzy Hash: 9ae67861471d33a2d7da082fde1d1efaca28878c349b5e4f438be611aac2ff57
Instruction Fuzzy Hash: A5E0A03150923156F6302A665C01BEB364C9B413B1F160123EC09D6291DF28FC81C1AD

Uniqueness

Uniqueness Score: -1.00%

Function 00403190 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 004031C5

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: f6cff3c119219bb8e5e3188ddafa0c6c41b685196a396431183e664eef3a0755
Instruction ID: f890e9e53f6c2f551f24cc664b6672cfc41301e71c736ab1b4dfea665b043ee5
Opcode Fuzzy Hash: f6cff3c119219bb8e5e3188ddafa0c6c41b685196a396431183e664eef3a0755
Instruction Fuzzy Hash: 91F090B5D0410CFBCB04DFA5E9419DEBBB5AF05300F1481AAE8056B381EA38EF10DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00407020 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__vfwprintf_l.LIBCONCRTD ref: 00407041

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: __vfwprintf_l
String ID:
API String ID: 1051920573-0
Opcode ID: 9609b8646c1bd4076b11874998fb62df54f91af7ef24e4943d7ff2b9044681b4
Instruction ID: b84223426f3f6137566a8fa610be41f874ca6bb7e17e4b49fd12b851a1a87fd1
Opcode Fuzzy Hash: 9609b8646c1bd4076b11874998fb62df54f91af7ef24e4943d7ff2b9044681b4
Instruction Fuzzy Hash: F2E01AB5D0020CBBDB00EFA4D942B9EB7B8DB48304F1081A9F908A7281E671AB1487D1

Uniqueness

Uniqueness Score: -1.00%

Function 00406E60 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00402070: std::_Lockit::_Lockit.LIBCPMT ref: 0040207B
Part of subcall function 00402070: int.LIBCPMTD ref: 0040208D
Part of subcall function 00402070: std::_Lockit::~_Lockit.LIBCPMT ref: 00402126

ctype.LIBCPMTD ref: 00406E85

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_ctype
String ID:
API String ID: 2260400482-0
Opcode ID: 7e64165f679a919c619a97e812c2b2302fa5ec8a3281399b04fde3a13f4b684c
Instruction ID: a6697332b6128d4ccf8198b155edbfd935112f4cfc6eb62a12e836bb4a4ecf3b
Opcode Fuzzy Hash: 7e64165f679a919c619a97e812c2b2302fa5ec8a3281399b04fde3a13f4b684c
Instruction Fuzzy Hash: 6FE09275C0824826CF04EBE598118BFBB385910204F0005AEA84167282D9395624C7D9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00420C10 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1427COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00420DCC

Strings

1#QNAN, xrefs: 004220BD
1#INF, xrefs: 004220C7
1#SNAN, xrefs: 004220B3
1#IND, xrefs: 004220A9

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b56e4f1345d65cdc3c2b01f00f33ee38958f8d836f067faddee2de97f2b48abf
Instruction ID: 3a4052b226a6724b338d69a989c5a300ad6e1b07fc32cbc5dec7dd883f3cac66
Opcode Fuzzy Hash: b56e4f1345d65cdc3c2b01f00f33ee38958f8d836f067faddee2de97f2b48abf
Instruction Fuzzy Hash: A8D24A71E042288FDB65CE28ED407EAB7B5EB98304F5441EBD80DE7250E778AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5BD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

_wcschr.LIBVCRUNTIME ref: 0041F73D
_wcschr.LIBVCRUNTIME ref: 0041F74B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,004133D4), ref: 0041F80C

Strings

utf8, xrefs: 0041F77B

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast_wcschr$InfoLocale
String ID: utf8
API String ID: 1661624442-905460609
Opcode ID: 8a3be43644f76d228e501b6e6efbf32ed586279acd7e91f7f3a576ac21d25162
Instruction ID: c446ef89c270b7e68671d8fabf5954b6fc3f1ed24caa015424faa0ba0343a5ed
Opcode Fuzzy Hash: 8a3be43644f76d228e501b6e6efbf32ed586279acd7e91f7f3a576ac21d25162
Instruction Fuzzy Hash: 13711A31A00306AAD724AB26CC81BE773A8EF44714F15043FF919972D1EB78E98B8658

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD49 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00420067,00000002,00000000,?,?,?,00420067,?,00000000), ref: 0041FDE2
GetLocaleInfoW.KERNEL32(?,20001004,00420067,00000002,00000000,?,?,?,00420067,?,00000000), ref: 0041FE0B

Strings

ACP, xrefs: 0041FD67
OCP, xrefs: 0041FD9D

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 2ad9fb0e0d60bf6b4c1dc76e7ba0c4017130b07e9824a09d2ce9f574e8116282
Instruction ID: 41e1e2a63e52a2aa1d0243d3886b62f45e7353fef0d6b40f26ee38eb8b9001c2
Opcode Fuzzy Hash: 2ad9fb0e0d60bf6b4c1dc76e7ba0c4017130b07e9824a09d2ce9f574e8116282
Instruction Fuzzy Hash: C0219571A00201A6DB348F55E901BF773A6EF54B64B168436E90BD7211F73ADD8BC358

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9D0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

Part of subcall function 00415B60: _free.LIBCMT ref: 00415BC2
Part of subcall function 00415B60: _free.LIBCMT ref: 00415BF8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FA24
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FA6E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FB34

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: abbd22dcee7f7c2e45ceca65efdbea7bc58009365939a6d05dfd2e5fa2a40264
Instruction ID: 68741d80a71999d3a98d2ff718a2af25fdb0258164a476d4b0dfec742e011678
Opcode Fuzzy Hash: abbd22dcee7f7c2e45ceca65efdbea7bc58009365939a6d05dfd2e5fa2a40264
Instruction Fuzzy Hash: 52617D7194420B9BDB249F25CC92BFAB7A8EF04304F14417BED05C6285E73CE99ADB58

Uniqueness

Uniqueness Score: -1.00%

Function 00411300 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 48%

			E00411300(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t203;
				signed int _t209;
				intOrPtr _t215;
				void* _t218;
				signed int _t230;
				signed int _t233;
				signed int _t236;
				signed int* _t241;
				signed int _t242;
				signed int* _t243;
				signed int* _t244;
				signed int _t246;
				signed int _t247;
				void* _t248;
				intOrPtr* _t249;
				signed int _t250;
				unsigned int _t251;
				signed int _t253;
				signed int* _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t261;
				void* _t265;
				signed char _t271;
				signed int* _t274;
				signed int _t278;
				signed int* _t279;
				intOrPtr* _t286;
				signed int _t288;
				signed int _t289;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				intOrPtr* _t296;
				signed int _t301;
				signed int _t306;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				void* _t312;
				signed int _t313;
				signed int _t316;
				signed int _t320;
				signed int* _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				void* _t326;
				signed int _t331;
				signed int _t338;
				signed int* _t339;

				_t241 = _a4;
				_t322 =  *_t241;
				if(_t322 == 0) {
					L74:
					__eflags = 0;
					return 0;
				} else {
					_t286 = _a8;
					_t190 =  *_t286;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L74;
					} else {
						_t309 = _t190 - 1;
						_t5 = _t322 - 1; // 0x1cb
						_t250 = _t5;
						_v12 = _t250;
						if(_t309 != 0) {
							__eflags = _t309 - _t250;
							if(_t309 > _t250) {
								goto L74;
							} else {
								_t191 = _t250;
								_t288 = _t250 - _t309;
								__eflags = _t250 - _t288;
								if(_t250 < _t288) {
									L19:
									_t288 = _t288 + 1;
									__eflags = _t288;
								} else {
									_t274 =  &(_t241[_t250 + 1]);
									_t338 = _a8 + _t309 * 4 + 4;
									__eflags = _t338;
									while(1) {
										__eflags =  *_t338 -  *_t274;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t338 = _t338 - 4;
										_t274 = _t274 - 4;
										__eflags = _t191 - _t288;
										if(_t191 >= _t288) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t288;
								if(__eflags == 0) {
									goto L74;
								} else {
									_t192 = _a8;
									_t242 = _v56;
									_t323 =  *(_t192 + _t242 * 4);
									_t55 = _t242 * 4; // 0xfffef49b
									_t251 =  *(_t192 + _t55 - 4);
									asm("bsr eax, esi");
									_v52 = _t323;
									_v36 = _t251;
									if(__eflags == 0) {
										_t310 = 0x20;
									} else {
										_t310 = 0x1f - _t192;
									}
									_v16 = _t310;
									_v48 = 0x20 - _t310;
									__eflags = _t310;
									if(_t310 != 0) {
										_t271 = _t310;
										_v36 = _v36 << _t271;
										_v52 = _t323 << _t271 | _t251 >> _v48;
										__eflags = _t242 - 2;
										if(_t242 > 2) {
											_t68 = _t242 * 4; // 0xe850ffff
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t68 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t324 = 0;
									_v32 = 0;
									_t289 = _t288 + 0xffffffff;
									__eflags = _t289;
									_v28 = _t289;
									if(_t289 >= 0) {
										_t197 = _t289 + _t242;
										_t244 = _a4;
										_v60 = _t197;
										_v64 = _t244 + 4 + _t289 * 4;
										_t257 = _t244 - 4 + _t197 * 4;
										_v80 = _t257;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t257[2];
											}
											_t293 = _t257[1];
											_t258 =  *_t257;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t258;
											__eflags = _t310;
											if(_t310 != 0) {
												_t316 = _t258 >> _v48;
												0x424730();
												_t258 = _v16;
												_t198 = _v8;
												_t293 = _t316 | _t293;
												_t324 = _v24 << _t258;
												__eflags = _v60 - 3;
												_v8 = _t198;
												_v24 = _t324;
												if(_v60 >= 3) {
													_t258 = _v48;
													_t324 = _t324 |  *(_t244 + (_v56 + _v28) * 4 - 8) >> _t258;
													__eflags = _t324;
													_t198 = _v8;
													_v24 = _t324;
												}
											}
											0x424690(_t293, _t198, _v52, 0, _t244);
											_v40 = _t244;
											_t246 = _t198;
											_t325 = _t324 ^ _t324;
											_t199 = _t293;
											_v8 = _t246;
											_v20 = _t199;
											_t311 = _t258;
											_v72 = _t246;
											_v68 = _t199;
											_v40 = _t325;
											__eflags = _t199;
											if(_t199 != 0) {
												L37:
												_t247 = _t246 + 1;
												asm("adc eax, 0xffffffff");
												_t311 = _t311 + E004090F0(_t247, _t199, _v52, 0);
												asm("adc esi, edx");
												_t246 = _t247 | 0xffffffff;
												_t199 = 0;
												__eflags = 0;
												_v40 = _t325;
												_v8 = _t246;
												_v72 = _t246;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t246 - 0xffffffff;
												if(_t246 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t325;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L41;
												} else {
													__eflags = _t311 - 0xffffffff;
													if(_t311 <= 0xffffffff) {
														while(1) {
															L41:
															_v8 = _v24;
															_t218 = E004090F0(_v36, 0, _t246, _t199);
															__eflags = _t293 - _t311;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L44:
																_t199 = _v20;
																_t246 = _t246 + 0xffffffff;
																_v72 = _t246;
																asm("adc eax, 0xffffffff");
																_t311 = _t311 + _v52;
																__eflags = _t311;
																_v20 = _t199;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t199;
																if(_t311 == 0) {
																	__eflags = _t311 - 0xffffffff;
																	if(_t311 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t218 - _v8;
																if(_t218 <= _v8) {
																	break;
																} else {
																	goto L44;
																}
															}
															L48:
															_v8 = _t246;
															goto L49;
														}
														_t199 = _v20;
														goto L48;
													}
												}
											}
											L49:
											__eflags = _t199;
											if(_t199 != 0) {
												L51:
												_t259 = _v56;
												_t312 = 0;
												_t326 = 0;
												__eflags = _t259;
												if(_t259 != 0) {
													_t249 = _v64;
													_t209 = _a8 + 4;
													__eflags = _t209;
													_v40 = _t209;
													_v24 = _t259;
													do {
														_v12 =  *_t209;
														_t215 =  *_t249;
														_t265 = _t312 + _v72 * _v12;
														asm("adc esi, edx");
														_t312 = _t326;
														_t326 = 0;
														__eflags = _t215 - _t265;
														if(_t215 < _t265) {
															_t312 = _t312 + 1;
															asm("adc esi, esi");
														}
														 *_t249 = _t215 - _t265;
														_t249 = _t249 + 4;
														_t209 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t209;
													} while ( *_t153 != 0);
													_t246 = _v8;
													_t259 = _v56;
												}
												__eflags = 0 - _t326;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L60:
														__eflags = _t259;
														if(_t259 != 0) {
															_t248 = 0;
															_t296 = _v64;
															_t331 = _a8 + 4;
															__eflags = _t331;
															_t313 = _t259;
															do {
																_t261 =  *_t296;
																_t161 = _t331 + 4; // 0x8d8b5959
																_t331 = _t161;
																_t296 = _t296 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t296 - 4)) = _t261 +  *((intOrPtr*)(_t331 - 4)) + _t248;
																asm("adc eax, 0x0");
																_t248 = 0;
																_t313 = _t313 - 1;
																__eflags = _t313;
															} while (_t313 != 0);
															_t246 = _v8;
														}
														_t246 = _t246 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t312;
														if(_v76 < _t312) {
															goto L60;
														}
													}
												}
												_t203 = _v60 - 1;
												__eflags = _t203;
												_v12 = _t203;
											} else {
												__eflags = _t246;
												if(_t246 != 0) {
													goto L51;
												}
											}
											_t324 = _v32;
											_t244 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t295 = _v28 - 1;
											_t310 = _v16;
											_t257 = _v80 - 4;
											_v32 = 0 + _t246;
											_t197 = _v60 - 1;
											_v28 = _t295;
											_v60 = _t197;
											_v80 = _t257;
											__eflags = _t295;
										} while (_t295 >= 0);
									}
									_t243 = _a4;
									_t253 = _v12 + 1;
									_t195 = _t253;
									__eflags = _t195 -  *_t243;
									if(_t195 <  *_t243) {
										_t292 =  &(( &(_t243[1]))[_t195]);
										do {
											 *_t292 = 0;
											_t292 =  &(_t292[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t243;
										} while (_t195 <  *_t243);
									}
									 *_t243 = _t253;
									__eflags = _t253;
									if(_t253 != 0) {
										while(1) {
											__eflags = _t243[_t253];
											if(_t243[_t253] != 0) {
												goto L73;
											}
											_t253 = _t253 + 0xffffffff;
											__eflags = _t253;
											 *_t243 = _t253;
											if(_t253 != 0) {
												continue;
											}
											goto L73;
										}
									}
									L73:
									return _v32;
								}
							}
						} else {
							_t7 = _t286 + 4; // 0xfffff89c
							_t301 =  *_t7;
							_v12 = _t301;
							if(_t301 != 1) {
								__eflags = _t250;
								if(_t250 != 0) {
									_t320 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t250 - 0xffffffff;
									if(_t250 != 0xffffffff) {
										_t278 = _t250 + 1;
										__eflags = _t278;
										_t279 =  &(_t241[_t278]);
										_v32 = _t279;
										do {
											_t233 =  *_t279;
											0x424690(_t320, _t301, 0, _t241);
											_v28 = _t241;
											_t241 = _t233;
											_v68 = _t301;
											_t320 = _t279;
											_v16 = 0 + _t233;
											_t301 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t279 = _v32 - 4;
											_v32 = _t279;
											_t322 = _t322 - 1;
											__eflags = _t322;
										} while (_t322 != 0);
										_t241 = _a4;
									}
									_v544 = 0;
									_t339 =  &(_t241[1]);
									 *_t241 = 0;
									E004109B3(_t339, 0x1cc,  &_v540, 0);
									_t230 = _v28;
									__eflags = 0 - _t230;
									 *_t339 = _t320;
									_t241[2] = _t230;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t241 = 0xbadbae;
									return _v16;
								} else {
									_t321 =  &(_t241[1]);
									_v544 = _t250;
									 *_t241 = _t250;
									E004109B3(_t321, 0x1cc,  &_v540, _t250);
									_t236 = _t241[1];
									_t306 = _t236 % _v12;
									__eflags = 0 - _t306;
									 *_t321 = _t306;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t241 =  ~0x00000000;
									return _t236 / _v12;
								}
							} else {
								_v544 = _t309;
								 *_t241 = _t309;
								E004109B3( &(_t241[1]), 0x1cc,  &_v540, _t309);
								return _t241[1];
							}
						}
					}
				}
			}

0x0041130c
0x00411311
0x00411315
0x0041178f
0x00411791
0x00411797
0x0041131b
0x0041131b
0x0041131e
0x00411320
0x00411325
0x00000000
0x0041132b
0x0041132b
0x0041132e
0x0041132e
0x00411331
0x00411336
0x00411467
0x00411469
0x00000000
0x0041146f
0x00411471
0x00411473
0x00411475
0x00411477
0x0041149b
0x0041149b
0x0041149b
0x00411479
0x00411480
0x00411483
0x00411483
0x00411486
0x00411488
0x0041148a
0x00000000
0x00000000
0x0041148c
0x0041148d
0x00411490
0x00411493
0x00411495
0x00000000
0x00411497
0x00000000
0x00411497
0x00000000
0x00411495
0x00411499
0x00000000
0x00000000
0x00411499
0x0041149c
0x0041149c
0x0041149e
0x00000000
0x004114a4
0x004114a4
0x004114a7
0x004114aa
0x004114ad
0x004114ad
0x004114b1
0x004114b4
0x004114b7
0x004114ba
0x004114c5
0x004114bc
0x004114c1
0x004114c1
0x004114cf
0x004114d4
0x004114d7
0x004114d9
0x004114e2
0x004114e4
0x004114eb
0x004114ee
0x004114f1
0x004114f9
0x004114ff
0x004114ff
0x004114ff
0x004114ff
0x004114f1
0x00411502
0x00411504
0x0041150b
0x0041150b
0x0041150e
0x00411511
0x00411517
0x0041151a
0x0041151d
0x00411526
0x0041152c
0x0041152f
0x00411532
0x00411532
0x00411535
0x0041153c
0x0041153c
0x00411537
0x00411537
0x00411537
0x0041153e
0x00411541
0x00411543
0x00411546
0x0041154d
0x00411550
0x00411553
0x00411555
0x00411563
0x00411568
0x0041156d
0x00411574
0x00411579
0x0041157b
0x0041157d
0x00411581
0x00411584
0x00411587
0x0041158f
0x00411598
0x00411598
0x0041159a
0x0041159d
0x0041159d
0x00411587
0x004115a8
0x004115ad
0x004115b2
0x004115b4
0x004115b6
0x004115b8
0x004115bb
0x004115be
0x004115c0
0x004115c3
0x004115c6
0x004115c9
0x004115cb
0x004115d2
0x004115d7
0x004115da
0x004115e4
0x004115e6
0x004115e8
0x004115eb
0x004115eb
0x004115ed
0x004115f0
0x004115f3
0x004115f6
0x004115f9
0x004115cd
0x004115cd
0x004115d0
0x00000000
0x00000000
0x004115d0
0x004115fc
0x004115fe
0x00411600
0x00000000
0x00411602
0x00411602
0x00411605
0x00411607
0x00411607
0x00411615
0x00411618
0x0041161d
0x0041161f
0x00000000
0x00000000
0x00411621
0x00411628
0x00411628
0x0041162b
0x0041162e
0x00411631
0x00411634
0x00411634
0x00411637
0x0041163a
0x0041163e
0x00411641
0x00411643
0x00411646
0x00000000
0x00000000
0x00411648
0x00411646
0x00411623
0x00411623
0x00411626
0x00000000
0x00000000
0x00000000
0x00000000
0x00411626
0x0041164d
0x0041164d
0x00000000
0x0041164d
0x0041164a
0x00000000
0x0041164a
0x00411605
0x00411600
0x00411650
0x00411650
0x00411652
0x0041165c
0x0041165c
0x0041165f
0x00411661
0x00411663
0x00411665
0x0041166a
0x0041166d
0x0041166d
0x00411670
0x00411673
0x00411676
0x00411678
0x0041168d
0x0041168f
0x00411691
0x00411693
0x00411695
0x00411697
0x00411699
0x0041169b
0x0041169e
0x0041169e
0x004116a2
0x004116a4
0x004116aa
0x004116ad
0x004116ad
0x004116ad
0x004116b1
0x004116b1
0x004116b6
0x004116b9
0x004116b9
0x004116be
0x004116c0
0x004116c2
0x004116c9
0x004116c9
0x004116cb
0x004116d0
0x004116d2
0x004116d5
0x004116d5
0x004116d8
0x004116e0
0x004116e0
0x004116e2
0x004116e2
0x004116e7
0x004116ed
0x004116f1
0x004116f4
0x004116f7
0x004116f9
0x004116f9
0x004116f9
0x004116fe
0x004116fe
0x00411701
0x00411704
0x004116c4
0x004116c4
0x004116c7
0x00000000
0x00000000
0x004116c7
0x004116c2
0x0041170b
0x0041170b
0x0041170c
0x00411654
0x00411654
0x00411656
0x00000000
0x00000000
0x00411656
0x0041170f
0x0041171c
0x0041171f
0x00411722
0x00411726
0x00411727
0x0041172a
0x0041172d
0x00411733
0x00411734
0x00411737
0x0041173a
0x0041173d
0x0041173d
0x00411532
0x00411748
0x0041174b
0x0041174c
0x0041174e
0x00411750
0x00411755
0x00411760
0x00411760
0x00411766
0x00411769
0x0041176a
0x0041176a
0x00411760
0x0041176e
0x00411770
0x00411772
0x00411774
0x00411774
0x00411778
0x00000000
0x00000000
0x0041177a
0x0041177a
0x0041177d
0x0041177f
0x00000000
0x00000000
0x00000000
0x0041177f
0x00411774
0x00411781
0x0041178c
0x0041178c
0x0041149e
0x0041133c
0x0041133c
0x0041133c
0x0041133f
0x00411345
0x00411376
0x00411378
0x004113ba
0x004113bc
0x004113c3
0x004113ca
0x004113cd
0x004113d0
0x004113d2
0x004113d2
0x004113d3
0x004113d6
0x004113e0
0x004113e6
0x004113ea
0x004113ef
0x004113f2
0x004113f4
0x004113f7
0x00411400
0x00411403
0x00411406
0x00411409
0x0041140f
0x00411412
0x00411415
0x00411415
0x00411415
0x0041141a
0x0041141a
0x00411425
0x00411430
0x00411433
0x0041143f
0x00411444
0x0041144f
0x00411451
0x00411453
0x00411459
0x0041145e
0x00411460
0x00411466
0x0041137a
0x00411385
0x00411388
0x00411394
0x00411396
0x0041139d
0x0041139f
0x004113a7
0x004113a9
0x004113ab
0x004113b0
0x004113b3
0x004113b9
0x004113b9
0x00411347
0x00411355
0x00411361
0x00411363
0x00411375
0x00411375
0x00411345
0x00411336
0x00411325

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3524d87198f2aafc8cc0246be9be89dadb6f5ef0e6e99bb1751a24f03ca4f5ab
Instruction ID: 1dcac8553921f3716f1feb33846794e8c67cb5d1b7af94881de3c3b98ddebec8
Opcode Fuzzy Hash: 3524d87198f2aafc8cc0246be9be89dadb6f5ef0e6e99bb1751a24f03ca4f5ab
Instruction Fuzzy Hash: C4F15D71E002199FDF14CFA8C9806EEB7B1FF88314F25826AD919A7390D735AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF1E Relevance: 3.2, APIs: 2, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

Part of subcall function 00415B60: _free.LIBCMT ref: 00415BC2
Part of subcall function 00415B60: _free.LIBCMT ref: 00415BF8

GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004200CA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004200E9

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorInfoLastLocale_free
String ID:
API String ID: 2665345825-0
Opcode ID: fc2fab7ac8e5a95c9cafc36863166c235627946e08af18fa3afdbcbbe6fce218
Instruction ID: e04242eefb8505bf1b8f4a40b2a0284023e6bc402fb5259602f46c84485d2050
Opcode Fuzzy Hash: fc2fab7ac8e5a95c9cafc36863166c235627946e08af18fa3afdbcbbe6fce218
Instruction Fuzzy Hash: DC51D171A00219AEEB20EBA5EC41BFFB7F9AF08304F44006BE515E7281D7B89945C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040D203 Relevance: 3.1, APIs: 2, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E0040D203(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				char _v5;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				signed int _t68;
				signed int _t69;

				_t67 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x507024; // 0x590d03f3
				_t41 = _t40 ^ _t68;
				_v8 = _t40 ^ _t68;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00409F47(_t41);
					_pop(_t60);
				}
				E0040A5B0(_t65,  &_v804, 0, 0x50);
				E0040A5B0(_t65,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t67;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x7
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_t53 = _v0;
				_v792 = _t53;
				0x3320000();
				_t69 =  &_v5;
				_t66 = _t53;
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -806
				if(UnhandledExceptionFilter(_t36) == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t56 = E00409F47(_t56);
				}
				return E004090D4(_t56, _t59, _v8 ^ _t69, _t64, _t66);
			}

0x0040d203
0x0040d203
0x0040d203
0x0040d20e
0x0040d213
0x0040d215
0x0040d21d
0x0040d21f
0x0040d222
0x0040d227
0x0040d227
0x0040d233
0x0040d246
0x0040d254
0x0040d25a
0x0040d260
0x0040d266
0x0040d26c
0x0040d272
0x0040d278
0x0040d27e
0x0040d284
0x0040d28a
0x0040d291
0x0040d298
0x0040d29f
0x0040d2a6
0x0040d2ad
0x0040d2b4
0x0040d2b5
0x0040d2be
0x0040d2c4
0x0040d2c4
0x0040d2c7
0x0040d2cd
0x0040d2da
0x0040d2e3
0x0040d2ec
0x0040d2f2
0x0040d2f5
0x0040d2fb
0x0040d300
0x0040d303
0x0040d305
0x0040d30b
0x0040d31a
0x0040d326
0x0040d329
0x0040d32e
0x0040d33b

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040D305
UnhandledExceptionFilter.KERNEL32(-00000326,?,?,?,?,?,00000000), ref: 0040D312

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: daea29105129e70342c9466291bfa0a4ea5b1cb3714a7fc5ac74b8bd1005a3fe
Instruction ID: 13276d04fa0094e14e3db08ed53e44b382ceded61fb2484d3d1fe8d8104e8243
Opcode Fuzzy Hash: daea29105129e70342c9466291bfa0a4ea5b1cb3714a7fc5ac74b8bd1005a3fe
Instruction Fuzzy Hash: DC31B474D0121CABCB21DF65D989B9DBBB4BF08310F5041EAE41CA6291E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 00409D82 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00409D82(void* __eax, signed int __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
				char _v0;
				char _v5;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				signed char _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				void* _v1962576708;
				char* _t41;
				intOrPtr _t45;
				long _t50;
				intOrPtr _t52;
				void* _t55;
				signed char _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr* _t63;

				_t60 = __edi;
				_t59 = __edx;
				0x3320000();
				_t57 = __ecx | __ecx;
				 *((intOrPtr*)(__edx + 3)) =  *((intOrPtr*)(__edx + 3)) -  &_v5;
				E00409F47(__eax);
				 *_t63 = 0x2cc;
				_v632 = E0040A5B0(__edi,  &_v808, 0, 0x17);
				_v636 = _t57;
				_v640 = _t59;
				_v644 = _t52;
				_v648 = __esi;
				_v652 = _t60;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t17);
				_v624 = _v0;
				_t41 =  &_v0;
				_v612 = _t41;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t41 - 4));
				E0040A5B0(_t60,  &_v92, 0, 0x50);
				_t45 = _v0;
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _t45;
				0x3320000();
				asm("out dx, al");
				_t30 = _t45 - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t55 =  ~_t30 + 1;
				SetUnhandledExceptionFilter(0);
				_t50 = UnhandledExceptionFilter( &_v12);
				if(_t50 == 0 && _t55 == 0) {
					_push(3);
					return E00409F47(_t50);
				}
				return _t50;
			}

0x00409d82
0x00409d82
0x00409d8e
0x00409d9a
0x00409d9c
0x00409d9f
0x00409da4
0x00409dbc
0x00409dc2
0x00409dc8
0x00409dce
0x00409dd4
0x00409dda
0x00409de0
0x00409de7
0x00409dee
0x00409df5
0x00409dfc
0x00409e03
0x00409e0a
0x00409e0b
0x00409e14
0x00409e1a
0x00409e1d
0x00409e23
0x00409e32
0x00409e3e
0x00409e43
0x00409e49
0x00409e50
0x00409e57
0x00409e5a
0x00409e5f
0x00409e62
0x00409e6a
0x00409e73
0x00409e75
0x00409e78
0x00409e7a
0x00409e84
0x00409e8c
0x00409e92
0x00000000
0x00409e99
0x00409e9c

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00409E7A
UnhandledExceptionFilter.KERNEL32(?), ref: 00409E84

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9e82a7455e044d252ade03dd8dded9dea0f84761bf0329ed0ad670152ee56659
Instruction ID: d899a4c516266bf9ef6d9174749fd313d806fa2219327ef3d15a0afe2630124d
Opcode Fuzzy Hash: 9e82a7455e044d252ade03dd8dded9dea0f84761bf0329ed0ad670152ee56659
Instruction Fuzzy Hash: 18312775D4531C9BDB20EF65D989BCDBBB8BF04304F1041EAE40CAB291EB759A888F45

Uniqueness

Uniqueness Score: -1.00%

Function 004098AE Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 27%

			E004098AE(void* __eflags, struct _EXCEPTION_POINTERS* _a4) {
				intOrPtr _v0;
				void* _v808;
				long _t11;
				intOrPtr _t16;
				signed int _t17;
				signed int _t19;
				signed int _t21;
				signed int _t22;
				intOrPtr _t24;
				intOrPtr _t25;
				void* _t26;
				intOrPtr* _t27;
				intOrPtr* _t29;
				void* _t31;

				_t31 = __eflags;
				_t27 = _t29;
				SetUnhandledExceptionFilter(0);
				_t11 = UnhandledExceptionFilter(_a4);
				0x3320000(0xc0000409, _t26);
				if(_t31 != 0) {
					asm("adc dword [eax], 0x66");
					 *0x5082f0 = ds;
					 *0x5082ec = es;
					 *0x5082e8 = fs;
					goto L4;
				} else {
					0x3320000();
					if(_t31 < 0) {
						L4:
						0x6640e9b9();
						 *0x5082e4 = gs;
						asm("pushfd");
						_pop( *0x508318);
						 *0x50830c =  *_t27;
						 *0x508310 = _v0;
						 *0x50831c =  &_a4;
						 *0x508258 = 0x10001;
						_t16 =  *0x508310; // 0x0
						 *0x508214 = _t16;
						 *0x508208 = 0xc0000409;
						 *0x50820c = 1;
						 *0x508218 = 1;
						_t17 = 4;
						 *((intOrPtr*)(0x50821c + _t17 * 0)) = 2;
						_t19 = 4;
						_t24 =  *0x507024; // 0x590d03f3
						 *((intOrPtr*)(_t27 + _t19 * 0 - 8)) = _t24;
						_t21 = 4;
						_t22 = _t21 << 0;
						__eflags = _t22;
						_t25 =  *0x507020; // 0xa6f2fc0c
						 *((intOrPtr*)(_t27 + _t22 - 8)) = _t25;
						return E004098AE(_t22, 0x4f97a0);
					} else {
						return _t11;
					}
				}
			}

0x004098ae
0x004098af
0x004098b3
0x004098bc
0x004098c7
0x004098cc
0x0040991e
0x00409922
0x00409928
0x0040992f
0x00000000
0x004098ce
0x004098ce
0x004098d3
0x00409932
0x00409932
0x00409937
0x0040993d
0x0040993e
0x00409947
0x0040994f
0x00409957
0x00409962
0x0040996c
0x00409971
0x00409976
0x00409980
0x0040998a
0x00409996
0x0040999a
0x004099a6
0x004099aa
0x004099b0
0x004099b6
0x004099b7
0x004099b7
0x004099ba
0x004099c0
0x004099cf
0x004098d5
0x004098d5
0x004098d5
0x004098d3

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,004099CE,004F97A0), ref: 004098B3
UnhandledExceptionFilter.KERNEL32(?,?,004099CE,004F97A0), ref: 004098BC

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b6950bc46c4bfce1d743b4abb8358c251e6488b7ccdb334e991e07bbcf328c5
Instruction ID: 939113e5313a499e4c267c883331feef7cfa29cb596eb96c63e2315b47a88398
Opcode Fuzzy Hash: 5b6950bc46c4bfce1d743b4abb8358c251e6488b7ccdb334e991e07bbcf328c5
Instruction Fuzzy Hash: 692159B85407059FDB04DF10ED95F6C3BA0FB68700F14842AE6848A3B1DBB46989DF88

Uniqueness

Uniqueness Score: -1.00%

Function 004122F5 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004122F0,?,?,00000008,?,?,00422BFF,00000000), ref: 00412522

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 54f38b7108e56a611a27bbc9b2e95b37ca81833ddd370fe0d5c5ee6214dd291a
Instruction ID: ef6183e47f2596c4f69ddb557e3da90c59c5184545d6cec24db2e04ff1c1adcc
Opcode Fuzzy Hash: 54f38b7108e56a611a27bbc9b2e95b37ca81833ddd370fe0d5c5ee6214dd291a
Instruction Fuzzy Hash: 06B16D31210609DFD718CF28C596BA57BE1FF04364F258659E89ACF3A1C379E9A2CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA44 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fd0d4f0538df3eda6364d63415643e6318b4263e80ad8cd9ae921c425e58cc
Instruction ID: 48e831656716bf529ee58a063cb391b4150e072e9f1d2bfa281748a00cf3bf90
Opcode Fuzzy Hash: b5fd0d4f0538df3eda6364d63415643e6318b4263e80ad8cd9ae921c425e58cc
Instruction Fuzzy Hash: 6D41827184421CAEDB20DF69CC89AEAB7B9EF45304F1442DEE45DD3211D6389E848F54

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC23 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

Part of subcall function 00415B60: _free.LIBCMT ref: 00415BC2
Part of subcall function 00415B60: _free.LIBCMT ref: 00415BF8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041FC77

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 8d64415e03b45b6b6311a5c99651aff19a3c2492bd1591c978113eb2f6a3b17f
Instruction ID: a016b6cc4a5691e1de2d95d8c055b136be6005435d0e03dab985d9e431e64072
Opcode Fuzzy Hash: 8d64415e03b45b6b6311a5c99651aff19a3c2492bd1591c978113eb2f6a3b17f
Instruction Fuzzy Hash: 96217472A4420A9BDB289A15DC51AFB73A8FF44314B14407FFD01D6241FB38ED85AB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8AA Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

EnumSystemLocalesW.KERNEL32(0041F9D0,00000001,00000000,?,-00000050,?,0041FFFE,00000000,?,?,?,00000055,?), ref: 0041F91C

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5d921868485b40143e640f6f7a35303ed7874e979b0c782f03b5da5c1cee2cf9
Instruction ID: 631dc1d8a2b0c6b1d0a3e989f7019b1ce492e87e844cf547dcf3e3d4d3d5c639
Opcode Fuzzy Hash: 5d921868485b40143e640f6f7a35303ed7874e979b0c782f03b5da5c1cee2cf9
Instruction Fuzzy Hash: 6D11E3762047055FDB18AF39C8916FAB791FF80368B18443EE58687740D7756987C744

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE4F Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0041FBEC,00000000,00000000,?), ref: 0041FE7B

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: fe0d88fe903eb86ebdb2b997caf3a47dfa7d2a32b5590e2e8161aadc4fa322bf
Instruction ID: b5dd2fa81199bb9027fd6e2ab0dd78226a395acc72df253bd5c887579a0e60c0
Opcode Fuzzy Hash: fe0d88fe903eb86ebdb2b997caf3a47dfa7d2a32b5590e2e8161aadc4fa322bf
Instruction Fuzzy Hash: 05F0F933A10215BBDB245A25C8057FB7768EF40754F08443AEC06A3291DB38FD86C59C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F945 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

EnumSystemLocalesW.KERNEL32(0041FC23,00000001,?,?,-00000050,?,0041FFC2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0041F98F

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b434e4a23715ac7fd9831296ae8446c88857a2eddb7685e660763ce7bcb0bb92
Instruction ID: 4ae2d687fc996e40090feffb1d57631306b1d2cf84f46ce6bc6904dbda2ab706
Opcode Fuzzy Hash: b434e4a23715ac7fd9831296ae8446c88857a2eddb7685e660763ce7bcb0bb92
Instruction Fuzzy Hash: A9F022722143086FCB146F399881BBABB91FF8032CB09443EF9054B690D6B9AC83C648

Uniqueness

Uniqueness Score: -1.00%

Function 004160E7 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040F5F1: RtlEnterCriticalSection.NTDLL(?), ref: 0040F600

EnumSystemLocalesW.KERNEL32(004160DA,00000001,00506088,0000000C,00416505,00000000), ref: 0041611F

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 26a7123dfa16cd8327168a2567a6ef2135ad98984cbe0d749588d90ef46f9824
Instruction ID: dd42ead542d03655a938f57604ba2b13b04d3353ffb458736381396802133ace
Opcode Fuzzy Hash: 26a7123dfa16cd8327168a2567a6ef2135ad98984cbe0d749588d90ef46f9824
Instruction Fuzzy Hash: A1F03772A00204EFD700EF99E846BAD7BE0FB08725F10426AF410EB2A1CB799944DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0041F85F Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

EnumSystemLocalesW.KERNEL32(0041F7B8,00000001,?,?,?,00420020,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041F896

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bd72be9a20eb952386c7695377593e8c52bd3dd170cd96122151ef5f95a3a639
Instruction ID: 53f93712e8e92aee41a146c7ba62dc05271e8f62986c079ae2fe6a0a7e192967
Opcode Fuzzy Hash: bd72be9a20eb952386c7695377593e8c52bd3dd170cd96122151ef5f95a3a639
Instruction Fuzzy Hash: 3AF0EC3670020557CB04AF36D855BEB7F94EFC1714B4A4069EA058B290D6799887C798

Uniqueness

Uniqueness Score: -1.00%

Function 00416609 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00414509,?,20001004,00000000,00000002,?,?,00413B16), ref: 0041663D

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b0b02d5989af311c3d100a5b9e50c5196ecdd4aff6a18c1fd95f177630c7faf6
Instruction ID: f001274a20369d4b86e4165dd08c9214687757a905cb5ad99a40983dadaf9f05
Opcode Fuzzy Hash: b0b02d5989af311c3d100a5b9e50c5196ecdd4aff6a18c1fd95f177630c7faf6
Instruction Fuzzy Hash: 28E04F32500118BBCF126F61ED05AEE3F19EF44760F058026FD0665261CB79CE71EA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E975 Relevance: 1.5, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0040EAF1

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5d6286a55b24d907d57ad4a316a01da082b90ffb06639fcad0db3f4f6d53a4b3
Instruction ID: 18b5660cacd2d7d2777f0fd5bb4cf4eb06c31f374df21ed787b704790cd93b57
Opcode Fuzzy Hash: 5d6286a55b24d907d57ad4a316a01da082b90ffb06639fcad0db3f4f6d53a4b3
Instruction Fuzzy Hash: 8D5168B031064856DB38966B8495BBF779AAB05304F180C3FE483F73C2C67DAD69860E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E743 Relevance: 1.5, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0040E8BF

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c723a2709db214e7461a977e2312bdd4f94017996930e2b77c01380c044f68c3
Instruction ID: bd012752ca3f610efb4bdde8f170698cac4dc8780731537d2b60ca5b96f99fd0
Opcode Fuzzy Hash: c723a2709db214e7461a977e2312bdd4f94017996930e2b77c01380c044f68c3
Instruction Fuzzy Hash: 0651797160460896EB3CAA2B88957BF6B9A9F42304F184C3FD542F73C1C53DDD69825E

Uniqueness

Uniqueness Score: -1.00%

Function 0041ACC9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47a7154d8ebcf5191994b00c2e611a1afbb7bf206b64465851ff46bc3b0169c
Instruction ID: 057f366dc77d875d257e0e41a92a105bfde5ec37c10ce1370a376f63ae8583b6
Opcode Fuzzy Hash: e47a7154d8ebcf5191994b00c2e611a1afbb7bf206b64465851ff46bc3b0169c
Instruction Fuzzy Hash: AE321132D68F014DD7239634C96233AA649EFB73C4F15D737E81AB5AA6EB29C4C38144

Uniqueness

Uniqueness Score: -1.00%

Function 0041F06E Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 7368b5c4db4649ade3a4a44bbd6fb0f2452ae29b688058555b36a48761bc7f78
Instruction ID: 835f35c94a11872853a2de42cca04fa0d98d469806857969389a478727cca025
Opcode Fuzzy Hash: 7368b5c4db4649ade3a4a44bbd6fb0f2452ae29b688058555b36a48761bc7f78
Instruction Fuzzy Hash: 66B108355007059BCB249F25CC92BF7B3A9EF44308F14457EE947C6681EA79ADCACB18

Uniqueness

Uniqueness Score: -1.00%

Function 00422853 Relevance: .1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186891539693a828caf1ac9bc50989f3fa5bc0a1788f50a6154dfcfd0247198e
Instruction ID: fa2f77aaef0e9744213b4adad36276f73df9fdccb4a36969d58cdf54dc5135f9
Opcode Fuzzy Hash: 186891539693a828caf1ac9bc50989f3fa5bc0a1788f50a6154dfcfd0247198e
Instruction Fuzzy Hash: 3021B673F204395B7B0CC57E8C5227DB6E1C78C501745423EE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00422733 Relevance: .1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea29f0b0ae7055e1b3728f8b4412e9487bf85a42e36d7cfca264defac1481cc
Instruction ID: 624886f941cd7dcb89b385dcbc518eb1767ed8281fdfe2dfa8d9e4bb001ab311
Opcode Fuzzy Hash: 8ea29f0b0ae7055e1b3728f8b4412e9487bf85a42e36d7cfca264defac1481cc
Instruction Fuzzy Hash: 50117723F30C356A675C81698C1727A95D2DBD825074F533AD826E7284E994DE13D294

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBA4 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041EBE8

Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DE6D
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DE7F
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DE91
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DEA3
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DEB5
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DEC7
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DED9
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DEEB
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DEFD
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DF0F
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DF21
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DF33
Part of subcall function 0041DE50: _free.LIBCMT ref: 0041DF45

_free.LIBCMT ref: 0041EBDD

Part of subcall function 00415E0F: HeapFree.KERNEL32(00000000,00000000,?,00414BEF), ref: 00415E25
Part of subcall function 00415E0F: GetLastError.KERNEL32(?,?,00414BEF), ref: 00415E37

_free.LIBCMT ref: 0041EBFF
_free.LIBCMT ref: 0041EC14
_free.LIBCMT ref: 0041EC1F
_free.LIBCMT ref: 0041EC41
_free.LIBCMT ref: 0041EC54
_free.LIBCMT ref: 0041EC62
_free.LIBCMT ref: 0041EC6D
_free.LIBCMT ref: 0041ECA5
_free.LIBCMT ref: 0041ECAC
_free.LIBCMT ref: 0041ECC9
_free.LIBCMT ref: 0041ECE1

Strings

\qP, xrefs: 0041EBBA

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: \qP
API String ID: 161543041-3349682053
Opcode ID: 569f4bae79cf08f8fc0737bdc25839028752d8174ac00da1a46b03f1e8e04e28
Instruction ID: 3fee0873faf2723972c24192dae9724b01382c45cbdabc986cd4ce0830abecbf
Opcode Fuzzy Hash: 569f4bae79cf08f8fc0737bdc25839028752d8174ac00da1a46b03f1e8e04e28
Instruction Fuzzy Hash: 57316D75A04705DFEB21AB3ADC05BD773E4AB80314F14541BE866D7291EB38AAD086A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF4E Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041DF96
_free.LIBCMT ref: 0041DFBA
_free.LIBCMT ref: 0041DFC7
_free.LIBCMT ref: 0041DFEC
_free.LIBCMT ref: 0041DFF9
_free.LIBCMT ref: 0041E002
_free.LIBCMT ref: 0041E2DC
_free.LIBCMT ref: 0041E2E4

Strings

\qP, xrefs: 0041DF7C, 0041E261

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free
String ID: \qP
API String ID: 269201875-3349682053
Opcode ID: 77001c1b63dc582e066ad0147c2b0b451a50aad5d21de8995b9f68f0a897c9c4
Instruction ID: 796177415ab35871222c0f69b29c8a5e27938d74a09c4a95bd2dda8e77050edc
Opcode Fuzzy Hash: 77001c1b63dc582e066ad0147c2b0b451a50aad5d21de8995b9f68f0a897c9c4
Instruction Fuzzy Hash: 31C14776E40208ABDB20DBA9CC46FDFB7F8AF48704F144159FE15FB282D5749A8187A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAB5 Relevance: 21.4, APIs: 14, Instructions: 358COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0040FB24
_free.LIBCMT ref: 0040FB3A
_free.LIBCMT ref: 0040FB4D
_free.LIBCMT ref: 0040FB62
_free.LIBCMT ref: 0040FB77

Part of subcall function 00418300: _free.LIBCMT ref: 0041836B

_free.LIBCMT ref: 0040FE2C
_free.LIBCMT ref: 0040FE3F
_free.LIBCMT ref: 0040FE4D
_free.LIBCMT ref: 0040FE58
_free.LIBCMT ref: 0040FE9A
_free.LIBCMT ref: 0040FEA2
_free.LIBCMT ref: 0040FEA8
_free.LIBCMT ref: 0040FEB0
_free.LIBCMT ref: 0040FEBE

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a701f13677110d1c165a3410be28dfb16a729992245fcc820c995e1c4c1efb4d
Instruction ID: a96ca71ced0d3ef736322adbf236afece80f0f74f3dfd16c82cf565bb9ca81c5
Opcode Fuzzy Hash: a701f13677110d1c165a3410be28dfb16a729992245fcc820c995e1c4c1efb4d
Instruction Fuzzy Hash: 4BD19E71D003099FDB218F65C881BEEBBB5BF48304F14403EE9A5A7792D778A9498B64

Uniqueness

Uniqueness Score: -1.00%

Function 0041E36D Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E3DB
_free.LIBCMT ref: 0041E3E7
_free.LIBCMT ref: 0041E510
_free.LIBCMT ref: 0041E51B

Strings

`qP, xrefs: 0041E566
\qP, xrefs: 0041E398, 0041E54F

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free
String ID: \qP$`qP
API String ID: 269201875-3149702936
Opcode ID: 787d8322cd1865f69f668122d58e204f4a7a72f258bfce9412aa18bb44f6b83e
Instruction ID: 759110da0e4a8c7a22ef564d7fbdee6773e1c7d33438ced81344bd8c42e799d4
Opcode Fuzzy Hash: 787d8322cd1865f69f668122d58e204f4a7a72f258bfce9412aa18bb44f6b83e
Instruction Fuzzy Hash: 63610376900705EFD720DF66C841BEBB7E9AB84710F14441FEC66EB281EB74AD808B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C238 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E0040C238(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				void* _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				signed char _t242;
				signed int _t247;
				void* _t250;
				signed int* _t252;
				signed int _t253;
				intOrPtr _t254;
				signed int _t255;
				void* _t260;
				void* _t264;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t298;
				signed char* _t299;
				signed int _t300;
				signed int _t301;
				signed int* _t303;
				signed char* _t306;
				signed int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t328;
				void* _t330;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t335;

				_t298 = __edx;
				_push(_t317);
				_t303 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E0040D198(_a8, _a16, _t303);
				_t333 = _t332 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t303[1]) {
					L66:
					_t202 = E00411A99(_t201);
					asm("int3");
					_t330 = _t333;
					_t334 = _t333 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if( *_t271 == 0x80000003) {
						return _t202;
					} else {
						_t203 = E0040BEBC(_t271, _t275, _t298, _t317, _t303, _t317);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							_t317 =  *0x4f704c(0);
							_t224 = E0040BEBC(_t271, _t275, _t298, _t317);
							__eflags =  *((intOrPtr*)(_t224 + 8)) - _t317;
							if( *((intOrPtr*)(_t224 + 8)) != _t317) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t215 = E0040A8C5(_t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t334 = _t334 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E0040A7F8(_t271, _t275, 0, _t317,  &_v44,  &_v28, _a20, _a12, _t204);
							_t300 = _v40;
							_t335 = _t334 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t300;
							__eflags = _t300 - _v32;
							if(_t300 >= _v32) {
								goto L83;
							}
							_t277 = _t300 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t277, _t278 << 2);
								_t335 = _t335 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t221[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E0040C1B8(_t300, _t271, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t300 = _v12;
										_t335 = _t335 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t300 = _t300 + 1;
								_t215 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t300;
								_v16 = _t277;
								__eflags = _t300 - _v32;
							} while (_t300 < _v32);
							goto L83;
						}
						E00411A99(_t204);
						asm("int3");
						_push(_t330);
						_t299 = _v184;
						_push(_t271);
						_push(_t317);
						_push(0);
						_t206 = _t299[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t276 = _t206 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L108;
							} else {
								__eflags =  *_t299 & 0x00000080;
								_t306 = _v0;
								if(( *_t299 & 0x00000080) == 0) {
									L90:
									_t272 = _t306[4];
									_t319 = 0;
									__eflags = _t206 - _t272;
									if(_t206 == _t272) {
										L100:
										__eflags =  *_t306 & 0x00000002;
										if(( *_t306 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t319 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t299 & 0x00000002;
													if(( *_t299 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t299 & 0x00000001;
												if(( *_t299 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t299 & 0x00000008;
											if(( *_t299 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t319;
									} else {
										_t185 = _t272 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t210;
											if(_t273 !=  *_t210) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L96:
												_t211 = _t319;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t210 + 1));
												if(_t274 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t210 = _t210 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t306 & 0x00000010;
									if(( *_t306 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t298 = _a12;
						_v8 = _t298;
						goto L24;
					} else {
						_t317 = 0;
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t201 = E0040BEBC(_t270, _t275, _t298, 0);
							if( *((intOrPtr*)(_t201 + 0x10)) == 0) {
								L60:
								return _t201;
							} else {
								_t270 =  *(E0040BEBC(_t270, _t275, _t298, 0) + 0x10);
								_t260 = E0040BEBC(_t270, _t275, _t298, 0);
								_v28 = 1;
								_t201 =  *((intOrPtr*)(_t260 + 0x14));
								_v8 =  *((intOrPtr*)(_t260 + 0x14));
								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t317) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E0040BEBC(_t270, _t275, _t298, _t317) + 0x1c)) == _t317) {
										L23:
										_t298 = _v8;
										_t275 = _v12;
										L24:
										_t201 = 0;
										_v52 = _t303;
										_v48 = 0;
										__eflags =  *_t270 - 0xe06d7363;
										if( *_t270 != 0xe06d7363) {
											L56:
											__eflags = _t303[3] - _t201;
											if(_t303[3] <= _t201) {
												goto L59;
											} else {
												__eflags = _a24 - _t201;
												if(_a24 != _t201) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t275);
													_push(_t303);
													_push(_a16);
													_push(_t298);
													_push(_a8);
													_push(_t270);
													L67();
													_t333 = _t333 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t270[0x10] - 3;
											if(_t270[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t270[0x14] - 0x19930520;
												if(_t270[0x14] == 0x19930520) {
													L29:
													_t317 = _a32;
													__eflags = _t303[3] - _t201;
													if(_t303[3] > _t201) {
														_push(_a28);
														E0040A7F8(_t270, _t275, _t303, _t317,  &_v68,  &_v52, _t275, _a16, _t303);
														_t298 = _v64;
														_t333 = _t333 + 0x18;
														_t247 = _v68;
														_v44 = _t247;
														_v16 = _t298;
														__eflags = _t298 - _v56;
														if(_t298 < _v56) {
															_t290 = _t298 * 0x14;
															__eflags = _t290;
															_v32 = _t290;
															do {
																_t291 = 5;
																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																_t333 = _t333 + 0xc;
																__eflags = _v104 - _t250;
																if(_v104 <= _t250) {
																	__eflags = _t250 - _v100;
																	if(_t250 <= _v100) {
																		_t294 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t252 =  *(_t270[0x1c] + 0xc);
																			_t301 =  *_t252;
																			_t253 =  &(_t252[1]);
																			__eflags = _t253;
																			_v36 = _t253;
																			_t254 = _v88;
																			_v40 = _t301;
																			_v24 = _t254;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t316 = _v36;
																				_t328 = _t301;
																				__eflags = _t328;
																				if(_t328 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t270[0x1c]);
																						_t255 =  &_v84;
																						_push( *_t316);
																						_push(_t255);
																						L86();
																						_t333 = _t333 + 0xc;
																						__eflags = _t255;
																						if(_t255 != 0) {
																							break;
																						}
																						_t328 = _t328 - 1;
																						_t316 = _t316 + 4;
																						__eflags = _t328;
																						if(_t328 > 0) {
																							continue;
																						} else {
																							_t294 = _v20;
																							_t254 = _v24;
																							_t301 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E0040C1B8(_t301, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t316,  &_v104, _a28, _a32);
																					_t333 = _t333 + 0x30;
																				}
																				L43:
																				_t298 = _v16;
																				goto L44;
																				L40:
																				_t294 = _t294 + 1;
																				_t254 = _t254 + 0x10;
																				_v20 = _t294;
																				_v24 = _t254;
																				__eflags = _t294 - _v92;
																			} while (_t294 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t298 = _t298 + 1;
																_t247 = _v44;
																_t290 = _v32 + 0x14;
																_v16 = _t298;
																_v32 = _t290;
																__eflags = _t298 - _v56;
															} while (_t298 < _v56);
															_t303 = _a20;
															_t317 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E0040ABC2(_t270, _t303, _t317, __eflags);
														_t275 = _t270;
													}
													__eflags = ( *_t303 & 0x1fffffff) - 0x19930521;
													if(( *_t303 & 0x1fffffff) < 0x19930521) {
														L59:
														_t201 = E0040BEBC(_t270, _t275, _t298, _t317);
														__eflags =  *(_t201 + 0x1c);
														if( *(_t201 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t303[7];
														if(_t303[7] != 0) {
															L52:
															_t228 = _t303[8] >> 2;
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																_push(_t303[7]);
																_t229 = E0040CC47(_t270, _t303, _t317, _t270);
																_pop(_t275);
																__eflags = _t229;
																if(_t229 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E0040BEBC(_t270, _t275, _t298, _t317) + 0x10) = _t270;
																 *((intOrPtr*)(E0040BEBC(_t270, _t275, _t298, _t317) + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t242 = _t303[8] >> 2;
															__eflags = _t242 & 0x00000001;
															if((_t242 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t270[0x14] - 0x19930521;
													if(_t270[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t270[0x14] - 0x19930522;
														if(_t270[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E0040BEBC(_t270, _t275, _t298, _t317) + 0x1c));
										_t264 = E0040BEBC(_t270, _t275, _t298, _t317);
										_push(_v16);
										 *(_t264 + 0x1c) = _t317;
										if(E0040CC47(_t270, _t303, _t317, _t270) != 0) {
											goto L23;
										} else {
											_t303 = _v16;
											_t354 =  *_t303 - _t317;
											if( *_t303 <= _t317) {
												L61:
												0x414e4c();
											} else {
												while(E0040C8DB( *((intOrPtr*)(_t317 + _t303[1] + 4)), _t354, 0x507bc0) == 0) {
													_t317 = _t317 + 0x10;
													_t269 = _v20 + 1;
													_v20 = _t269;
													_t354 = _t269 -  *_t303;
													if(_t269 >=  *_t303) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t270);
											E0040ABC2(_t270, _t303, _t317, __eflags);
											_t275 =  &_v64;
											E0040C8C3( &_v64);
											E0040A78C( &_v64, 0x505cec);
											L63:
											 *(E0040BEBC(_t270, _t275, _t298, _t317) + 0x10) = _t270;
											_t231 = E0040BEBC(_t270, _t275, _t298, _t317);
											_t275 = _v8;
											 *(_t231 + 0x14) = _v8;
											__eflags = _t317;
											if(_t317 == 0) {
												_t317 = _a8;
											}
											E0040A9EB(_t275, _t317, _t270);
											E0040CB47(_a8, _a16, _t303);
											_t234 = E0040CD04(_t303);
											_t333 = _t333 + 0x10;
											_push(_t234);
											_t201 = E0040CABE(_t270, _t275, _t298, _t303, _t317, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x0040c238
0x0040c23f
0x0040c241
0x0040c24a
0x0040c250
0x0040c258
0x0040c25a
0x0040c25d
0x0040c263
0x0040c5dc
0x0040c5dc
0x0040c5e1
0x0040c5e3
0x0040c5e5
0x0040c5e8
0x0040c5e9
0x0040c5ec
0x0040c5f2
0x0040c711
0x0040c5f8
0x0040c5fa
0x0040c601
0x0040c604
0x0040c60d
0x0040c60f
0x0040c614
0x0040c617
0x0040c619
0x0040c61f
0x0040c621
0x0040c627
0x0040c63c
0x0040c641
0x0040c644
0x0040c646
0x0040c70d
0x00000000
0x0040c70e
0x0040c646
0x0040c627
0x0040c61f
0x0040c617
0x0040c64c
0x0040c64f
0x0040c652
0x0040c655
0x0040c658
0x0040c65e
0x0040c670
0x0040c675
0x0040c678
0x0040c67b
0x0040c67e
0x0040c681
0x0040c684
0x0040c687
0x00000000
0x00000000
0x0040c68d
0x0040c68d
0x0040c690
0x0040c693
0x0040c6a2
0x0040c6a3
0x0040c6a3
0x0040c6a5
0x0040c6a8
0x00000000
0x00000000
0x0040c6aa
0x0040c6ad
0x00000000
0x00000000
0x0040c6bb
0x0040c6bd
0x0040c6c0
0x0040c6c2
0x0040c6ca
0x0040c6ca
0x0040c6cd
0x0040c6cf
0x0040c6d1
0x0040c6ed
0x0040c6f2
0x0040c6f5
0x0040c6f5
0x00000000
0x0040c6cd
0x0040c6c4
0x0040c6c8
0x00000000
0x00000000
0x00000000
0x0040c6f8
0x0040c6fb
0x0040c6fc
0x0040c6ff
0x0040c702
0x0040c705
0x0040c708
0x0040c708
0x00000000
0x0040c693
0x0040c712
0x0040c717
0x0040c718
0x0040c71b
0x0040c71e
0x0040c71f
0x0040c720
0x0040c721
0x0040c724
0x0040c726
0x0040c79e
0x0040c7a0
0x0040c7a0
0x0040c728
0x0040c728
0x0040c72b
0x0040c72e
0x00000000
0x0040c730
0x0040c730
0x0040c733
0x0040c736
0x0040c73d
0x0040c73d
0x0040c740
0x0040c742
0x0040c744
0x0040c776
0x0040c776
0x0040c779
0x0040c780
0x0040c780
0x0040c783
0x0040c786
0x0040c78d
0x0040c78d
0x0040c790
0x0040c797
0x0040c799
0x0040c799
0x0040c792
0x0040c792
0x0040c795
0x00000000
0x00000000
0x0040c795
0x0040c788
0x0040c788
0x0040c78b
0x00000000
0x00000000
0x0040c78b
0x0040c77b
0x0040c77b
0x0040c77e
0x00000000
0x00000000
0x0040c77e
0x0040c79a
0x0040c746
0x0040c746
0x0040c746
0x0040c749
0x0040c749
0x0040c74b
0x0040c74d
0x00000000
0x00000000
0x0040c74f
0x0040c751
0x0040c765
0x0040c765
0x0040c753
0x0040c753
0x0040c756
0x0040c759
0x00000000
0x0040c75b
0x0040c75b
0x0040c75e
0x0040c761
0x0040c763
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c763
0x0040c759
0x0040c76e
0x0040c76e
0x0040c770
0x00000000
0x0040c772
0x0040c772
0x0040c772
0x00000000
0x0040c770
0x0040c769
0x0040c76b
0x0040c76b
0x00000000
0x0040c76b
0x0040c738
0x0040c738
0x0040c73b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c73b
0x0040c736
0x0040c72e
0x0040c7a1
0x0040c7a5
0x0040c7a5
0x0040c272
0x0040c272
0x0040c27b
0x0040c378
0x0040c378
0x0040c37b
0x00000000
0x0040c2aa
0x0040c2aa
0x0040c2af
0x00000000
0x0040c2b5
0x0040c2b5
0x0040c2bd
0x0040c576
0x0040c57a
0x0040c2c3
0x0040c2c8
0x0040c2cb
0x0040c2d0
0x0040c2d4
0x0040c2d7
0x0040c2dc
0x00000000
0x0040c314
0x0040c31c
0x0040c380
0x0040c380
0x0040c383
0x0040c386
0x0040c386
0x0040c388
0x0040c38b
0x0040c38e
0x0040c394
0x0040c545
0x0040c545
0x0040c548
0x00000000
0x0040c54a
0x0040c54a
0x0040c54d
0x00000000
0x0040c553
0x0040c553
0x0040c556
0x0040c559
0x0040c55a
0x0040c55b
0x0040c55e
0x0040c55f
0x0040c562
0x0040c563
0x0040c568
0x00000000
0x0040c568
0x0040c54d
0x0040c39a
0x0040c39a
0x0040c39e
0x00000000
0x0040c3a4
0x0040c3a4
0x0040c3ab
0x0040c3c3
0x0040c3c3
0x0040c3c6
0x0040c3c9
0x0040c3cf
0x0040c3df
0x0040c3e4
0x0040c3e7
0x0040c3ea
0x0040c3ed
0x0040c3f0
0x0040c3f3
0x0040c3f6
0x0040c3fc
0x0040c3fc
0x0040c3ff
0x0040c402
0x0040c411
0x0040c412
0x0040c412
0x0040c414
0x0040c417
0x0040c41d
0x0040c420
0x0040c426
0x0040c428
0x0040c42b
0x0040c42e
0x0040c437
0x0040c43a
0x0040c43c
0x0040c43c
0x0040c43f
0x0040c442
0x0040c445
0x0040c448
0x0040c44b
0x0040c450
0x0040c451
0x0040c452
0x0040c453
0x0040c454
0x0040c457
0x0040c459
0x0040c45b
0x00000000
0x0040c45d
0x0040c45d
0x0040c45d
0x0040c460
0x0040c463
0x0040c465
0x0040c466
0x0040c46b
0x0040c46e
0x0040c470
0x00000000
0x00000000
0x0040c472
0x0040c473
0x0040c476
0x0040c478
0x00000000
0x0040c47a
0x0040c47a
0x0040c47d
0x0040c480
0x00000000
0x0040c480
0x00000000
0x0040c478
0x0040c494
0x0040c49a
0x0040c4b7
0x0040c4bc
0x0040c4bc
0x0040c4bf
0x0040c4bf
0x00000000
0x0040c483
0x0040c483
0x0040c484
0x0040c487
0x0040c48a
0x0040c48d
0x0040c48d
0x00000000
0x0040c492
0x0040c42e
0x0040c420
0x0040c4c2
0x0040c4c5
0x0040c4c6
0x0040c4c9
0x0040c4cc
0x0040c4cf
0x0040c4d2
0x0040c4d2
0x0040c4db
0x0040c4de
0x0040c4de
0x0040c3f6
0x0040c4e1
0x0040c4e5
0x0040c4e7
0x0040c4ea
0x0040c4f0
0x0040c4f0
0x0040c4f8
0x0040c4fd
0x0040c56b
0x0040c56b
0x0040c570
0x0040c574
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c4ff
0x0040c4ff
0x0040c503
0x0040c515
0x0040c518
0x0040c51b
0x0040c51d
0x0040c534
0x0040c538
0x0040c53e
0x0040c53f
0x0040c541
0x00000000
0x0040c543
0x00000000
0x0040c543
0x0040c51f
0x0040c524
0x0040c52f
0x00000000
0x0040c52f
0x0040c505
0x0040c508
0x0040c50b
0x0040c50d
0x00000000
0x0040c50f
0x0040c50f
0x0040c513
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c513
0x0040c50d
0x0040c503
0x0040c3ad
0x0040c3ad
0x0040c3b4
0x00000000
0x0040c3b6
0x0040c3b6
0x0040c3bd
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c3bd
0x0040c3b4
0x0040c3ab
0x0040c39e
0x0040c31e
0x0040c326
0x0040c329
0x0040c32e
0x0040c332
0x0040c33e
0x00000000
0x0040c340
0x0040c340
0x0040c343
0x0040c345
0x0040c57b
0x0040c57b
0x00000000
0x0040c34b
0x0040c367
0x0040c36a
0x0040c36b
0x0040c36e
0x0040c370
0x00000000
0x0040c376
0x00000000
0x0040c376
0x00000000
0x0040c370
0x0040c34b
0x0040c580
0x0040c580
0x0040c582
0x0040c583
0x0040c58a
0x0040c58d
0x0040c59b
0x0040c5a0
0x0040c5a5
0x0040c5a8
0x0040c5ad
0x0040c5b0
0x0040c5b3
0x0040c5b5
0x0040c5b7
0x0040c5b7
0x0040c5bc
0x0040c5c8
0x0040c5ce
0x0040c5d3
0x0040c5d6
0x0040c5d7
0x00000000
0x0040c5d7
0x0040c33e
0x0040c31c
0x0040c2dc
0x0040c2bd
0x0040c2af
0x0040c27b

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0040C335
type_info::operator==.LIBVCRUNTIME ref: 0040C357
___TypeMatch.LIBVCRUNTIME ref: 0040C466
CatchIt.LIBVCRUNTIME ref: 0040C4B7
IsInExceptionSpec.LIBVCRUNTIME ref: 0040C538
_UnwindNestedFrames.LIBCMT ref: 0040C5BC
CallUnexpected.LIBVCRUNTIME ref: 0040C5D7

Strings

csm, xrefs: 0040C2E2
csm, xrefs: 0040C275
csm, xrefs: 0040C38E

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 6968e655a459fb8aac313ce18fc6ce9bd7ab3568aac2a0b113b4269c991327ac
Instruction ID: 2449beca96e8c04896dd943f3fff17f41856bb5e2ff4e1f2e52e2eca51ba70f6
Opcode Fuzzy Hash: 6968e655a459fb8aac313ce18fc6ce9bd7ab3568aac2a0b113b4269c991327ac
Instruction Fuzzy Hash: 27B16A75800219EFCF25DFA5C8819AFB7B5FF04314B14826AE8117B392D738EA51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A551 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 302COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0041A7D9

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: f61b8768da32fad8a10e00e97914657208e169597e76aeff55309f900fdf0390
Instruction ID: 3edb66382e26a8009af0392312ee9aeb3cc4571e8cd9fceedcd5d4a02a2668eb
Opcode Fuzzy Hash: f61b8768da32fad8a10e00e97914657208e169597e76aeff55309f900fdf0390
Instruction Fuzzy Hash: E5C1F470E05205AFDB15EF99C880BFE7BB0AF59304F04406BE551A7392C7389996CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00415A48 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00415A5E

Part of subcall function 00415E0F: HeapFree.KERNEL32(00000000,00000000,?,00414BEF), ref: 00415E25
Part of subcall function 00415E0F: GetLastError.KERNEL32(?,?,00414BEF), ref: 00415E37

_free.LIBCMT ref: 00415A6A
_free.LIBCMT ref: 00415A75
_free.LIBCMT ref: 00415A80
_free.LIBCMT ref: 00415A8B
_free.LIBCMT ref: 00415A96
_free.LIBCMT ref: 00415AA1
_free.LIBCMT ref: 00415AAC
_free.LIBCMT ref: 00415AB7
_free.LIBCMT ref: 00415AC5

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 749883711fa395fb8f6b3a4a02493a2f8fbdd8eae93d4c36965b2e0aaf30114a
Instruction ID: 7b10942d2e7851d0fc7af710119f33ec7bae4a1b6983f07a8fe2bc831551df89
Opcode Fuzzy Hash: 749883711fa395fb8f6b3a4a02493a2f8fbdd8eae93d4c36965b2e0aaf30114a
Instruction Fuzzy Hash: A321BA76900608EFCB01EFA5C881DDE7BB9BF48344F40816AF5269B521EB35DB94CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0042294A Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 00422963

Strings

asin, xrefs: 00422A90
sqrt, xrefs: 00422AA2
log10, xrefs: 004229A5, 004229B4
exp, xrefs: 004229E2, 00422A47
acos, xrefs: 00422A99
pow, xrefs: 00422A01, 00422AAB, 00422AF8
log, xrefs: 004229C0, 004229CF

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 3e40202192d059b4d2668b87e3b0bd212c1dd2b1182b025ed15b8b5a44edaeb6
Instruction ID: e356c80536d877f766b21e943af50b542d3ee7f9ff4f1159b20c31336fe626a2
Opcode Fuzzy Hash: 3e40202192d059b4d2668b87e3b0bd212c1dd2b1182b025ed15b8b5a44edaeb6
Instruction Fuzzy Hash: 61518C70A0052EEBCB209F59EA481BEBF74FB19300F904157D580A6764CBFC896ACB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D812 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0041D83C
_free.LIBCMT ref: 0041D915
_free.LIBCMT ref: 0041D942

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 83e207aa29a9df475d62cde5a04caf633e96fe3b0f0b98305d34c329805d1eb1
Instruction ID: ad9a953579716566e81fdd704a1dad7106e2b7c554916e4f0bb6c04ce048464e
Opcode Fuzzy Hash: 83e207aa29a9df475d62cde5a04caf633e96fe3b0f0b98305d34c329805d1eb1
Instruction Fuzzy Hash: 7A5103F1E08201AFDB20EF759941AEE7BB4AF41354F04416FE551A7281DA398981CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00414147 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00415B60: GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
Part of subcall function 00415B60: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

_free.LIBCMT ref: 00414432
_free.LIBCMT ref: 0041444B
_free.LIBCMT ref: 00414489
_free.LIBCMT ref: 00414492
_free.LIBCMT ref: 0041449E

Strings

C, xrefs: 004142A3

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 1cdfae47e5fbb4ccdd44a385d758bea300d6b4ebd73779158f53de96b6e8c1dc
Instruction ID: d5c08c082a7e1421f515e7e20b400b443947d976f340053f6f1807142c213fd3
Opcode Fuzzy Hash: 1cdfae47e5fbb4ccdd44a385d758bea300d6b4ebd73779158f53de96b6e8c1dc
Instruction Fuzzy Hash: 67B14A75A016199BDB24DF18C884BEAB3B5FF88304F5045AEE81AA7390D734AED1CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040BCD0(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr* _t75;
				intOrPtr _t76;
				signed int _t79;
				char _t81;
				intOrPtr _t84;
				intOrPtr _t91;
				intOrPtr _t94;
				intOrPtr* _t96;
				void* _t97;
				void* _t100;
				void* _t102;
				void* _t110;

				_t87 = __edx;
				_t75 = _a4;
				_v5 = 0;
				_v16 = 1;
				0x424cc2( *_t75, __edi, __esi, __ebx, _t97);
				 *_t75 = __eax;
				_t76 = _a8;
				_t6 = _t76 + 0x10; // 0x11
				_t94 = _t6;
				_push(_t94);
				_v20 = _t94;
				_v12 =  *(_t76 + 8) ^  *0x507024;
				E0040BC90(_t76, __edx, __edi, _t94,  *(_t76 + 8) ^  *0x507024);
				E0040CD5C(_a12);
				_t52 = _a4;
				_t102 = _t100 - 0x1c + 0x10;
				_t91 =  *((intOrPtr*)(_t76 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t91 - 0xfffffffe;
					if(_t91 != 0xfffffffe) {
						_t87 = 0xfffffffe;
						E0040CEE0(_t76, 0xfffffffe, _t94, 0x507024);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t76 - 4)) =  &_v32;
					if(_t91 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t79 = _v12;
							_t59 = _t91 + (_t91 + 2) * 2;
							_t76 =  *((intOrPtr*)(_t79 + _t59 * 4));
							_t60 = _t79 + _t59 * 4;
							_t80 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t81 = _v5;
								goto L7;
							} else {
								_t87 = _t94;
								_t61 = E0040CE80(_t80, _t94);
								_t81 = 1;
								_v5 = 1;
								_t110 = _t61;
								if(_t110 < 0) {
									_v16 = 0;
									L13:
									_push(_t94);
									E0040BC90(_t76, _t87, _t91, _t94, _v12);
									goto L14;
								} else {
									if(_t110 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x4f97a8;
											if( *0x4f97a8 != 0) {
												0x424590(0x4f97a8);
												_t102 = _t102 + 4;
												__eflags = _t62;
												if(_t62 != 0) {
													_t96 =  *0x4f97a8; // 0x40abc2
													 *0x4f7154(_a4, 1);
													 *_t96();
													_t94 = _v20;
													_t102 = _t102 + 8;
												}
												_t62 = _a4;
											}
										}
										_t88 = _t62;
										E0040CEC0(_a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t91;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t91) {
											_t88 = _t91;
											E0040CEE0(_t64, _t91, _t94, 0x507024);
											_t64 = _a8;
										}
										_push(_t94);
										 *((intOrPtr*)(_t64 + 0xc)) = _t76;
										E0040BC90(_t76, _t88, _t91, _t94, _v12);
										_t84 =  *((intOrPtr*)(_v24 + 8));
										E0040CEA0();
										asm("int3");
										__eflags = E0040CEF7();
										if(__eflags != 0) {
											_t67 = E0040BF93(_t84, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E0040CF33();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t91 = _t76;
						} while (_t76 != 0xfffffffe);
						if(_t81 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x0040bcd0
0x0040bcd7
0x0040bcdc
0x0040bce2
0x0040bce9
0x0040bcee
0x0040bcf0
0x0040bcf6
0x0040bcf6
0x0040bcff
0x0040bd01
0x0040bd04
0x0040bd07
0x0040bd0f
0x0040bd14
0x0040bd17
0x0040bd1a
0x0040bd21
0x0040bd7d
0x0040bd80
0x0040bd88
0x0040bd8f
0x00000000
0x0040bd8f
0x00000000
0x0040bd23
0x0040bd23
0x0040bd29
0x0040bd2f
0x0040bd35
0x0040bda0
0x0040bda9
0x0040bd37
0x0040bd37
0x0040bd37
0x0040bd3d
0x0040bd40
0x0040bd43
0x0040bd46
0x0040bd49
0x0040bd4e
0x0040bd64
0x00000000
0x0040bd50
0x0040bd50
0x0040bd52
0x0040bd57
0x0040bd59
0x0040bd5c
0x0040bd5e
0x0040bd74
0x0040bd94
0x0040bd94
0x0040bd98
0x00000000
0x0040bd60
0x0040bd60
0x0040bdaa
0x0040bdad
0x0040bdb3
0x0040bdb5
0x0040bdbc
0x0040bdc3
0x0040bdc8
0x0040bdcb
0x0040bdcd
0x0040bdcf
0x0040bddc
0x0040bde2
0x0040bde4
0x0040bde7
0x0040bde7
0x0040bdea
0x0040bdea
0x0040bdbc
0x0040bdf0
0x0040bdf2
0x0040bdf7
0x0040bdfa
0x0040bdfd
0x0040be05
0x0040be09
0x0040be0e
0x0040be0e
0x0040be11
0x0040be15
0x0040be18
0x0040be25
0x0040be28
0x0040be2d
0x0040be33
0x0040be35
0x0040be3a
0x0040be3f
0x0040be41
0x0040be4c
0x0040be43
0x0040be43
0x00000000
0x0040be43
0x0040be37
0x0040be37
0x0040be37
0x0040be39
0x0040be39
0x0040bd62
0x00000000
0x0040bd62
0x0040bd60
0x0040bd5e
0x00000000
0x0040bd67
0x0040bd67
0x0040bd69
0x0040bd70
0x00000000
0x0040bd72
0x00000000
0x0040bd70
0x0040bd35
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 0040BD07
___except_validate_context_record.LIBVCRUNTIME ref: 0040BD0F
_ValidateLocalCookies.LIBCMT ref: 0040BD98
__IsNonwritableInCurrentImage.LIBCMT ref: 0040BDC3
_ValidateLocalCookies.LIBCMT ref: 0040BE18

Strings

csm, xrefs: 0040BDAD

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4b11e245ccadfa4f08218debd0b7a1de69521e854a653007374d5845f101d05c
Instruction ID: 2c72747457d5d4538f042c6a98050273f5b870057603fa1a5a4761dc3bfc4d79
Opcode Fuzzy Hash: 4b11e245ccadfa4f08218debd0b7a1de69521e854a653007374d5845f101d05c
Instruction Fuzzy Hash: A641B534A00208DBCF10DF69C884A9EBBB5EF44318F14817AE814AB3D2D739AD15CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E82F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041E57B: _free.LIBCMT ref: 0041E5A0

_free.LIBCMT ref: 0041E87D

Part of subcall function 00415E0F: HeapFree.KERNEL32(00000000,00000000,?,00414BEF), ref: 00415E25
Part of subcall function 00415E0F: GetLastError.KERNEL32(?,?,00414BEF), ref: 00415E37

_free.LIBCMT ref: 0041E888
_free.LIBCMT ref: 0041E893
_free.LIBCMT ref: 0041E8E7
_free.LIBCMT ref: 0041E8F2
_free.LIBCMT ref: 0041E8FD
_free.LIBCMT ref: 0041E908

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 68a78f4903bfc9ddd7aef4b1a329acef2264b2804d2c7df738c452a7e59b439e
Instruction ID: 94b6bff1b709e2d219de2998543a2dfbc119867bd1c86a146419d21ad0fa25b5
Opcode Fuzzy Hash: 68a78f4903bfc9ddd7aef4b1a329acef2264b2804d2c7df738c452a7e59b439e
Instruction Fuzzy Hash: 5E114571D40B08F6D560B7B3CC47FC7779E5F44708F80081E77AB66092E669B6A48698

Uniqueness

Uniqueness Score: -1.00%

Function 00408D67 Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00408DB0
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00408E1B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408E38
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00408E77
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408ED6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00408EF9

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 95e080dacfa4421fc9462611ffbae2e460c05acb35b9b8b04a28254cee4ce568
Instruction ID: 35e70f15cd455292accbe221196c48bfd2ed4110e964d95cc2028dd1546cb5a8
Opcode Fuzzy Hash: 95e080dacfa4421fc9462611ffbae2e460c05acb35b9b8b04a28254cee4ce568
Instruction Fuzzy Hash: 2F518C7250020AAFDF205F61CD45FAB7BA9EF44754F15453AFA44E62D0DB399C10CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040BECA(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x507040 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E0040D0BB(_t13, __eflags,  *0x507040);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E0040D0F6(_t14, __eflags,  *0x507040, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E0040D4EB();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E0040D0F6(_t18, __eflags,  *0x507040, 0);
								} else {
									_t8 = E0040D0F6(_t18, __eflags,  *0x507040, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E0040D4F6(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x0040beca
0x0040bed1
0x0040bee4
0x0040beeb
0x0040beed
0x0040beee
0x0040bef1
0x0040bf0a
0x0040bf0a
0x0040bef3
0x0040bef3
0x0040bef5
0x0040beff
0x0040bf06
0x0040bf08
0x0040bf0f
0x0040bf18
0x0040bf1b
0x0040bf1c
0x0040bf1e
0x0040bf32
0x0040bf32
0x0040bf3b
0x0040bf20
0x0040bf27
0x0040bf2d
0x0040bf2e
0x0040bf30
0x0040bf44
0x0040bf46
0x0040bf46
0x00000000
0x00000000
0x00000000
0x0040bf30
0x0040bf49
0x00000000
0x00000000
0x00000000
0x0040bf08
0x0040bef5
0x0040bf51
0x0040bf5b
0x0040bed3
0x0040bed5
0x0040bed5

APIs

GetLastError.KERNEL32(?,?,0040BEC1,0040AD6E,00409F35), ref: 0040BED8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040BEE6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040BEFF
SetLastError.KERNEL32(00000000,0040BEC1,0040AD6E,00409F35), ref: 0040BF51

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d8e87ba687470adb233f2f8d243b3385af4c0a8b3e8fb965c6a2fd2b5bd673ca
Instruction ID: e99095e50881f2a093e72ffdece53f1164a5b1c49f927787dffb3b92a53d4881
Opcode Fuzzy Hash: d8e87ba687470adb233f2f8d243b3385af4c0a8b3e8fb965c6a2fd2b5bd673ca
Instruction Fuzzy Hash: 6401D83291C7165ED63427B56C89A6B2644DB15778730033FFB14B22E0EF7D5C1AA98C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF62 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E0040CF62(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t17;
				signed int* _t21;
				signed int* _t25;
				struct HINSTANCE__* _t28;
				WCHAR* _t30;
				void* _t31;

				_t25 = _a4;
				while(_t25 != _a8) {
					_t11 =  *_t25;
					_t21 = 0x5085cc + _t11 * 4;
					_t28 =  *_t21;
					if(_t28 == 0) {
						_t12 =  *(0x4fa160 + _t11 * 4);
						_v8 = _t12;
						_t28 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t28 != 0) {
							L13:
							 *_t21 = _t28;
							if( *_t21 != 0) {
								0x3320000(_t28);
							}
							L15:
							_t16 = _t28;
							L12:
							return _t16;
						}
						_t17 = GetLastError();
						if(_t17 != 0x57) {
							L8:
							 *_t21 = _t17 | 0xffffffff;
							L9:
							_t25 =  &(_t25[1]);
							continue;
						}
						_t30 = _v8;
						0x4157e8(_t30, L"api-ms-", 7);
						_t31 = _t31 + 0xc;
						if(_t17 == 0) {
							goto L8;
						}
						_t17 = LoadLibraryExW(_t30, 0, 0);
						_t28 = _t17;
						if(_t28 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t28 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x0040cf69
0x0040cfdd
0x0040cf6e
0x0040cf70
0x0040cf77
0x0040cf7b
0x0040cf84
0x0040cf93
0x0040cf9c
0x0040cfa0
0x0040cfe9
0x0040cfeb
0x0040cfef
0x0040cff2
0x0040cff7
0x0040cff8
0x0040cff8
0x0040cfe4
0x0040cfe8
0x0040cfe8
0x0040cfa2
0x0040cfab
0x0040cfd5
0x0040cfd8
0x0040cfda
0x0040cfda
0x00000000
0x0040cfda
0x0040cfad
0x0040cfb8
0x0040cfbd
0x0040cfc2
0x00000000
0x00000000
0x0040cfc9
0x0040cfcf
0x0040cfd3
0x00000000
0x00000000
0x00000000
0x0040cfd3
0x0040cf80
0x00000000
0x00000000
0x00000000
0x0040cf82
0x0040cfe2
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0040D02D

Strings

api-ms-, xrefs: 0040CFB2

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: AddressProc
String ID: api-ms-
API String ID: 190572456-2084034818
Opcode ID: 7c4be594cfc6bb6c2eee6c9d965bf0f2ee72550a0dc8eb8ff35279dc328077b9
Instruction ID: c93b3abc7625cbe13ccf3ed9e24136b8c21cfd4f165a430e3b4c50c7819e323e
Opcode Fuzzy Hash: 7c4be594cfc6bb6c2eee6c9d965bf0f2ee72550a0dc8eb8ff35279dc328077b9
Instruction Fuzzy Hash: 2721A732A04227EBDF214BA89C80F5A37969F01774F140232F915F72C0DA78ED1196DA

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE1A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\cDtHMoEHO4.exe, xrefs: 0041CE1F

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\cDtHMoEHO4.exe
API String ID: 0-89690256
Opcode ID: 6e71b422b5213f92c702b767c44d3a33f642f72250bd560ec59bd9000e72000b
Instruction ID: 7ee310538c47e8b43e77ff6fe184daa3524315d70c7566ff0d0ad118dd90f751
Opcode Fuzzy Hash: 6e71b422b5213f92c702b767c44d3a33f642f72250bd560ec59bd9000e72000b
Instruction Fuzzy Hash: CF21D771284709AFDB206F628CC0DBB776DAF40368710452BF92597690E738EC9187A9

Uniqueness

Uniqueness Score: -1.00%

Function 004061B0 Relevance: 7.7, APIs: 5, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E004061B0(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				char _v32;
				char _v56;
				char _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr _v92;
				signed int _v96;
				signed int _v100;
				char _v108;
				char _v116;
				char _v124;
				void* __esi;
				signed int _t69;
				intOrPtr _t74;
				signed int _t81;
				void* _t83;
				intOrPtr* _t86;
				intOrPtr _t93;
				intOrPtr* _t97;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t147;
				void* _t158;
				signed int _t161;
				signed int _t162;
				void* _t163;
				void* _t164;

				_t157 = __edi;
				_t112 = __ebx;
				_t69 =  *0x507024; // 0x590d03f3
				_v8 = _t69 ^ _t162;
				_v84 = __ecx;
				if((E00406680(_a16) & 0x00004000) != 0) {
					_t74 = E00402210(__ebx, __edi, _t158, __eflags, E00406710(_a16,  &_v108));
					_t164 = _t163 + 4;
					_v92 = _t74;
					E00403080( &_v108);
					E00402530( &_v32);
					_t147 = _a24 & 0x000000ff;
					__eflags = _t147;
					if(_t147 == 0) {
						E00405720( &_v32, E00406630(_v92,  &_v80));
						E00402DE0( &_v80);
					} else {
						E00405720( &_v32, E00406DF0(_v92,  &_v56));
						E00402DE0( &_v56);
					}
					_v100 = E00406F30(_a16);
					_v96 = _t147;
					__eflags = _v96;
					if(__eflags < 0) {
						L9:
						_v88 = 0;
					} else {
						if(__eflags > 0) {
							L8:
							_t99 = E00406F30(_a16);
							_t100 = E00406870( &_v32);
							__eflags = _t99 - _t100;
							if(_t99 > _t100) {
								_t101 = E00406F30(_a16);
								_t161 = _t101 - E00406870( &_v32);
								__eflags = _t161;
								_v88 = _t161;
							} else {
								goto L9;
							}
						} else {
							__eflags = _v100;
							if(_v100 <= 0) {
								goto L9;
							} else {
								goto L8;
							}
						}
					}
					_t81 = E00406680(_a16);
					__eflags = (_t81 & 0x000001c0) - 0x40;
					if((_t81 & 0x000001c0) != 0x40) {
						_t97 = E00404F50(_v84,  &_v116, _a8, _a12, _a20 & 0x000000ff, _v88);
						_t164 = _t164 + 0x18;
						_a8 =  *_t97;
						_a12 =  *((intOrPtr*)(_t97 + 4));
						_v88 = 0;
					}
					_t83 = E00406870( &_v32);
					_t86 = E00404F00(_v84,  &_v124, _a8, _a12, E004058B0( &_v32), _t83);
					_a8 =  *_t86;
					_a12 =  *((intOrPtr*)(_t86 + 4));
					E00406EF0(_a16, 0, 0);
					_t151 = _a4;
					E00404F50(_v84, _a4, _a8, _a12, _a20 & 0x000000ff, _v88);
					E00402DE0( &_v32);
					_t93 = _a4;
				} else {
					_t151 =  *_v84;
					 *((intOrPtr*)( *((intOrPtr*)( *_v84 + 0x24))))(_a4, _a8, _a12, _a16, _a20 & 0x000000ff, _a24 & 0x000000ff);
					_t93 = _a4;
				}
				return E004090D4(_t93, _t112, _v8 ^ _t162, _t151, _t157);
			}

0x004061b0
0x004061b0
0x004061b6
0x004061bd
0x004061c1
0x004061d1
0x00406214
0x00406219
0x0040621c
0x00406222
0x0040622a
0x0040622f
0x00406233
0x00406235
0x00406266
0x0040626e
0x00406237
0x00406247
0x0040624f
0x0040624f
0x0040627b
0x0040627e
0x00406281
0x00406285
0x004062a5
0x004062a5
0x00406287
0x00406287
0x0040628f
0x00406292
0x0040629c
0x004062a1
0x004062a3
0x004062b1
0x004062c0
0x004062c0
0x004062c2
0x00000000
0x00000000
0x00000000
0x00406289
0x00406289
0x0040628d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040628d
0x00406287
0x004062c8
0x004062d2
0x004062d5
0x004062f0
0x004062f5
0x004062fd
0x00406300
0x00406303
0x00406303
0x0040630d
0x0040632c
0x00406339
0x0040633c
0x00406346
0x0040635c
0x00406364
0x0040636f
0x00406374
0x004061d3
0x004061f0
0x004061f8
0x004061fa
0x004061fa
0x00406385

APIs

shared_ptr.LIBCMTD ref: 00406247
task.LIBCPMTD ref: 0040624F

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: shared_ptrtask
String ID:
API String ID: 810089379-0
Opcode ID: f058f109faa0b27ec6b9012e758894dfe449b2a04c931fb2fc0890d91ea3fa77
Instruction ID: ccad8b54549edbcad7d8cf3f5a8e5271e50defe95a25995b34b776e18e58415e
Opcode Fuzzy Hash: f058f109faa0b27ec6b9012e758894dfe449b2a04c931fb2fc0890d91ea3fa77
Instruction Fuzzy Hash: 8F515EB19001099FCB04EF99D851EEF77B9AF48304F11812EF916BB2D5DA38AD15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402210 Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402210(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _t31;
				void* _t60;

				E00407104( &_v28, 0);
				_t31 =  *0x507f18; // 0x806850
				_v8 = _t31;
				_v24 = E00403420(0x507f0c);
				_v16 = E004044C0(_a4, _v24);
				if(_v16 == 0) {
					if(_v8 == 0) {
						__eflags = E00404390(__ebx, _t60, __edi, __esi,  &_v8, _a4) - 0xffffffff;
						if(__eflags != 0) {
							_v12 = _v8;
							E00401330( &_v20, _v12);
							E00407460(__eflags, _v12);
							 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 4))))();
							 *0x507f18 = _v8;
							_v16 = _v8;
							E00406C00( &_v20);
							E00402EA0( &_v20);
						} else {
							E00405140();
						}
					} else {
						_v16 = _v8;
					}
				}
				_v32 = _v16;
				E0040715C( &_v28);
				return _v32;
			}

0x0040221b
0x00402220
0x00402225
0x00402232
0x00402241
0x00402248
0x0040224e
0x00402268
0x0040226b
0x00402277
0x00402281
0x0040228a
0x0040229d
0x004022a2
0x004022aa
0x004022b0
0x004022b8
0x0040226d
0x0040226d
0x0040226d
0x00402250
0x00402253
0x00402253
0x0040224e
0x004022c0
0x004022c6
0x004022d1

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040221B
int.LIBCPMTD ref: 0040222D

Part of subcall function 00403420: std::_Lockit::_Lockit.LIBCPMT ref: 00403436
Part of subcall function 00403420: std::_Lockit::~_Lockit.LIBCPMT ref: 00403460

Concurrency::cancel_current_task.LIBCPMTD ref: 0040226D
std::_Lockit::~_Lockit.LIBCPMT ref: 004022C6

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: d0fafbf2ba706ccf9a2b5bd73c0a6c9f36c8a112194a142be320c68972e59055
Instruction ID: cc3bca57511aefe180c23691defb1a2dbc2b903182fe0dd5a81433f7568af0fc
Opcode Fuzzy Hash: d0fafbf2ba706ccf9a2b5bd73c0a6c9f36c8a112194a142be320c68972e59055
Instruction Fuzzy Hash: 9521E574D04109EBCB08EFE5C9819EEBBB4AF58304F1082AAE516773D1DB386A45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0041E304 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E31C

Part of subcall function 00415E0F: HeapFree.KERNEL32(00000000,00000000,?,00414BEF), ref: 00415E25
Part of subcall function 00415E0F: GetLastError.KERNEL32(?,?,00414BEF), ref: 00415E37

_free.LIBCMT ref: 0041E32E
_free.LIBCMT ref: 0041E340
_free.LIBCMT ref: 0041E352
_free.LIBCMT ref: 0041E364

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bdfefb34091b9b956df9872dfd0b86f8fba9c302f68ee0b4b952ee8aeb17730f
Instruction ID: ef375d1130fe08057dd37656ebd253bd4c5a2d25abdb6957576163ceace523fa
Opcode Fuzzy Hash: bdfefb34091b9b956df9872dfd0b86f8fba9c302f68ee0b4b952ee8aeb17730f
Instruction Fuzzy Hash: 5AF01836D08708E7C620DB56E885CDB73D9EA98714754580BF875D7641C738FDC096E8

Uniqueness

Uniqueness Score: -1.00%

Function 00403E10 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 370
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00403E10(void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char* _a28, intOrPtr _a32) {
				signed int _v8;
				char _v32;
				char _v56;
				signed int _v60;
				signed char _v61;
				char* _v68;
				signed int _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				signed int _v120;
				char _v128;
				char _v136;
				char _v144;
				char _v152;
				char _v160;
				char _v168;
				char _v176;
				char _v184;
				void* __ebx;
				signed int _t171;
				signed int _t173;
				intOrPtr* _t209;
				intOrPtr* _t214;
				intOrPtr* _t226;
				intOrPtr* _t230;
				intOrPtr* _t233;
				intOrPtr* _t237;
				void* _t238;
				signed int _t240;
				char _t247;
				signed int _t253;
				short _t260;
				void* _t325;
				signed int _t337;
				void* _t361;
				void* _t364;
				void* _t365;
				signed int _t366;

				_t365 = __esi;
				_t364 = __edi;
				_t171 =  *0x507024; // 0x590d03f3
				_v8 = _t171 ^ _t366;
				if(_a32 <= 0 ||  *_a28 != 0x2b &&  *_a28 != 0x2d) {
					_v96 = 0;
				} else {
					_v96 = 1;
				}
				_v60 = _v96;
				_t173 = E00406680(_a20);
				_t380 = (_t173 & 0x00003000) - 0x3000;
				if((_t173 & 0x00003000) == 0x3000) {
					_v100 = 0x4f8944;
					__eflags = _v60 + 2 - _a32;
					if(_v60 + 2 > _a32) {
						goto L12;
					}
					__eflags =  *((char*)(_a28 + _v60)) - 0x30;
					if( *((char*)(_a28 + _v60)) != 0x30) {
						goto L12;
					}
					_t361 = _a28 + _v60;
					__eflags =  *((char*)(_t361 + 1)) - 0x78;
					if( *((char*)(_t361 + 1)) == 0x78) {
						L11:
						_t253 = _v60 + 2;
						__eflags = _t253;
						_v60 = _t253;
						goto L12;
					}
					_t325 = _a28 + _v60;
					__eflags =  *((char*)(_t325 + 1)) - 0x58;
					if( *((char*)(_t325 + 1)) != 0x58) {
						goto L12;
					}
					goto L11;
				} else {
					_v100 = 0x4f8940;
					L12:
					_v112 = E0040D410(_v100, 0 + _a28, _v100);
					_t260 =  *0x4f8948; // 0x2e
					_v76 = _t260;
					 *((char*)(_t366 + 0xffffffffffffffb8)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(E0040F588(_t177)))));
					_v80 = E0040D410(_t366 + 0xffffffffffffffb8, 0 + _a28, _t366 + 0xffffffffffffffb8);
					_v108 = E00402070(_t256, _t364, _t365, _t380, E00406710(_a20,  &_v128));
					E00403080( &_v128);
					E00402410( &_v32, _t380, _a32, 0);
					E00406EC0(_v108, _a28, _a28 + _a32, E00403400( &_v32, 0));
					_v88 = E00402210(_t256, _t364, _t365, _t380, E00406710(_a20,  &_v136));
					E00403080( &_v136);
					E00406760(_v88,  &_v56);
					_v61 = E00406DA0(_v88);
					if(_v80 != _a32) {
						_t247 = E00405AB0(_v88);
						_t256 = _t247;
						 *((char*)(E00403400( &_v32, _v80))) = _t247;
					}
					if(_v80 != _a32) {
						_v104 = _v80;
					} else {
						_v104 = _v112;
					}
					_v84 = _v104;
					_v68 = E00403400( &_v56, 0);
					while(1) {
						_t337 =  *_v68;
						if(_t337 == 0x7f ||  *_v68 <= 0) {
							break;
						}
						_t337 = _v68;
						if( *_t337 >= _v84 - _v60) {
							break;
						}
						_v84 = _v84 -  *_v68;
						E00406790( &_v32, _v84, 1, _v61 & 0x000000ff);
						if( *((char*)(_v68 + (1 << 0))) > 0) {
							_v68 = _v68 + 1;
						}
					}
					_a32 = E00406870( &_v32);
					_v120 = E00406F30(_a20);
					_v116 = _t337;
					__eflags = _v116;
					if(__eflags < 0) {
						L28:
						_v72 = 0;
						L30:
						_v92 = E00406680(_a20) & 0x000001c0;
						__eflags = _v92 - 0x40;
						if(_v92 == 0x40) {
							L33:
							__eflags = _v92 - 0x100;
							if(_v92 != 0x100) {
								_t209 = E00404F00(_a4,  &_v176, _a12, _a16, E00403400( &_v32, 0), _v60);
								_a12 =  *_t209;
								_a16 =  *((intOrPtr*)(_t209 + 4));
							} else {
								_t226 = E00404F00(_a4,  &_v160, _a12, _a16, E00403400( &_v32, 0), _v60);
								_a12 =  *_t226;
								_a16 =  *((intOrPtr*)(_t226 + 4));
								_t230 = E00404F50(_a4,  &_v168, _a12, _a16, _a24 & 0x000000ff, _v72);
								_a12 =  *_t230;
								_a16 =  *((intOrPtr*)(_t230 + 4));
								_v72 = 0;
							}
							L36:
							_t214 = E00404F00(_a4,  &_v184, _a12, _a16, E00403400( &_v32, _v60), _a32 - _v60);
							_a12 =  *_t214;
							_a16 =  *((intOrPtr*)(_t214 + 4));
							E00406EF0(_a20, 0, 0);
							E00404F50(_a4, _a8, _a12, _a16, _a24 & 0x000000ff, _v72);
							E00402DE0( &_v56);
							E00402DE0( &_v32);
							__eflags = _v8 ^ _t366;
							return E004090D4(_a8, _t256, _v8 ^ _t366, _a4, _t364);
						}
						__eflags = _v92 - 0x100;
						if(_v92 == 0x100) {
							goto L33;
						}
						_t233 = E00404F50(_a4,  &_v144, _a12, _a16, _a24 & 0x000000ff, _v72);
						_a12 =  *_t233;
						_a16 =  *((intOrPtr*)(_t233 + 4));
						_v72 = 0;
						_t237 = E00404F00(_a4,  &_v152, _a12, _a16, E00403400( &_v32, 0), _v60);
						_a12 =  *_t237;
						_a16 =  *((intOrPtr*)(_t237 + 4));
						goto L36;
					}
					if(__eflags > 0) {
						L27:
						_t238 = E00406F30(_a20);
						__eflags = _t238 - _a32;
						if(_t238 > _a32) {
							_t240 = E00406F30(_a20) - _a32;
							__eflags = _t240;
							_v72 = _t240;
							goto L30;
						}
						goto L28;
					}
					__eflags = _v120;
					if(_v120 <= 0) {
						goto L28;
					}
					goto L27;
				}
			}

0x00403e10
0x00403e10
0x00403e19
0x00403e20
0x00403e28
0x00403e49
0x00403e40
0x00403e40
0x00403e40
0x00403e53
0x00403e59
0x00403e63
0x00403e68
0x00403e73
0x00403e80
0x00403e83
0x00000000
0x00000000
0x00403e8e
0x00403e91
0x00000000
0x00000000
0x00403e96
0x00403e9d
0x00403ea0
0x00403eb1
0x00403eb4
0x00403eb4
0x00403eb7
0x00000000
0x00403eb7
0x00403ea5
0x00403eac
0x00403eaf
0x00000000
0x00000000
0x00000000
0x00403e6a
0x00403e6a
0x00403eba
0x00403ed2
0x00403ed5
0x00403edc
0x00403efa
0x00403f1f
0x00403f37
0x00403f3d
0x00403f4b
0x00403f69
0x00403f86
0x00403f8f
0x00403f9b
0x00403fa8
0x00403fb1
0x00403fb6
0x00403fbb
0x00403fc9
0x00403fc9
0x00403fd1
0x00403fde
0x00403fd3
0x00403fd6
0x00403fd6
0x00403fe4
0x00403ff1
0x00403ff4
0x00403ff7
0x00403ffd
0x00000000
0x00000000
0x00404009
0x00404017
0x00000000
0x00000000
0x00404024
0x00404035
0x0040404b
0x00404053
0x00404053
0x00404056
0x00404060
0x0040406b
0x0040406e
0x00404071
0x00404075
0x0040408c
0x0040408c
0x004040a3
0x004040b0
0x004040b3
0x004040b7
0x00404132
0x00404132
0x00404139
0x004041ca
0x004041d7
0x004041da
0x0040413b
0x0040415d
0x0040416a
0x0040416d
0x0040418c
0x00404199
0x0040419c
0x0040419f
0x0040419f
0x004041dd
0x00404204
0x00404211
0x00404214
0x0040421e
0x0040423c
0x00404247
0x0040424f
0x0040425b
0x00404265
0x00404265
0x004040b9
0x004040c0
0x00000000
0x00000000
0x004040de
0x004040eb
0x004040ee
0x004040f1
0x0040411a
0x00404127
0x0040412a
0x00000000
0x0040412a
0x00404077
0x0040407f
0x00404082
0x00404087
0x0040408a
0x0040409d
0x0040409d
0x004040a0
0x00000000
0x004040a0
0x00000000
0x0040408a
0x00404079
0x0040407d
0x00000000
0x00000000
0x00000000
0x0040407d

APIs

ctype.LIBCPMTD ref: 00403F69
task.LIBCPMTD ref: 00404247
task.LIBCPMTD ref: 0040424F

Strings

@, xrefs: 004040B3

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: task$ctype
String ID: @
API String ID: 325817495-2766056989
Opcode ID: 6ea6e1c10ea6cbd32c7bad60133e8720c5824d28a5eb827ddf0a0facf9e04821
Instruction ID: 0e531fa06b4275aca4555751754ec07c1ffaedae1f2f3ad67382951543ebdba1
Opcode Fuzzy Hash: 6ea6e1c10ea6cbd32c7bad60133e8720c5824d28a5eb827ddf0a0facf9e04821
Instruction Fuzzy Hash: 90E17FB19002499FCB04DF94D891AEF7BB9BF88304F14816EF509BB295D738AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5E2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E0040C5E2(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t74;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t97;
				signed char _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr* _t102;
				signed int _t103;
				signed int _t104;
				signed char _t109;
				signed char* _t112;
				signed int _t113;
				void* _t114;
				signed char* _t117;
				void* _t122;
				signed int _t124;
				void* _t131;
				void* _t132;

				_t101 = __ecx;
				_t97 = _a4;
				if( *_t97 == 0x80000003) {
					return _t74;
				} else {
					if( *((intOrPtr*)(E0040BEBC(_t97, __ecx, __edx, _t122, _t114, _t122) + 8)) != 0) {
						_t122 =  *0x4f704c(0);
						if( *((intOrPtr*)(E0040BEBC(_t97, __ecx, __edx, _t122) + 8)) != _t122 &&  *_t97 != 0xe0434f4d &&  *_t97 != 0xe0434352) {
							_t87 = E0040A8C5(_t97, _a8, _a12, _a16, _a20, _a28, _a32);
							_t131 = _t131 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E0040A7F8(_t97, _t101, 0, _t122,  &_v40,  &_v24, _a24, _a16, _t76);
						_t113 = _v36;
						_t132 = _t131 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t113;
						if(_t113 < _v28) {
							_t103 = _t113 * 0x14;
							_v12 = _t103;
							do {
								_t104 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t103, _t104 << 2);
								_t132 = _t132 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t109 = _t93[4];
									if(_t109 == 0 ||  *((char*)(_t109 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E0040C1B8(_t113, _t97, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t113 = _v8;
											_t132 = _t132 + 0x30;
										}
									}
								}
								_t113 = _t113 + 1;
								_t87 = _v16;
								_t103 = _v12 + 0x14;
								_v8 = _t113;
								_v12 = _t103;
							} while (_t113 < _v28);
						}
						goto L16;
					}
					E00411A99(_t76);
					asm("int3");
					_t112 = _v68;
					_push(_t97);
					_push(_t122);
					_push(0);
					_t78 = _t112[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t102 = _t78 + 8;
						if( *_t102 == 0) {
							goto L41;
						} else {
							_t117 = _a4;
							if(( *_t112 & 0x00000080) == 0 || ( *_t117 & 0x00000010) == 0) {
								_t98 = _t117[4];
								_t124 = 0;
								if(_t78 == _t98) {
									L33:
									if(( *_t117 & 0x00000002) == 0 || ( *_t112 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t112 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t112 & 0x00000002) != 0) {
												_t124 = 1;
											}
										}
									}
									_t80 = _t124;
								} else {
									_t59 = _t98 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t99 =  *_t102;
										if(_t99 !=  *_t82) {
											break;
										}
										if(_t99 == 0) {
											L29:
											_t83 = _t124;
										} else {
											_t100 =  *((intOrPtr*)(_t102 + 1));
											if(_t100 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t102 = _t102 + 2;
												_t82 = _t82 + 2;
												if(_t100 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x0040c5e2
0x0040c5e9
0x0040c5f2
0x0040c711
0x0040c5f8
0x0040c604
0x0040c60d
0x0040c617
0x0040c63c
0x0040c641
0x0040c646
0x0040c70d
0x00000000
0x0040c70e
0x0040c646
0x0040c617
0x0040c64c
0x0040c64f
0x0040c652
0x0040c658
0x0040c65e
0x0040c670
0x0040c675
0x0040c678
0x0040c67b
0x0040c67e
0x0040c681
0x0040c687
0x0040c68d
0x0040c690
0x0040c693
0x0040c6a2
0x0040c6a3
0x0040c6a3
0x0040c6a8
0x0040c6bb
0x0040c6bd
0x0040c6c2
0x0040c6cd
0x0040c6cf
0x0040c6d1
0x0040c6ed
0x0040c6f2
0x0040c6f5
0x0040c6f5
0x0040c6cd
0x0040c6c2
0x0040c6fb
0x0040c6fc
0x0040c6ff
0x0040c702
0x0040c705
0x0040c708
0x0040c693
0x00000000
0x0040c687
0x0040c712
0x0040c717
0x0040c71b
0x0040c71e
0x0040c71f
0x0040c720
0x0040c721
0x0040c726
0x0040c79e
0x0040c7a0
0x0040c728
0x0040c728
0x0040c72e
0x00000000
0x0040c730
0x0040c733
0x0040c736
0x0040c73d
0x0040c740
0x0040c744
0x0040c776
0x0040c779
0x0040c780
0x0040c786
0x0040c790
0x0040c799
0x0040c799
0x0040c790
0x0040c786
0x0040c79a
0x0040c746
0x0040c746
0x0040c746
0x0040c749
0x0040c749
0x0040c74d
0x00000000
0x00000000
0x0040c751
0x0040c765
0x0040c765
0x0040c753
0x0040c753
0x0040c759
0x00000000
0x0040c75b
0x0040c75b
0x0040c75e
0x0040c763
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c763
0x0040c759
0x0040c76e
0x0040c770
0x00000000
0x0040c772
0x0040c772
0x0040c772
0x00000000
0x0040c770
0x0040c769
0x0040c76b
0x00000000
0x0040c76b
0x00000000
0x00000000
0x00000000
0x0040c736
0x0040c72e
0x0040c7a1
0x0040c7a5
0x0040c7a5

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0040C607
CatchIt.LIBVCRUNTIME ref: 0040C6ED

Strings

MOC, xrefs: 0040C619
RCC, xrefs: 0040C621

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 1b7fa2f1d0a5a07f1225744ad79363a78728d04c88e35370d07702cee2cd6a1f
Instruction ID: 5e4436aa689c5ef80dbf9752bc71aff26a1d9b939588bd995be8d31eed568e35
Opcode Fuzzy Hash: 1b7fa2f1d0a5a07f1225744ad79363a78728d04c88e35370d07702cee2cd6a1f
Instruction Fuzzy Hash: E9416771900209EFCF25DF98C881AAEBBB5FF48304F1481AAF914772A1D33A9950DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404C40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 93%

			E00404C40(void* __ebx, void* __edi, intOrPtr _a4, char _a8, char _a16) {
				signed int _v8;
				char _v32;
				signed int _t13;
				signed char _t15;
				void* _t17;
				void* _t25;
				void* _t37;
				signed int _t38;

				_t37 = __edi;
				_t25 = __ebx;
				_t13 =  *0x507024; // 0x590d03f3
				_v8 = _t13 ^ _t38;
				_t2 =  &_a16; // 0x402832
				_t15 = E00406520(_t2);
				_t39 = _t15 & 0x000000ff;
				if((_t15 & 0x000000ff) == 0) {
					_t3 =  &_a16; // 0x402832
					E00405540(_t3, _t39, 0x4f8798);
				}
				_t17 = E004069D0( &_a8,  &_v32);
				_t6 =  &_a16; // 0x402832
				E00405470(_t6, _t17);
				E00402DE0( &_v32);
				_t8 =  &_a16; // 0x402832
				E00402360(_a4, _t8);
				_t10 =  &_a16; // 0x402832
				E00402DE0(_t10);
				return E004090D4(_a4, _t25, _v8 ^ _t38, _t8, _t37);
			}

0x00404c40
0x00404c40
0x00404c46
0x00404c4d
0x00404c50
0x00404c53
0x00404c5b
0x00404c5d
0x00404c64
0x00404c67
0x00404c67
0x00404c73
0x00404c79
0x00404c7c
0x00404c84
0x00404c89
0x00404c90
0x00404c95
0x00404c98
0x00404cad

APIs

std::ios_base::good.LIBCPMTD ref: 00404C53
task.LIBCPMTD ref: 00404C84
task.LIBCPMTD ref: 00404C98

Strings

2(@, xrefs: 00404C50, 00404C79, 00404C89, 00404C95, 00404C64, 00404C8C

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: task$std::ios_base::good
String ID: 2(@
API String ID: 683101471-4079945686
Opcode ID: 1afcfd1fac3fe82eb623df7a3d8ace0c980b358d27ad71e3878853e20783883c
Instruction ID: 51fecc1780c06f1d7742adc3d23b2e98550457e9f781d647910003ffed570ddb
Opcode Fuzzy Hash: 1afcfd1fac3fe82eb623df7a3d8ace0c980b358d27ad71e3878853e20783883c
Instruction Fuzzy Hash: 48F0443050010D9BCB04FF61DD969EF7368AF14305B40417EB9067B1D2EF78AE19CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 004130C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004130B5,00411ADC,?,0041307D,00411ADC,?,00411ADC), ref: 004130D5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004130E8

Strings

mscoree.dll, xrefs: 004130CE
CorExitProcess, xrefs: 004130E0

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 37fb9965231f7c37ffca1683f65ce8c2c9b03f6488eeeab814dcf0510b9c4193
Instruction ID: 1af2c0b0520dcd5c3bd371ba95745abc49b4447fcaa3c6341ee6cd6cca83cbf0
Opcode Fuzzy Hash: 37fb9965231f7c37ffca1683f65ce8c2c9b03f6488eeeab814dcf0510b9c4193
Instruction Fuzzy Hash: EEF08231A00218FBDB119B90CD4AFEE7F65DF00752F100061E500A12A0CB7C8F54DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00416FE6 Relevance: 6.3, APIs: 4, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417070

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 8f59172821d1f9a883ddc916b1a5f07b05fe9a147231d3bb9b97debe276b0d8f
Instruction ID: c1720e129456d36a74d4b3d25cc7216cec886f48d73076275c00d48ac9c5b5ca
Opcode Fuzzy Hash: 8f59172821d1f9a883ddc916b1a5f07b05fe9a147231d3bb9b97debe276b0d8f
Instruction Fuzzy Hash: FFB139319082859FDB118F68C8417EFBBF5EF45344F2481ABE845AB341D63D8D82CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFE1 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E0040BFE1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t52;
				signed int _t53;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t74;
				signed int _t78;
				signed char _t80;
				signed char _t83;
				signed int _t84;
				signed int _t85;
				signed int _t96;
				signed char _t98;
				signed int* _t99;
				signed char* _t102;
				signed int _t108;
				void* _t112;

				_push(0x10);
				_push(0x505cb0);
				E00409FB0(__ebx, __edi, __esi);
				_t74 = 0;
				_t52 =  *(_t112 + 0x10);
				_t80 = _t52[4];
				if(_t80 == 0 ||  *((intOrPtr*)(_t80 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t98 = _t52[8];
					if(_t98 != 0 ||  *_t52 < 0) {
						_t83 =  *_t52;
						_t108 =  *(_t112 + 0xc);
						if(_t83 >= 0) {
							_t108 = _t108 + 0xc + _t98;
						}
						 *(_t112 - 4) = _t74;
						_t102 =  *(_t112 + 0x14);
						if(_t83 >= 0 || ( *_t102 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t112 + 8));
							__eflags = _t83 & 0x00000008;
							if((_t83 & 0x00000008) == 0) {
								__eflags =  *_t102 & 0x00000001;
								if(( *_t102 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t102[0x18] - _t74;
									if(_t102[0x18] != _t74) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t108;
											if(_t108 == 0) {
												goto L32;
											} else {
												__eflags =  *_t102 & 0x00000004;
												_t78 = 0;
												_t74 = (_t78 & 0xffffff00 | ( *_t102 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t74;
												 *(_t112 - 0x20) = _t74;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t108;
											if(_t108 == 0) {
												goto L32;
											} else {
												E0040A030(_t108, E0040ACEE(_t84,  &(_t102[8])), _t102[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t108;
										if(_t108 == 0) {
											goto L32;
										} else {
											E0040A030(_t108,  *(_t54 + 0x18), _t102[0x14]);
											__eflags = _t102[0x14] - 4;
											if(_t102[0x14] == 4) {
												__eflags =  *_t108;
												if( *_t108 != 0) {
													_push( &(_t102[8]));
													_push( *_t108);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t96 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x508544; // 0x0
							 *((intOrPtr*)(_t112 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x4f7154();
								_t96 =  *((intOrPtr*)(_t112 - 0x1c))();
								L12:
								if(_t96 == 0 || _t108 == 0) {
									L32:
									E00411A99(_t54);
									asm("int3");
									_push(8);
									_push(0x505cd0);
									E00409FB0(_t74, _t102, _t108);
									_t99 =  *(_t112 + 0x10);
									_t85 =  *(_t112 + 0xc);
									__eflags =  *_t99;
									if(__eflags >= 0) {
										_t104 = _t85 + 0xc + _t99[2];
										__eflags = _t85 + 0xc + _t99[2];
									} else {
										_t104 = _t85;
									}
									 *(_t112 - 4) =  *(_t112 - 4) & 0x00000000;
									_t109 =  *(_t112 + 0x14);
									_push( *(_t112 + 0x14));
									_push(_t99);
									_push(_t85);
									_t76 =  *((intOrPtr*)(_t112 + 8));
									_push( *((intOrPtr*)(_t112 + 8)));
									_t58 = E0040BFE1(_t76, _t104, _t109, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E0040CCE1(_t104, _t109[0x18], E0040ACEE( *((intOrPtr*)(_t76 + 0x18)),  &(_t109[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E0040CCF1(_t104, _t109[0x18], E0040ACEE( *((intOrPtr*)(_t76 + 0x18)),  &(_t109[8])), 1);
										}
									}
									 *(_t112 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t112 - 0x10));
									return _t61;
								} else {
									 *_t108 = _t96;
									_push( &(_t102[8]));
									_push(_t96);
									L21:
									 *_t108 = E0040ACEE();
									L29:
									 *(_t112 - 4) = 0xfffffffe;
									_t53 = _t74;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t112 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x0040bfe1
0x0040bfe3
0x0040bfe8
0x0040bfed
0x0040bfef
0x0040bff2
0x0040bff7
0x0040c107
0x0040c107
0x0040c107
0x00000000
0x0040c006
0x0040c006
0x0040c00b
0x0040c015
0x0040c017
0x0040c01c
0x0040c021
0x0040c021
0x0040c023
0x0040c026
0x0040c02b
0x0040c04d
0x0040c04d
0x0040c050
0x0040c053
0x0040c071
0x0040c074
0x0040c0b3
0x0040c0b6
0x0040c0b9
0x0040c0de
0x0040c0e0
0x00000000
0x0040c0e2
0x0040c0e2
0x0040c0e4
0x00000000
0x0040c0e6
0x0040c0e6
0x0040c0eb
0x0040c0ef
0x0040c0ef
0x0040c0f0
0x00000000
0x0040c0f0
0x0040c0e4
0x0040c0bb
0x0040c0bb
0x0040c0bd
0x00000000
0x0040c0bf
0x0040c0bf
0x0040c0c1
0x00000000
0x0040c0c3
0x0040c0d4
0x00000000
0x0040c0d9
0x0040c0c1
0x0040c0bd
0x0040c076
0x0040c076
0x0040c07a
0x00000000
0x0040c080
0x0040c080
0x0040c082
0x00000000
0x0040c088
0x0040c08f
0x0040c097
0x0040c09b
0x0040c09d
0x0040c0a0
0x0040c0a5
0x0040c0a6
0x00000000
0x0040c0a6
0x0040c0a0
0x00000000
0x0040c09b
0x0040c082
0x0040c07a
0x0040c055
0x0040c055
0x00000000
0x0040c055
0x0040c032
0x0040c032
0x0040c037
0x0040c03c
0x00000000
0x0040c03e
0x0040c040
0x0040c049
0x0040c058
0x0040c05a
0x0040c119
0x0040c119
0x0040c11e
0x0040c11f
0x0040c121
0x0040c126
0x0040c12b
0x0040c12e
0x0040c131
0x0040c134
0x0040c13d
0x0040c13d
0x0040c136
0x0040c136
0x0040c136
0x0040c140
0x0040c144
0x0040c147
0x0040c148
0x0040c149
0x0040c14a
0x0040c14d
0x0040c156
0x0040c156
0x0040c159
0x0040c18f
0x0040c15b
0x0040c15b
0x0040c15b
0x0040c15e
0x0040c175
0x0040c175
0x0040c15e
0x0040c194
0x0040c19e
0x0040c1aa
0x0040c068
0x0040c068
0x0040c06d
0x0040c06e
0x0040c0a8
0x0040c0af
0x0040c0f3
0x0040c0f3
0x0040c0fa
0x0040c109
0x0040c10c
0x0040c118
0x0040c118
0x0040c05a
0x0040c03c
0x00000000
0x00000000
0x00000000
0x0040c00b

APIs

___AdjustPointer.LIBCMT ref: 0040C0A8
___AdjustPointer.LIBCMT ref: 0040C0CB
___AdjustPointer.LIBCMT ref: 0040C167

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ea54e2041c763e394a691ce0d59294843c890294f9e097885ac4c7641b46dfe8
Instruction ID: 042c138b8f56aab8b750efa5ffa4feacd76f57771158f49028955430a21e9952
Opcode Fuzzy Hash: ea54e2041c763e394a691ce0d59294843c890294f9e097885ac4c7641b46dfe8
Instruction Fuzzy Hash: F651CF71504202EFEB248F55C881B7A73A4FF44314F14423FE811AB2D2E739AC91DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F0 Relevance: 6.1, APIs: 4, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E004046F0(void* __ebx, char __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v52;
				char _v96;
				char _v100;
				intOrPtr _v104;
				char* _v108;
				char _v112;
				void* __edi;
				signed int _t47;
				intOrPtr _t60;
				void* _t96;
				void* _t99;
				signed int _t100;
				void* _t101;
				void* _t104;

				_t68 = __ebx;
				_t47 =  *0x507024; // 0x590d03f3
				_v8 = _t47 ^ _t100;
				_v100 = __ecx;
				_v108 = E00404550(_a4);
				E00404470(__ebx, _a4, __eflags,  &_v52);
				 *((intOrPtr*)(_v100 + 8)) = 0;
				 *((intOrPtr*)(_v100 + 0x10)) = 0;
				 *((intOrPtr*)(_v100 + 0x14)) = 0;
				_v112 = _v100;
				_t110 = _a8 & 0x000000ff;
				if((_a8 & 0x000000ff) == 0) {
					_v104 =  *((intOrPtr*)(_v108 + 8));
				} else {
					_v104 = 0x4f87a8;
				}
				_push(E00404470(_t68, _a4, _t110,  &_v96));
				_push(0);
				 *((intOrPtr*)(_v100 + 8)) = E00401900(_t110, _v104);
				_push( &_v52);
				_push(0);
				 *((intOrPtr*)(_v100 + 0x10)) = E00401900(_t110, E00404540(_a4));
				_push( &_v52);
				_push(0);
				_t60 = E00401900(_t110, E00404560(_a4));
				_t104 = _t101 + 0x24;
				 *((intOrPtr*)(_v100 + 0x14)) = _t60;
				_v112 = 0;
				if((_a8 & 0x000000ff) == 0) {
					_t99 =  &_v52;
					memcpy(_t104 - 0x2c, _t99, 0xb << 2);
					_t96 = _t99 + 0x16;
					_t95 = _v108;
					_push(_v108);
					_push(0);
					E00401880(_v100);
				} else {
					_push( &_v52);
					_push(0);
					 *((char*)(_v100 + 0xc)) = E004018F0(0x2e);
					_t95 =  &_v52;
					_push( &_v52);
					_push(0);
					 *((char*)(_v100 + 0xd)) = E004018F0(0x2c);
				}
				return E004090D4(E00402DA0( &_v112), _t68, _v8 ^ _t100, _t95, _t96);
			}

0x004046f0
0x004046f6
0x004046fd
0x00404702
0x0040470d
0x00404717
0x0040471f
0x00404729
0x00404733
0x0040473d
0x00404744
0x00404746
0x00404757
0x00404748
0x00404748
0x00404748
0x00404766
0x00404767
0x00404778
0x0040477e
0x0040477f
0x00404795
0x0040479b
0x0040479c
0x004047a7
0x004047ac
0x004047b2
0x004047b5
0x004047c2
0x004047fa
0x004047ff
0x004047ff
0x00404801
0x00404804
0x00404805
0x0040480a
0x004047c4
0x004047c7
0x004047c8
0x004047d7
0x004047da
0x004047dd
0x004047de
0x004047ed
0x004047ed
0x00404826

APIs

std::_Locinfo::_Getcvt.LIBCPMTD ref: 00404717
std::_Locinfo::_Getcvt.LIBCPMTD ref: 00404761
_Getvals.LIBCPMTD ref: 0040480A
Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 00404812

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: GetcvtLocinfo::_std::_$Concurrency::cancellation_token_source::~cancellation_token_sourceGetvals
String ID:
API String ID: 272587748-0
Opcode ID: 7440d4bb96755cf2353ac4714fd4e95b92bcf1427d16bd2eae48617d798d6f2e
Instruction ID: 66b4281460f2e3059e550daff50d5321e72b2451c55d7dc4e65d7c72e75f59d1
Opcode Fuzzy Hash: 7440d4bb96755cf2353ac4714fd4e95b92bcf1427d16bd2eae48617d798d6f2e
Instruction Fuzzy Hash: 8B413DB5E00318ABDB04EF91D855BAEB776BF84304F14802EE5096F3D2DB759905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041C786 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00411BC8: _free.LIBCMT ref: 00411BD6

Part of subcall function 0041C341: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,0041875F,?,00000000,00000000), ref: 0041C3ED

GetLastError.KERNEL32 ref: 0041C7EE
__dosmaperr.LIBCMT ref: 0041C7F5
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C834
__dosmaperr.LIBCMT ref: 0041C83B

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 395badae55162b3bc88c8dda0d3baea727261d439d027f94a00e0486ea8686a6
Instruction ID: 0f4a1a23b9527d0b2833e47a33f676162f77182a9ef681a558299fd6d431cbbb
Opcode Fuzzy Hash: 395badae55162b3bc88c8dda0d3baea727261d439d027f94a00e0486ea8686a6
Instruction Fuzzy Hash: 47210D716446066FDB206F66CCC1DABB7ACEF40368710453FF92997680D778EC918798

Uniqueness

Uniqueness Score: -1.00%

Function 00415B60 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(004F7930,00000001,00000001,0040D525,0040127B,00000000), ref: 00415B65
_free.LIBCMT ref: 00415BC2
_free.LIBCMT ref: 00415BF8
SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00415C03

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b1636e21cdb555ed6165582ee7b979bed8e80a75d47949dbf84dd03d2816140e
Instruction ID: 1c4aa373b98f2b576a7676d75d594c2c79f83878e424761c5b370aa4890b9310
Opcode Fuzzy Hash: b1636e21cdb555ed6165582ee7b979bed8e80a75d47949dbf84dd03d2816140e
Instruction Fuzzy Hash: A1112972608A05FFC61027766C85DFF215FABC4378B25022BF228826D1ED2CDCCA915C

Uniqueness

Uniqueness Score: -1.00%

Function 00415CB7 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0040FFF0,00415E35,?,?,00414BEF), ref: 00415CBC
_free.LIBCMT ref: 00415D19
_free.LIBCMT ref: 00415D4F
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0040FFF0,00415E35,?,?,00414BEF), ref: 00415D5A

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 94a41fdfaf2f230b006251fa321e4006c7967c249d39d234f4256ef2acd5b4d1
Instruction ID: 474332798954fe0c8e226dbba7c8fc73fc8d6b47371be76967f6fe80f350cd44
Opcode Fuzzy Hash: 94a41fdfaf2f230b006251fa321e4006c7967c249d39d234f4256ef2acd5b4d1
Instruction Fuzzy Hash: 6F112972704A05EBC61027767C85DFF255AEBC5378B25022BF128826D1DE28CC9A9258

Uniqueness

Uniqueness Score: -1.00%

Function 00423CDC Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,00422347,00000000,00000001,00000000,00000000,?,00418F30,?,00000000,00000000), ref: 00423CF3
GetLastError.KERNEL32(?,00422347,00000000,00000001,00000000,00000000,?,00418F30,?,00000000,00000000,?,00000000,?,0041947C,?), ref: 00423CFF

Part of subcall function 00423CC5: CloseHandle.KERNEL32(FFFFFFFE,00423D0F,?,00422347,00000000,00000001,00000000,00000000,?,00418F30,?,00000000,00000000,?,00000000), ref: 00423CD5

___initconout.LIBCMT ref: 00423D0F

Part of subcall function 00423C87: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00423CB6,00422334,00000000,?,00418F30,?,00000000,00000000,?), ref: 00423C9A

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,00422347,00000000,00000001,00000000,00000000,?,00418F30,?,00000000,00000000,?), ref: 00423D24

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d5f11fe659bbc98133b042a484fe71085f76111a0539d4d474d7129149206f58
Instruction ID: 0b78cb468e87653755736478fbc04e47d6cf630df4957fdf855fa527739c446d
Opcode Fuzzy Hash: d5f11fe659bbc98133b042a484fe71085f76111a0539d4d474d7129149206f58
Instruction Fuzzy Hash: 74F01236604128BFDF221FA2EC04D9E3F75EF083A1F404425FA1996160CA398E70EB95

Uniqueness

Uniqueness Score: -1.00%

Function 004128B4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\cDtHMoEHO4.exe, xrefs: 004128F7, 004128FE, 00412934

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\cDtHMoEHO4.exe
API String ID: 0-89690256
Opcode ID: bdd533f82f3c1132518891596a6840ed448ec49cec7c1c224a35ddd72b4dfb44
Instruction ID: 0bcdd553206e1f96b8cce0732468b8d65d6f50a2aa4c3e95a095dbf6590999af
Opcode Fuzzy Hash: bdd533f82f3c1132518891596a6840ed448ec49cec7c1c224a35ddd72b4dfb44
Instruction Fuzzy Hash: F341B1B1F10214ABCB21AB9E8D81DEFBBF8EF94310F14406BF544E7211D6B88A91D758

Uniqueness

Uniqueness Score: -1.00%

Function 00402800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00402800(void* __ebx, intOrPtr* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v32;
				intOrPtr* _v36;
				signed int _t17;
				intOrPtr _t39;
				signed int _t41;
				void* _t42;
				void* _t45;

				_t45 = __eflags;
				_t17 =  *0x507024; // 0x590d03f3
				_v8 = _t17 ^ _t41;
				_v36 = __ecx;
				E004023B0(_t42 - 0x18, _a12);
				_push(_a8);
				_push(_a4);
				E00402C10(_v36, _t45, E00404C40(__ebx, __edi));
				E00402DE0( &_v32);
				 *_v36 = 0x4f8790;
				_t39 = _v36;
				 *((intOrPtr*)(_t39 + 0xc)) = _a4;
				 *((intOrPtr*)(_t39 + 0x10)) = _a8;
				return E004090D4(_v36, __ebx, _v8 ^ _t41, _t39, __edi,  &_v32);
			}

0x00402800
0x00402806
0x0040280d
0x00402810
0x0040281c
0x00402824
0x00402828
0x00402839
0x00402841
0x00402849
0x0040284f
0x00402858
0x0040285b
0x0040286e

APIs

Part of subcall function 00404C40: std::ios_base::good.LIBCPMTD ref: 00404C53
Part of subcall function 00404C40: task.LIBCPMTD ref: 00404C84
Part of subcall function 00404C40: task.LIBCPMTD ref: 00404C98

std::runtime_error::runtime_error.LIBCPMTD ref: 00402839

Part of subcall function 00402C10: std::exception::exception.LIBCONCRTD ref: 00402C23

task.LIBCPMTD ref: 00402841

Strings

7@, xrefs: 00402849

Memory Dump Source

Source File: 00000000.00000002.279487309.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279460286.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cDtHMoEHO4.jbxd

Similarity

API ID: task$std::exception::exceptionstd::ios_base::goodstd::runtime_error::runtime_error
String ID: 7@
API String ID: 2891284423-48919864
Opcode ID: ff832f34a58307db7bc7c9e29900500dfc76297929cf710a00843732e47b28a1
Instruction ID: 346bdb88e04639a0e861907d4de92d5bb18948311afd6d10808e91a9e70b7410
Opcode Fuzzy Hash: ff832f34a58307db7bc7c9e29900500dfc76297929cf710a00843732e47b28a1
Instruction Fuzzy Hash: BB01DE75E0420C9BCF08EFA9D95599EB7F5BF4C304B00816EE905AB381DB38A940CB94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 6464, Parent PID: 6384COMMON

Executed Functions

Function 0A1C0040 Relevance: 6.2, Strings: 1, Instructions: 4952COMMON

Download Yara Rule

Strings

xQk, xrefs: 0A1C5441

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: xQk
API String ID: 0-224434507
Opcode ID: d426259188361eeb4e96042b3906709824d6c26f3937ed58622e0a9b8f4a1245
Instruction ID: f1a18b03013d13c1387340ff8bd79e377c72fcf6075767a200987255188a1bf4
Opcode Fuzzy Hash: d426259188361eeb4e96042b3906709824d6c26f3937ed58622e0a9b8f4a1245
Instruction Fuzzy Hash: 4CA32B31E90B1AA6EB20DB50CC41BD9F371AF95700F60C756A6597A5C0EBB0BAD5CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CCD00 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

Ds^, xrefs: 0A1CCD19
|p^, xrefs: 0A1CCDB2

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: Ds^$|p^
API String ID: 0-267396410
Opcode ID: 7f4cb33325d36027e40637c4cafbcb76967392d91a250dcaa84fbe4c469c7fba
Instruction ID: dc9ed0197efb0cdb840cd5b804e0a520c06ae6f37ec3e42bdf095ca8a374ee47
Opcode Fuzzy Hash: 7f4cb33325d36027e40637c4cafbcb76967392d91a250dcaa84fbe4c469c7fba
Instruction Fuzzy Hash: 9A31E7316083818FC769EF74D4401E97FB5EF92214B1549AEC54ECB162E7725E0A8BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0562D050 Relevance: 2.6, Strings: 2, Instructions: 51COMMON

Download Yara Rule

Strings

|6a, xrefs: 0562D05E
|6a, xrefs: 0562D0B4

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: |6a$|6a
API String ID: 0-2307294604
Opcode ID: 6a9e7531f6535110a90b18503fdab1cf3787057f8bbbee7a264985c5806339d8
Instruction ID: ad35e15892cf0f38848bff4f55ae895872dec8607d31f95c9694f3696456ee3c
Opcode Fuzzy Hash: 6a9e7531f6535110a90b18503fdab1cf3787057f8bbbee7a264985c5806339d8
Instruction Fuzzy Hash: B5015E303003519BCB28AB75A458A2AB7EBFBC4219F54482DE5478B754CBB1E80ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 05628818 Relevance: 2.0, Instructions: 1973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851fd50f15c95f6c8b6d6a644ad4d1d30642982887594445dbb457e8c54fb1c9
Instruction ID: 3110c15726416b46d450bd97d8b22bbf9b0ec3475371b7cb7d7e387097ff2a12
Opcode Fuzzy Hash: 851fd50f15c95f6c8b6d6a644ad4d1d30642982887594445dbb457e8c54fb1c9
Instruction Fuzzy Hash: C313ED38D45204EFCB269B70D451EA9B732FF9930AB10C4AEDC1526B56CB3B8992DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0562E6D8 Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

l3a, xrefs: 0562E721

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: l3a
API String ID: 0-1940074028
Opcode ID: bb3b32a4bb698200ff7609ad80916ae1364dbab0c622ec601ade26a18dacaec6
Instruction ID: a37d3f2e91c81f4c3c3d02a8240222ef07a9087618a68bf46cc99e5826f1070e
Opcode Fuzzy Hash: bb3b32a4bb698200ff7609ad80916ae1364dbab0c622ec601ade26a18dacaec6
Instruction Fuzzy Hash: C6E13934A00606DFCB14DF64D598AADBBB6FF88314F158869E9069B760DB31AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0562E6A0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

l3a, xrefs: 0562E721

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: l3a
API String ID: 0-1940074028
Opcode ID: 97b8f38be83b583bbedba01fbce51561862ba01e7e75d178281d7adbb9bd2fbd
Instruction ID: bd744665f1c564fa2823de0c862fb6d4c0e2f5427f23ec67df059500c2609633
Opcode Fuzzy Hash: 97b8f38be83b583bbedba01fbce51561862ba01e7e75d178281d7adbb9bd2fbd
Instruction Fuzzy Hash: FE914A34A00606DFCB14DF64D5989ADBBB2FF88314B158569E806EB761DB30ED46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0562D780 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

,ua, xrefs: 0562D7A3

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: ,ua
API String ID: 0-2627766115
Opcode ID: 16102c1407803721a14314f677cf4eb13fee9ccfff31a6aaea1bdb66533f74d7
Instruction ID: 4988929c9ce1276899e5941efb4f6ad99851464a8088b1940e7c701385da1460
Opcode Fuzzy Hash: 16102c1407803721a14314f677cf4eb13fee9ccfff31a6aaea1bdb66533f74d7
Instruction Fuzzy Hash: 3E717C34E006598FDB18DFA8C4546AEB7F2BF89304F258529D80AEB751EB709C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C5D90 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

hr, xrefs: 0A1C5F39

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: hr
API String ID: 0-329510085
Opcode ID: 8428621988f414eb1d0fd59e0ba8c1dfa42bce67126d633659fced34ec26dab2
Instruction ID: 7ea60be76bcd9a715e1ad8e709acb62db8b7f18b8df3363e65bbbe9924d65dde
Opcode Fuzzy Hash: 8428621988f414eb1d0fd59e0ba8c1dfa42bce67126d633659fced34ec26dab2
Instruction Fuzzy Hash: 9A51CD31B046169FC718DF69C48486EFBF6FF942207168A6ED419DB6A1EB30BC418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05622DC8 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

8c.g, xrefs: 05622EDA

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: 8c.g
API String ID: 0-2258339836
Opcode ID: 509c2ad923b700a4f4f2d805dfea78557d25346cc6455196d2ed3070686bd21c
Instruction ID: 557ab84213e78c097e6603e38393d77030e7d1807c315f6ed6ba6e28a4969405
Opcode Fuzzy Hash: 509c2ad923b700a4f4f2d805dfea78557d25346cc6455196d2ed3070686bd21c
Instruction Fuzzy Hash: 6841DF30B109488BCB08FBB9D45806DBBB6FFC9310B544659E162AB394DF31A848CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C7028 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

xC^, xrefs: 0A1C7114

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: xC^
API String ID: 0-2700586120
Opcode ID: ea6149bfc5ae047a6b08ff7557782319e961c603396a4aa76824c7bb4e904e1e
Instruction ID: 04458174f26d9c0f2e0c095bb84b258a10efb6fc84f796d74c98a6870596e976
Opcode Fuzzy Hash: ea6149bfc5ae047a6b08ff7557782319e961c603396a4aa76824c7bb4e904e1e
Instruction Fuzzy Hash: 8A3147357082405FC719DB7C94A466D77E2EFCA251B16047DD50ACB392EF21CC068BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05622719 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

(>^, xrefs: 056227B3

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: (>^
API String ID: 0-936597545
Opcode ID: 3d34af01ba900cf0079d7e19532c862d2984765a02d393d8f99edf998fbb1657
Instruction ID: 336dfb255e9ad677205c0b21af4e6f25882ab18efc4a11a24ca8e5807b89121d
Opcode Fuzzy Hash: 3d34af01ba900cf0079d7e19532c862d2984765a02d393d8f99edf998fbb1657
Instruction Fuzzy Hash: 74318D34B002009FCB1CEB76E45856EB7EAFBCC211715446DE90AEB350DF369C868B92

Uniqueness

Uniqueness Score: -1.00%

Function 0562D76F Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

,ua, xrefs: 0562D7A3

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: ,ua
API String ID: 0-2627766115
Opcode ID: 96233ef1fc4d0f0d7dfedc3f22f13b96b859369a86f0dbaee8dd40c8fb9104a9
Instruction ID: 7faa3d64f0070e83a04a4fdbecd37218d0c891e9a3169a2482f6d14c6e43f8f5
Opcode Fuzzy Hash: 96233ef1fc4d0f0d7dfedc3f22f13b96b859369a86f0dbaee8dd40c8fb9104a9
Instruction Fuzzy Hash: B2411671D00799CBCB15CFA9C8406DEBBF2BF89304F24856AD805AB711E770A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C6367 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

nt, xrefs: 0A1C63CD

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: nt
API String ID: 0-1536811786
Opcode ID: cc6f4004b22dd5f3a210ae461965fabd8d319016a3fd28064ec32932877083df
Instruction ID: 369b7ab507d68e7b5deb36368ac2743d7ff684b8205cd657ac27de6c2e489aaf
Opcode Fuzzy Hash: cc6f4004b22dd5f3a210ae461965fabd8d319016a3fd28064ec32932877083df
Instruction Fuzzy Hash: 36318B347082418FC764DF69D484959BBF6FF99204B1689ADD65ACB362EB31EC02CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0562460F Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

8c.g, xrefs: 056246ED

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: 8c.g
API String ID: 0-2258339836
Opcode ID: 99e4ab09bdc9de10199431de23cc3f03dec9b940078d3ab790769864983f31c4
Instruction ID: f408443d0fe413d3e27d06289dda307c9e02c171c8f910e29032b502b21d3a9e
Opcode Fuzzy Hash: 99e4ab09bdc9de10199431de23cc3f03dec9b940078d3ab790769864983f31c4
Instruction Fuzzy Hash: 4E31E5342087058FD729AF65D40469A7BF2FFC4315F04886DD14E8B664DB76A88ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 056286E8 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

0^, xrefs: 056287CD

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: 0^
API String ID: 0-3394178545
Opcode ID: 113e8b404062badf930de4ba0c4a87d8a2803beff098b58291cb4f3b65fbbf73
Instruction ID: bd1efcf8443a1cbb7adab8228730cb3fefdc191454a775a67930aab877fd7bed
Opcode Fuzzy Hash: 113e8b404062badf930de4ba0c4a87d8a2803beff098b58291cb4f3b65fbbf73
Instruction Fuzzy Hash: AE31A031E0060A8BCB15EFB9D8141AEB3B5FFC5300B10862AD81AB7741EF35A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C6458 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

tut, xrefs: 0A1C64ED

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: tut
API String ID: 0-2779530810
Opcode ID: bc1f5f7b9f7b04c71d13c9aa6f51b60b0e633e2c10fd6d29781e8cdc15267850
Instruction ID: 2fb88865f11a84dd720571e4a64d2640ac877ab5be279b263f147e2108f4e4b8
Opcode Fuzzy Hash: bc1f5f7b9f7b04c71d13c9aa6f51b60b0e633e2c10fd6d29781e8cdc15267850
Instruction Fuzzy Hash: 57016974B042049FCB64DFA9E48889EFBF6EF88214B1581AED519DB314EB319901CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C6F9B Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

D+a, xrefs: 0A1C6FB5

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: D+a
API String ID: 0-68180789
Opcode ID: 5bba399899d9fbf58bc21346c681e61a1074436610c2a0f0f98c880a92ceb044
Instruction ID: 89f114ae59845bb20274e595795e2d13e77002ef5358d3224799d2f32e6ee4a1
Opcode Fuzzy Hash: 5bba399899d9fbf58bc21346c681e61a1074436610c2a0f0f98c880a92ceb044
Instruction Fuzzy Hash: 78012631B00355ABCB29EF71E44066E77B6FFC0615B01486CD5168B790EF71B8458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C6FA0 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

D+a, xrefs: 0A1C6FB5

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: D+a
API String ID: 0-68180789
Opcode ID: 1174b2c3fd8e418fabb6fc8205814cb7085fe6e3f80df924e8db2441a5a58eb5
Instruction ID: a51296ef6af7c75980e91534e611e38c0478b5eabbd82d26f1e84cee30be6486
Opcode Fuzzy Hash: 1174b2c3fd8e418fabb6fc8205814cb7085fe6e3f80df924e8db2441a5a58eb5
Instruction Fuzzy Hash: 3B012131B00356ABCB29EF31A40066E77A6EBC0615B01486CD4128B690EF71B8458B92

Uniqueness

Uniqueness Score: -1.00%

Function 056246D8 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

8c.g, xrefs: 056246ED

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: 8c.g
API String ID: 0-2258339836
Opcode ID: 32d57633a1cf7a76fcf27e4502411c491ae6aae6067c0a32426e6ff59362acb1
Instruction ID: 896de7fbfe782b006332ab4e3b26a747e3f94fd3774a12d90ef91d2fc901e3bf
Opcode Fuzzy Hash: 32d57633a1cf7a76fcf27e4502411c491ae6aae6067c0a32426e6ff59362acb1
Instruction Fuzzy Hash: 7301B5342087048BD328EF76D10851A77E6FFC4319B008D2CC14A8B750DFB5AD099B92

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C7130 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

xC^, xrefs: 0A1C7114

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: xC^
API String ID: 0-2700586120
Opcode ID: f6f009f69e5b83848093f11ea3fea0e87cf0f648acdd0168e90e5d149f9e43ee
Instruction ID: 93aafef13c70689e422076d356ee90d7390e3e9991c3d30660b1b2c22b2e4f64
Opcode Fuzzy Hash: f6f009f69e5b83848093f11ea3fea0e87cf0f648acdd0168e90e5d149f9e43ee
Instruction Fuzzy Hash: C4F0E962B1D3D04FC31F5BBC28690783FA1E99B08130A44DFC081CF2F6FA45880A8762

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CCD80 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

|p^, xrefs: 0A1CCDB2

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID: |p^
API String ID: 0-163078166
Opcode ID: a97e96f9ff783ad61f9cedf01d582e452653f132a3a10b4df5c0d6fbe861e9a2
Instruction ID: fb479c947990d98e86ab68b3864a913225bad1b0212e14aa4e03cfc77e0e9942
Opcode Fuzzy Hash: a97e96f9ff783ad61f9cedf01d582e452653f132a3a10b4df5c0d6fbe861e9a2
Instruction Fuzzy Hash: 54E0E5323086014BC664FB76E88849FB79EFEC41683054D29D10ACB220CFB2BD0987E1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CD3E8 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fefd05e8a295499b9e41204703f8b8b21d242ef5fe1abd9d2d36e5d8965ce1
Instruction ID: 7a09b88d080b78d123de8d08cfd33aa35cf6f01d2070e28d0881f1f7344b207b
Opcode Fuzzy Hash: 56fefd05e8a295499b9e41204703f8b8b21d242ef5fe1abd9d2d36e5d8965ce1
Instruction Fuzzy Hash: 54325634B042459FCB15DB78D8946AE7BF2EF89204B1684BDD40ADB392EB35DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0562F3C8 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864e5fb96c30d4fa7770a58a8e790bcbd1a054c0bf77f2fb4a079cd1664d683d
Instruction ID: 506b3b3a9f15364e5bbc4a3ddec926d2100d7988d197c82db49a8ef2724f264d
Opcode Fuzzy Hash: 864e5fb96c30d4fa7770a58a8e790bcbd1a054c0bf77f2fb4a079cd1664d683d
Instruction Fuzzy Hash: 9AE1AC347042558FC718DF78C898A6ABBF6FF89204F1584A9E906CB3A2DB35DC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0562DA60 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0be64103d59fe346d13fa640ed98152ca90e027125185f0e2631a0823c3faa9
Instruction ID: 9d23bc804ef5f9fe4302616ac991d500d0d02d600e3b1b86ac9987412c514d29
Opcode Fuzzy Hash: f0be64103d59fe346d13fa640ed98152ca90e027125185f0e2631a0823c3faa9
Instruction Fuzzy Hash: C5F12B74B041088FDB18DBA8C594AAEBBF6FF88304F118169D50AEB7A5DB319C42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 056208D0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f205795188aaef70c5d073e1383ccd4996324a18af10d3eea398aac74544ed
Instruction ID: 2127746b1c39d77fc8329af9ce7f3c3d527ddf4d7cc7700b815b980e496fe2fd
Opcode Fuzzy Hash: 05f205795188aaef70c5d073e1383ccd4996324a18af10d3eea398aac74544ed
Instruction Fuzzy Hash: 9BE1AE32600615EFCF169FA0C948EAD7BB2FF88314F0645A9E20A9B672DB31D955DF40

Uniqueness

Uniqueness Score: -1.00%

Function 056208C1 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6832518935952c2036030a62b9cb8f1f06061d6b84876944d3c74c0f88948b1
Instruction ID: 7e9ebffe1672f626185f2fce302aa1b448c093c4e893ef551e4579ff0fbbc3b9
Opcode Fuzzy Hash: e6832518935952c2036030a62b9cb8f1f06061d6b84876944d3c74c0f88948b1
Instruction Fuzzy Hash: E6D1C036600215EFCF168FA0C948EA97BB2FF48314F0544A9E60A9F672DB31D995EF40

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CC050 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fe2b4143893e07cc448677b8d11c2b656728d6322c52a71dfc6802d4c3a26a
Instruction ID: a2a3bef29bd54ed87bd916c8c446a1a7410449f0e08190a34cbdd8e76702d739
Opcode Fuzzy Hash: a4fe2b4143893e07cc448677b8d11c2b656728d6322c52a71dfc6802d4c3a26a
Instruction Fuzzy Hash: 51A1A0356086468FC764EB75C5406AAB7F2BF98208B018D2CC54ACBB65EB70FD45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CEDF8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b577e265c6dbd374ad7d1697be3749bfcef528dc85eb1addcd2eaaadf4cb46
Instruction ID: 0d6c36d87240819563d95bf504731477e386fd4fb9aba4bc9833adabd0d01cb7
Opcode Fuzzy Hash: 21b577e265c6dbd374ad7d1697be3749bfcef528dc85eb1addcd2eaaadf4cb46
Instruction Fuzzy Hash: 53B14E30E0065ACFDB24DF65D858B9DB7B2FF94300F118699D949A7250EB30AE89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CB5A0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557c6c21cf98daf0fcde7efe9075a9c53cee0bbd09d2fd5f1bd7d7e655ea7aac
Instruction ID: d00cb1a047873dfcba3846fccb0266e9fb9ab0a0a02032299bde8549e063fbcb
Opcode Fuzzy Hash: 557c6c21cf98daf0fcde7efe9075a9c53cee0bbd09d2fd5f1bd7d7e655ea7aac
Instruction Fuzzy Hash: 6A7132357082459BDB24EB74C454AAE7BE6EFC4308F11886DD509DB391EF71AC0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CDB68 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb670ff24f8c896c41e706bff24ed0a9d9e0810018877edca3edf68cef1f7648
Instruction ID: 788fc42fe35f3946f480ec4a29f7b725dcd23c3ce75955e5fea73e41976e9983
Opcode Fuzzy Hash: cb670ff24f8c896c41e706bff24ed0a9d9e0810018877edca3edf68cef1f7648
Instruction Fuzzy Hash: 73619C74B001059FDB18DFA8D585ABEBBB2EB94300F11856DD819DB396EB30DD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CEDE9 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff59c479b273c7f72f50b9ac0519dda83e4f18208d2a99ae14be5fdfae630ec
Instruction ID: 17c5845544f91e8bf161d1c784f5eccf8eaba0e419b0b9c1f7860dd93d61b4f9
Opcode Fuzzy Hash: 8ff59c479b273c7f72f50b9ac0519dda83e4f18208d2a99ae14be5fdfae630ec
Instruction Fuzzy Hash: F4916D30D1065ACFDB24DF64C858BADBBB2FF95300F118699D94967250EB30AE89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CE1B0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ffdeae09c1c8851bb9818e3070ed255424afc10f4152e36ba19a18ab7675d76
Instruction ID: 337a0cd2eddd9e974cd84397314bfd05cce986f7ca940fa05c2fe7ec796b38be
Opcode Fuzzy Hash: 6ffdeae09c1c8851bb9818e3070ed255424afc10f4152e36ba19a18ab7675d76
Instruction Fuzzy Hash: C3512835B04111ABCB29A774D49896DB6E7AFCC254B1A4929D907EB3C4FF30AC0287D2

Uniqueness

Uniqueness Score: -1.00%

Function 05627CD0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b47543a9964d56374a0fc6274b59b06243b6e72378be85b4dfe7683b11c3cfc
Instruction ID: a955c26878666cfde668288da1fb834cfe975e68da5e0a85039730eb6ea531da
Opcode Fuzzy Hash: 4b47543a9964d56374a0fc6274b59b06243b6e72378be85b4dfe7683b11c3cfc
Instruction Fuzzy Hash: B75118357082549FC7199B79D804AAD7FA6FBC6325F10C26AE515CF2E5CB318C06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0562D568 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e401214d056e809c0e6e33c312974f5dea524e984c68e230b017f139c5bd0e
Instruction ID: ec47f22187e7048a44970ef8d27b1c9f4613e6fb1890e88dd9cc13d63e6fc315
Opcode Fuzzy Hash: 19e401214d056e809c0e6e33c312974f5dea524e984c68e230b017f139c5bd0e
Instruction Fuzzy Hash: A351FE34A04219EFCF15DFA4E998EEDBBB6BF88314F148019E806A7360DB34A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C5BE0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707e1c4a249bd28dfad82286b5d908fcaba7551cbe2be668e957fa5d64aaab98
Instruction ID: 8d9dcb47aeb64763ebfa74b82a34fe87f3b8c3cfa055cb824bade4b172f0a5f3
Opcode Fuzzy Hash: 707e1c4a249bd28dfad82286b5d908fcaba7551cbe2be668e957fa5d64aaab98
Instruction Fuzzy Hash: C94159357002015BDB25ABA8D49857EBBEBFBC5254B058469E909DF381EF30DC05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0562EA99 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1e3747a733f0393ccb4298667782a45a10adafbba82235507ee6f7bd8affe9
Instruction ID: 44949ee98dfa97fe54c772cfec5664b45ebdfdd36ee53bafc85c38088d5d8098
Opcode Fuzzy Hash: 0c1e3747a733f0393ccb4298667782a45a10adafbba82235507ee6f7bd8affe9
Instruction Fuzzy Hash: 1151D734A00219DFCB14DFA4D598AADBBB6FF88310F158469E806AB760DB31EC46DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CCA18 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2ae1daff3df77358c8509068c28e2456eb30510003364a427de89da032553f
Instruction ID: 7ff70a3bbd6fd0f8b1ca3cc8cc0f31b5d748610a4ca0968094e8658ccd00bf6b
Opcode Fuzzy Hash: 0f2ae1daff3df77358c8509068c28e2456eb30510003364a427de89da032553f
Instruction Fuzzy Hash: B5518C346082848FDB58CFB9C158B9E7BF1AB58315F15445CD809AB3A2EB359C85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056275C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dbc3659e12ea963e54c4469052c568662b85fcae1b9a0bf72d06f1d970efb9
Instruction ID: 77fc958f0f8db6035ce557e3e3d2eb5cb5432970a5faa475d5daa3b96d9c7891
Opcode Fuzzy Hash: 73dbc3659e12ea963e54c4469052c568662b85fcae1b9a0bf72d06f1d970efb9
Instruction Fuzzy Hash: 3D413A387083908FC709AB78D42446E3BF6FF8A21570588AAD506CB396EF364C46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C9E20 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0481c61d74046108ac5d05128024449fd545901d90d61ca9d06a66fa7da7fb6b
Instruction ID: de755195b6ca75602f8114f33aba40c526e7cc8296acc90d7eee09351b390d04
Opcode Fuzzy Hash: 0481c61d74046108ac5d05128024449fd545901d90d61ca9d06a66fa7da7fb6b
Instruction Fuzzy Hash: 96419E71A042059FDB14DFB9C854AAEBBF6FF99300F15406AD109EB352DB35A885CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CCA08 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371cc686f9464336dae4dbfae7ea575dc3a19b6058b5b6123d45d691e8ddf555
Instruction ID: bf70d08654fecac85d2c06ef0dbf66e378263c334ca94b3e5374d7d92a5dfaa1
Opcode Fuzzy Hash: 371cc686f9464336dae4dbfae7ea575dc3a19b6058b5b6123d45d691e8ddf555
Instruction Fuzzy Hash: F8518C346082848FDB58CFB9C148B997BF1EF98315F15845CD809AB3A2EB359C85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C65F8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da65571ec2d22e0fc881dcb1f074c0968890294a0095c166090caf75de4fbc54
Instruction ID: 3caebc61d4ab1dee7c83f68846754f2dce612bf1f2b403635fca91ef47d8d18a
Opcode Fuzzy Hash: da65571ec2d22e0fc881dcb1f074c0968890294a0095c166090caf75de4fbc54
Instruction Fuzzy Hash: 64512A35A00224AFCB14DF68C594A9DF7F2BF88314F569469D465AB751EB30EC42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05627E70 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d368c43f04d2b182a014b11bf2469079cecdd10b897be7be9d53e426df1ae1d6
Instruction ID: e4924db0f2de2b96d2fa3596fbcc29fc21dd374b0af0aeb81117318dd2de6e4a
Opcode Fuzzy Hash: d368c43f04d2b182a014b11bf2469079cecdd10b897be7be9d53e426df1ae1d6
Instruction Fuzzy Hash: 0B41B23420CA418FC725DF78D084AAA7BE6FF882087048928D45BCB759EB34E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CC040 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7409d8aaba86e99bd7658ccfdd5d36b38d9c3fb7a0d24a94765eff6e3abe995d
Instruction ID: 8eab9c2ac60109733d4928b9d129c4535be56c86e634e9d4b206ca1f49a823bd
Opcode Fuzzy Hash: 7409d8aaba86e99bd7658ccfdd5d36b38d9c3fb7a0d24a94765eff6e3abe995d
Instruction Fuzzy Hash: 62417035208B429FC370EF25C680996BBF1BF94208B058E5DC18A8BE61E770FA55CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C8858 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96821b6bce7c6ad88227ffd27e092e2badc00ec5daab5b5c90a038b264b8342d
Instruction ID: c0418d997edc9c709e992177ec4001dfabed7e22f820b983bd9786eafa94a5ae
Opcode Fuzzy Hash: 96821b6bce7c6ad88227ffd27e092e2badc00ec5daab5b5c90a038b264b8342d
Instruction Fuzzy Hash: AC41DF35B042558FDB28CB79C4546AEBBF6AF8C318F154069D905E7394EB358C018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C9E48 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac5ac173934ff1394e1a196386b9ec66e738433010c4e056e50f1fbc3793c82
Instruction ID: 5c8a634a432ebdb3e8a530fa7043bf7bec940d408f9d4dca998586f506769611
Opcode Fuzzy Hash: fac5ac173934ff1394e1a196386b9ec66e738433010c4e056e50f1fbc3793c82
Instruction Fuzzy Hash: D2415C71A002159FDB14DFB8C898AAEBBF6FF8C310F158469E505E7351DB35A885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0562A888 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb960e215c493c01f4a9e163f5c9521af8a1a1975cca16ab058ec84af03b3496
Instruction ID: a31047ba65b663e778ac6f6880bed573827f5697829c04cb98e26ad656d5a650
Opcode Fuzzy Hash: bb960e215c493c01f4a9e163f5c9521af8a1a1975cca16ab058ec84af03b3496
Instruction Fuzzy Hash: 6041E030F042199FDB14DBB5D8147AE37F6EF85204F018469D602EB392DBB88D06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CB877 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ba0606f2f031d49bfe0c186cfc98b053032b7f8ee025d26b0649c5ed13a238
Instruction ID: d81fdf14df400fd141b64f8af56125f2677b40399f797c6d495d156857079887
Opcode Fuzzy Hash: a4ba0606f2f031d49bfe0c186cfc98b053032b7f8ee025d26b0649c5ed13a238
Instruction Fuzzy Hash: 3B41D031204242DFCB08DF64D4948AABBB2FFD52157048AA9D805CB3A5DB31EE41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 05625400 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4279613c57d4c0521891bd273dba1836499ea5b4b65fc14013fffe1271f36c24
Instruction ID: 4b4c61e29458b5d94830b5202d9807fbf28de76af036adff10f4e800c4a8c366
Opcode Fuzzy Hash: 4279613c57d4c0521891bd273dba1836499ea5b4b65fc14013fffe1271f36c24
Instruction Fuzzy Hash: CC41A235A04245EFCF15DFA1E84999CBFB2FF48301B014499E616EB272C73299A4DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CB883 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694f2e68b3c754202f039be9ded3b031fbe47adebb3e54bf51d9800297f71af0
Instruction ID: 0a12bd00cf7ae9bf9be9b6f41f377af0ec0398ec8b97f8bfcd4869ba2d45a686
Opcode Fuzzy Hash: 694f2e68b3c754202f039be9ded3b031fbe47adebb3e54bf51d9800297f71af0
Instruction Fuzzy Hash: 8541E235204242DFCB08DF74D4948AABBB2FFD53157008AA8D9059B7A5DB31EE81CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 05628068 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2278198b945be54860ef4f1525d538321db949239234a4c2c4d005f6cb5695f7
Instruction ID: df7a0a2864a851a37a3539c48969511e69f68d0b44ed657fabc02af101af9314
Opcode Fuzzy Hash: 2278198b945be54860ef4f1525d538321db949239234a4c2c4d005f6cb5695f7
Instruction Fuzzy Hash: 043137347042188FD718DF65C9A8AAA77B6BF88700F144468EA069B3A4CF369C45DF52

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C7DC0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a0e414c9c32be1a2c0bcd92559c98d06350eacfbdf9ee1d5c791731e053189
Instruction ID: 9d074a5af8c766a3f708593142a5d275356b23326d828cc0472ac61acfdbcfcc
Opcode Fuzzy Hash: 85a0e414c9c32be1a2c0bcd92559c98d06350eacfbdf9ee1d5c791731e053189
Instruction Fuzzy Hash: D83170353143019FC729DF35C854A6AB7E6BF94254B1A886DD946CB7A0EB70EC42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CB888 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4804b4d7c5a199e49fc10e45cedc66312d6adfba804a9d353b19d51726d7e5
Instruction ID: 92d4c0df55c131d605df473d01776c276f11ca20735f0d88abf75b9a5dec4b37
Opcode Fuzzy Hash: 1d4804b4d7c5a199e49fc10e45cedc66312d6adfba804a9d353b19d51726d7e5
Instruction Fuzzy Hash: 8531E235204242DFCB04DF64D49486ABBB2FFD42157008AA8D9058B7A5DB31FE41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CE1A0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0c9531d0ee5c371b764b28bb41b1a8427457c703d7556e17db1e5525b2eab2
Instruction ID: 4966cf3ce8dbd7a9a55d36088550b83be6aad8cdfae0c0d6afa0a2ae6e060961
Opcode Fuzzy Hash: 1c0c9531d0ee5c371b764b28bb41b1a8427457c703d7556e17db1e5525b2eab2
Instruction Fuzzy Hash: 6D310535B04515EBCB249B64D45889DF7E7FFD822070A4A19D903A7790EF30AD028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C7DD0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0d7441e9b7c576ddc5bc72d47a1046e83f9a751a54d3ecdea67d05fa9a1da0
Instruction ID: cd9a329151d53f34e9d18860868d266f842498904452fdb0a204cc71932c9b2b
Opcode Fuzzy Hash: 6e0d7441e9b7c576ddc5bc72d47a1046e83f9a751a54d3ecdea67d05fa9a1da0
Instruction Fuzzy Hash: 60314D363147019FC7259B29C444A6AB7E6AF94654715882DE946CB7A0EF70EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 056255A2 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c30b31f05e8747efb03ce521d98023dd4c801c2d1bc034381d00bb69894c1d
Instruction ID: 47c16ffa031dab1728c3688be4336959205782efb28f3232aa03587c339dd6b1
Opcode Fuzzy Hash: b0c30b31f05e8747efb03ce521d98023dd4c801c2d1bc034381d00bb69894c1d
Instruction Fuzzy Hash: 302129362082059BC7249F24E8859DD77E3FF86258B018A69E04B8F266DB716997C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 056281C8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5b71a4e448e1f914491067889e48dbb38ccb6e9fefd07602ccae73208c8bbf
Instruction ID: 2be464a0433efc09e9338fadc9f38d2410bf7e4119321a2b7879ed5fe69f6300
Opcode Fuzzy Hash: 6f5b71a4e448e1f914491067889e48dbb38ccb6e9fefd07602ccae73208c8bbf
Instruction Fuzzy Hash: 8A218B343083414FC728F735945806E77E7AFC9105B018D79C60ACBB94EF71AC068B92

Uniqueness

Uniqueness Score: -1.00%

Function 05628058 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae757bd531eee4eb8f341c36feda7d3d0b43f1be1c29fbcde1b75284a5994c1e
Instruction ID: 05ab8d72e2c6200998c9fd2e7d28d1bbb5a945a483e8b6ebfaef3d0ba134c2e9
Opcode Fuzzy Hash: ae757bd531eee4eb8f341c36feda7d3d0b43f1be1c29fbcde1b75284a5994c1e
Instruction Fuzzy Hash: 1F315A307046198FDB18DF65C998AAA7BB2FF89700F144068E907AB3A1CB32AD41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0562B400 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8a6a4a73cda59480cfd869c6c284b6d40a4eafc20e0a7891b8dde715eadb4c
Instruction ID: dd9a72481ab664f5e9cd2dc8f221d6cfd7ab083d8e9515864a14ab81b81bf11f
Opcode Fuzzy Hash: eb8a6a4a73cda59480cfd869c6c284b6d40a4eafc20e0a7891b8dde715eadb4c
Instruction Fuzzy Hash: C1318832D00B469ACB20EF79D8002C9B3B1FF99320F259719E44977640EB70B6D4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CBE68 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e47194676bdec58085ab186ff1400a24a2ec45e4173e84759ea266530d18a67
Instruction ID: 41921c7c4350c1f98d2d80945862d6d522f1147183dca354a87fc7c6f4438aa6
Opcode Fuzzy Hash: 1e47194676bdec58085ab186ff1400a24a2ec45e4173e84759ea266530d18a67
Instruction Fuzzy Hash: A0216D35B146148F8B20DF6EC49596EB7FAFF8D611B04456AE60ADB320EB30DC008F90

Uniqueness

Uniqueness Score: -1.00%

Function 05625450 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a2a1c00c8755a194b0d2c72d95f52a75183d3b1c80788780772580f118a7b3
Instruction ID: 3624c88760b2d49f2608c18daff2f92e9858fbd7470aa58dc6dee244e5535460
Opcode Fuzzy Hash: b5a2a1c00c8755a194b0d2c72d95f52a75183d3b1c80788780772580f118a7b3
Instruction Fuzzy Hash: 6F313B35900245EFCF19EFA1E8499ACBBB2FF4C301F004458EA16AB361D73269A4DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C82C8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b402d448aece346dfaeb772d0f6390212de84e83d0258b61edd8fabba4d449
Instruction ID: df491103a48c0f542f66d009d7c98f215a2f488798c242ee66a9b1721cf42f18
Opcode Fuzzy Hash: 91b402d448aece346dfaeb772d0f6390212de84e83d0258b61edd8fabba4d449
Instruction Fuzzy Hash: B6316D35A002459FCB04DF64C9988ADBBF6FF99314B14819DD9059B362DB31ED06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C65E7 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b6935db52b6285e3f687d81465d12d4b15db66affbf6f2a976b14ab7c91201
Instruction ID: 013706c2b47828e1047d39ad9c83828c7fed881c08da497b8b12bb53408e1210
Opcode Fuzzy Hash: b3b6935db52b6285e3f687d81465d12d4b15db66affbf6f2a976b14ab7c91201
Instruction Fuzzy Hash: 9D216D34E152289FCB18CFA9D588ADEBBF2AF88210F15946DE415B7361EB309D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C82D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a78fb70644fb327b713bb2e26155f2b406912cc60b75b497b38c772f6607032
Instruction ID: 9efa366c88d172beb73b336627d164589fff87e216085ad0b51df7f12efd4a2e
Opcode Fuzzy Hash: 1a78fb70644fb327b713bb2e26155f2b406912cc60b75b497b38c772f6607032
Instruction Fuzzy Hash: 5F314C3570020A9FCB04DF65C99889DBBF6FF99214B208199DA059B361DB31ED06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0562F451 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9baf49d63662cb8f7cba407af753d3df9a6426178d806628ddd2bf64679bbe99
Instruction ID: 4fcd6987fd4375af7b9b5a1bb2d04780b8890ed1c556883860c4d8935746934e
Opcode Fuzzy Hash: 9baf49d63662cb8f7cba407af753d3df9a6426178d806628ddd2bf64679bbe99
Instruction Fuzzy Hash: 8A219A34A00619DFDB11CF64D895AAABBB2FF88310F148469E9029B3A1CB30D941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0553D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530374375.000000000553D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0553D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_553d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9921e56cb6f69af075bf78ad285b2fbfe2d77f6babaa9656660f2bb4755f0c43
Instruction ID: 6a814eca248b4678b191ce3b77cb773a9691fe2209ac9b0f2226538eb52dab73
Opcode Fuzzy Hash: 9921e56cb6f69af075bf78ad285b2fbfe2d77f6babaa9656660f2bb4755f0c43
Instruction Fuzzy Hash: D22137B6508244DFCB11CF10D9C1F26BBB6FB88368F248569E9094B246C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0553D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530374375.000000000553D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0553D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_553d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ada314d115f573a64aa3aa50fee56be5704faeb86f967370aebb6ff12e89b0
Instruction ID: 3e91e3917092924a281dd6c4f8df58d4d79bea8a6b6aaef0d06206f87e16eff1
Opcode Fuzzy Hash: 44ada314d115f573a64aa3aa50fee56be5704faeb86f967370aebb6ff12e89b0
Instruction Fuzzy Hash: D52103B1508244EFCB00DF50D9C1F26BB76FB88364F24C969E9094F246C37AE856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0562B7A8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d7ec6b48399ddc7b8676f264949863b1769b04b7bcffd57e27b6c35aacd14c
Instruction ID: 41f794401b5d233f2042de0e5389fe92180d18e53c41ff6f6903a605e979525c
Opcode Fuzzy Hash: 11d7ec6b48399ddc7b8676f264949863b1769b04b7bcffd57e27b6c35aacd14c
Instruction Fuzzy Hash: 1321B23070CAE08BC75E9732A02827D3BAAEB45705F04406DE50BCBE95CE3A8805DF53

Uniqueness

Uniqueness Score: -1.00%

Function 0562BED0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33f3ecbf39b06258272af488ea41ab56204d9c2b3ecfdd7b6dc43839ab1e30d
Instruction ID: f7423529602e9e08068bd8e388eff1f07d6aa561a7442446cbb8e2b2f65a4bcc
Opcode Fuzzy Hash: f33f3ecbf39b06258272af488ea41ab56204d9c2b3ecfdd7b6dc43839ab1e30d
Instruction Fuzzy Hash: 1831373470E3C1CFC71ADB7590192187FB5AB46205F1844AAD856CB397C63A8949EB63

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C8E90 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb3a8f17fd0f8bba9044127a55607b4cc9250d81d5e055e0fba222cf75b619d
Instruction ID: 724ed422f74105da0f3b7076974df26fb5b85f0faebb69aab2ffb115721708ec
Opcode Fuzzy Hash: aeb3a8f17fd0f8bba9044127a55607b4cc9250d81d5e055e0fba222cf75b619d
Instruction Fuzzy Hash: 392193353002509FC7259B69D498E7ABBEAFFD8221B10446DFA4687351CB32DC40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CB6A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a2dcca0458282a27ef36f90f1e8cfb091784c66e3af17f06151a28551bf04e
Instruction ID: ae3374d906d702906115b63502ff0c78672ef7f497b47cd9ef64fc83b7e74cce
Opcode Fuzzy Hash: e3a2dcca0458282a27ef36f90f1e8cfb091784c66e3af17f06151a28551bf04e
Instruction Fuzzy Hash: EB21083520C3419BD724EF25C940A9A77A6BFC0219F018829D5498B6A1DF75BE4ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CEC6B Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd2106de84f6270414acb4ca11ba0069268b3056a71836b7c4ca4fcddee7921
Instruction ID: 01493ed8be35da3ffa72bf79e3943dd569244544189b99fe14d9632517bf846d
Opcode Fuzzy Hash: fdd2106de84f6270414acb4ca11ba0069268b3056a71836b7c4ca4fcddee7921
Instruction Fuzzy Hash: 27217FB1D0025A9FCB00DFA9C8449EFBFF9FF99210B10056AE659E3211E7319906CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C9748 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf67799bc5fe6038291e2fe1254a1ed95854af37f88a44f34e7ee1a25ca741b
Instruction ID: 499884591642e1c8cd254db39e8b53f109e36bd478b479c22930e4ffbf6e7869
Opcode Fuzzy Hash: 2bf67799bc5fe6038291e2fe1254a1ed95854af37f88a44f34e7ee1a25ca741b
Instruction Fuzzy Hash: 2621AC352082479FCB15EF24C98489DBBE6BF843287018A59E619CB270EB30BE55CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0562BC70 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961944903d127515dd78e7973a740f816ca6245bb2cb307c6dcea65423679eb5
Instruction ID: c708fbecfdb0888fe05841455e006a33a172efec30a5e988bb420b5de4988b4b
Opcode Fuzzy Hash: 961944903d127515dd78e7973a740f816ca6245bb2cb307c6dcea65423679eb5
Instruction Fuzzy Hash: 2A115E35704707ABCB20EF24D491A9EB3B6FF84218B114D29D1059B670DB70BE9A8BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0553D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530374375.000000000553D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0553D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_553d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4970787f2fda04949aac124d9468e0093009a6ce9120cc45a5e3f71d40d573
Instruction ID: cc12832c5ce012b50bc849831f7449ac67c3454a6626375b220f8e4f8b49c271
Opcode Fuzzy Hash: 0c4970787f2fda04949aac124d9468e0093009a6ce9120cc45a5e3f71d40d573
Instruction Fuzzy Hash: A811B676504284DFCF16CF14D9C4B26BF72FB84324F24C6A9D9094B656C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0553D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530374375.000000000553D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0553D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_553d000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4970787f2fda04949aac124d9468e0093009a6ce9120cc45a5e3f71d40d573
Instruction ID: d2b50162822a7ce3fefc393c5e3d2ef2117f4932ffd94c24f04d7fd4654bfbed
Opcode Fuzzy Hash: 0c4970787f2fda04949aac124d9468e0093009a6ce9120cc45a5e3f71d40d573
Instruction Fuzzy Hash: B611D376404284DFCB01CF10D9C4B26BF72FB84320F24C6A9D8490F656C37AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C9758 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9c8f078babf2013bea33652320114608d9c2a1776b15106518fec757bc9e3c
Instruction ID: 96cb4bebccc3e15cf2130db1e13963836b4a290bbafd0b8bddf2c03e588f907c
Opcode Fuzzy Hash: 0b9c8f078babf2013bea33652320114608d9c2a1776b15106518fec757bc9e3c
Instruction Fuzzy Hash: B3116A352046479FCB14EF24D58489E7BA6BF842197018A18E619CB270EB30BE55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05625660 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0390478150cc4554f1e76e9919046ec7af25cfd7d6731be4038380e7f9444e2e
Instruction ID: 7793c112d1245e0eb178c55dce1e5805105fb5f2c32f6577c22cfdf4e3ae59ef
Opcode Fuzzy Hash: 0390478150cc4554f1e76e9919046ec7af25cfd7d6731be4038380e7f9444e2e
Instruction Fuzzy Hash: DE1106352086074BC730EF29D5809CAB3E6BF8421D7018E28E5498B674DB70FE4587D0

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C5AD8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe107c7ffba80a478cce6c35c5f28b6499a8befea8d4002f70f2710a3366c89
Instruction ID: f0149c992c2da17dfbfe0ef71dcc055a3dd0ee1be483b940283b2d0cbf8074df
Opcode Fuzzy Hash: abe107c7ffba80a478cce6c35c5f28b6499a8befea8d4002f70f2710a3366c89
Instruction Fuzzy Hash: C401B12601E3D14FC313A73864704D53FB24E5712C70A48EBC1D2CF5B3EA148989979A

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CEC80 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bb4c6c7f907334e1d919d5464ffee811066e4fb847297a1149f3c2a4cea685
Instruction ID: 028d8aac01009a0b20b567957994def0ee052daee96b3b19bb6c0bd181921d9e
Opcode Fuzzy Hash: 11bb4c6c7f907334e1d919d5464ffee811066e4fb847297a1149f3c2a4cea685
Instruction Fuzzy Hash: 4C113071A002199FCB50DFA9C8449EFBBF9FF89310B10412AE659E3211D7319946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C5BB0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d98f4cc4f15c7d36049cb0eb16d8890c4783df44d4872a4418ba89a2d0710d
Instruction ID: e59c0e67ad8e4ead7929d414973862b56f4af3e0a89f9fac9d3a294dfceea044
Opcode Fuzzy Hash: c0d98f4cc4f15c7d36049cb0eb16d8890c4783df44d4872a4418ba89a2d0710d
Instruction Fuzzy Hash: 5311E1362593805FC7221A689D18395BF77EB53265F0A81DAE548CF1A3E7306809C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0562BF08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466aea084afda3cef296ac1e7f6e70934538f78811f9ead622d35570ccf30724
Instruction ID: 7bb0bb067580b43929e2ce932396e168cb6e97bac7229fbc9ae149699458cdfb
Opcode Fuzzy Hash: 466aea084afda3cef296ac1e7f6e70934538f78811f9ead622d35570ccf30724
Instruction Fuzzy Hash: 1F21D33430A3C1DFCB1DDB75A01D21D7FB5BB49201F18446AE85A8A385CA3B894DEB67

Uniqueness

Uniqueness Score: -1.00%

Function 0562DA51 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5702bec091b2a769a4ad2add69d5544ed7edde587a791f9d3f66dbe9e0529d1d
Instruction ID: 5a1c831b31df7451337247468d4ec91941f1ce5965eec07641ebaea598af0ed2
Opcode Fuzzy Hash: 5702bec091b2a769a4ad2add69d5544ed7edde587a791f9d3f66dbe9e0529d1d
Instruction Fuzzy Hash: 4101C831B0D1545FD7158A24D854BBAFF71FFC1218F1982AAC50A8B692CB728847CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C8900 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf0410b4bf96ec41cc1382eb998af31bf8722aeedb2ed65ff32b5e60d366191
Instruction ID: d162b6d3a51671a9e21785c0774e97a2c551568cca71e45151d1ff90cd4169a5
Opcode Fuzzy Hash: faf0410b4bf96ec41cc1382eb998af31bf8722aeedb2ed65ff32b5e60d366191
Instruction Fuzzy Hash: A1113435A14245CFDB28CFA4C5586EEBBF2AF88314F154569D502B7390DB3A99408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05624298 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1911b7a5c73b22d793b0db4a9e70a1903b02962ac4039e14651dacd07c4789a5
Instruction ID: b74046a66f5586bdd08f3cecc8a25f50e4992a652ef4df3c3a06fbd2e217cd7c
Opcode Fuzzy Hash: 1911b7a5c73b22d793b0db4a9e70a1903b02962ac4039e14651dacd07c4789a5
Instruction Fuzzy Hash: 96019E353042464B8B18A736A2984AE37EBFED411A3464C2CD10ADF610DF32780A87D1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C8E81 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462a5fb7bf77053e29cafcecb89aed58441e1d14476ab81bc19c9843bf47577
Instruction ID: 26a12bb166a05cfbcd4ad4c70d224a7d317998a1c7f4685428fd251572cef3d5
Opcode Fuzzy Hash: 0462a5fb7bf77053e29cafcecb89aed58441e1d14476ab81bc19c9843bf47577
Instruction Fuzzy Hash: 8F01B531304680AFC7159B29D854A7ABFE9EF89211B04415DF99A87352CB35DC40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0562BC60 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef3ace0eaeee9c89f08774f2cacd007f844beb8801ae4b86cb4ab8183fe8e73
Instruction ID: d0c814a1d270555c451b2262237368a9b13b6478f2922490141ae4dde7fc3452
Opcode Fuzzy Hash: 0ef3ace0eaeee9c89f08774f2cacd007f844beb8801ae4b86cb4ab8183fe8e73
Instruction Fuzzy Hash: 3A012F30B043169FCB20EF24E88489EBBB2FF81208B10492AD0058B621DB70B94A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C87C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a4925cd365b086b2408c0718c8c6d81ad3b0f8d8478db64143cf06757bf62e
Instruction ID: a6e8b1946c86d3800b776a856a3cb3c099006c7dc517e2470461dd61d3410fb4
Opcode Fuzzy Hash: a4a4925cd365b086b2408c0718c8c6d81ad3b0f8d8478db64143cf06757bf62e
Instruction Fuzzy Hash: 450199723043556FC3258B79884456EBFEAFFDA210704406FE104CB710EB31A8018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C87D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302f511b66be7118e7b72028b3dde391658d2085f54f806f4e167b04c77d32ca
Instruction ID: 8b736c9b0d2a3dc95ff54d97714e0b3c2aa1f39a96dd85a3cffc7809fba1145a
Opcode Fuzzy Hash: 302f511b66be7118e7b72028b3dde391658d2085f54f806f4e167b04c77d32ca
Instruction Fuzzy Hash: 9401D1317002556BC7189B6AA85852EBFEBFBD9260700442EE606C7350EF71A8018791

Uniqueness

Uniqueness Score: -1.00%

Function 0562C7C0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e26a1dd97098b72d77473a5eecfbf63e40a42be4403b7c1716b49b2b410d71
Instruction ID: 7ee7063d8f3df55d4ae27de8ce8be93aaf5a3134813d4a5d75d2fec530f5c66f
Opcode Fuzzy Hash: 59e26a1dd97098b72d77473a5eecfbf63e40a42be4403b7c1716b49b2b410d71
Instruction Fuzzy Hash: 9D01BC392086018FC754DF28E584C9ABBF2BF84314716C4AAE406CBB32DBB0ED41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CBDC4 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47dd74e7ca585dcb9495c3983b3d9e37eb96f000211fd0413f7cceb505a24b6
Instruction ID: 0be11794117b1e4e7cbd4b12e537e2b623c2dad6156e21198f54e89f3e57859a
Opcode Fuzzy Hash: b47dd74e7ca585dcb9495c3983b3d9e37eb96f000211fd0413f7cceb505a24b6
Instruction Fuzzy Hash: 3C017C31E082588BDF28CBA5C5556EDBBF1AF88610F15442DC245F7350EB784E40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CAB60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce97204011949d462a42ebf5117865324509b316084a06d5cb09c7574d5a4d1
Instruction ID: 8b2059455e96ba31e6c05760de40168088fbfbc44d7e68fa9f9ed6c69f356eee
Opcode Fuzzy Hash: 7ce97204011949d462a42ebf5117865324509b316084a06d5cb09c7574d5a4d1
Instruction Fuzzy Hash: A30121313083969FC7119B28CA148AEBFAAAFD1204305406EE501CB361DFB0E901DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CD4E8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a365d1f99138d193b9818c5dd8410f6fa24033e3c43b668376baacd19fd4e53
Instruction ID: d4b1395ceef7d1b6e1b968e2634c56b2fbd6afef7eb4d373bc51b608f24e9d71
Opcode Fuzzy Hash: 6a365d1f99138d193b9818c5dd8410f6fa24033e3c43b668376baacd19fd4e53
Instruction Fuzzy Hash: 16F090723142405FC3158A5EF8489AABBFEDBE965031A817EE109C7261EB21AC06DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CBDD0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c49b5c12ce4196a2404999b44ec8b15a96985a17d9d5275f6e4b52c172edea
Instruction ID: 72a8c040685567fafffe57950678c272d5b964afd312184bcb53d0b0496e5cd1
Opcode Fuzzy Hash: c3c49b5c12ce4196a2404999b44ec8b15a96985a17d9d5275f6e4b52c172edea
Instruction Fuzzy Hash: B0018F31E082188BDB18CBA5C8556EEBBF5AF8C610F15402DC145F3350EB785E40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CBDCC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e05a3ee310fa496f985746dc797bdeab01acd0cf6ba111377d3033dea07ea7
Instruction ID: 0ad1549647d172a141cbc184cd9aeedb26e237f057dc9430974fb60617a19712
Opcode Fuzzy Hash: e4e05a3ee310fa496f985746dc797bdeab01acd0cf6ba111377d3033dea07ea7
Instruction Fuzzy Hash: 88017831E082598BDB18CBA5C9556EEBBF2BF8C610F15846DC145F7390EB784A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0562C7D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e60ab41ff6514970611a1c14b604765d3d71bbc600360ad172f7b2e9a39fe7f
Instruction ID: 0fa25fcf817cb7dea68a8ccb9093c21c8754963fdc82dfbfd40c28912990bb45
Opcode Fuzzy Hash: 3e60ab41ff6514970611a1c14b604765d3d71bbc600360ad172f7b2e9a39fe7f
Instruction Fuzzy Hash: D10146392046168FC754DB29D584C9AB7E6BF84219712C469E906CBB21DBB0FD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0562BB30 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd5abe961d69bca08ba3cc893f96447fbb2c758bc81777244258eb69e2cc21c
Instruction ID: fcc75801b8db63e10275f3f054ffed497c9c11cb3a71e5b535bc5d1310708d7c
Opcode Fuzzy Hash: edd5abe961d69bca08ba3cc893f96447fbb2c758bc81777244258eb69e2cc21c
Instruction Fuzzy Hash: 16012470A002199FCF94DFA8E9095DEBBF1FF88314B10862ED409E7210DB706A46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C8848 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f811fed2e3ed43f2e8691d09c1cfdef47f09bc4e9715f62ab09323b5a4000c
Instruction ID: dc5531023de5193a7d5407a85293ae4209629bf3089016968c716d2e2e2d5406
Opcode Fuzzy Hash: e8f811fed2e3ed43f2e8691d09c1cfdef47f09bc4e9715f62ab09323b5a4000c
Instruction Fuzzy Hash: A7F0EC327043605BDB25452768C4957BFDD9F96560706803EE944C7566FB25890155B0

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CAB70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e64053dc7cf06ce0bb0bff964f3826c6c2a2a541b1036514ad194c576fafbd
Instruction ID: fe78b1bd5beac4e60ec80ff477c064bf9c61fe9192c29ac127150450ae5907ef
Opcode Fuzzy Hash: 46e64053dc7cf06ce0bb0bff964f3826c6c2a2a541b1036514ad194c576fafbd
Instruction Fuzzy Hash: 17F0CD313042569FC714AB28C5448AEBBAAAFC5208304842EE502CB320CFB0F901CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0562BD30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ea638fd3a08758d61f28d8a8b23d6f0fa62514aac63a0a67907c99960f7f6f
Instruction ID: 20286e001a7a138d4dc6f014b6c23892e10d02e772b0d1c381467b8d4414eb66
Opcode Fuzzy Hash: 98ea638fd3a08758d61f28d8a8b23d6f0fa62514aac63a0a67907c99960f7f6f
Instruction Fuzzy Hash: 46F0B43620A6919FC311DF28D444C89BBB9AF81624319819EE4488BB32CB65ED52C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 0562BAD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2cf9b9a1d6894503e009a650ce16768e0d0d5bb3070745e1296aec07d8d4b5
Instruction ID: 7f3e6e69df2fd6409d8e77803604c6130a93e16c8322cff7fb37e87b2fba5f89
Opcode Fuzzy Hash: 1e2cf9b9a1d6894503e009a650ce16768e0d0d5bb3070745e1296aec07d8d4b5
Instruction Fuzzy Hash: D2F027352092806FC7255B75A8594DA7FA9EFCA21171148BAE10ACB222CFB50C41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05623588 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993d9db154f0fa65a1fd39540b6b7a56a70487d8a9320743882917c9633d6686
Instruction ID: 96588fb1feaec16d346ef9b21764a7e1d1a98847f52fb6141bd5d701a78c02e5
Opcode Fuzzy Hash: 993d9db154f0fa65a1fd39540b6b7a56a70487d8a9320743882917c9633d6686
Instruction Fuzzy Hash: F5F08130A04249EFCB44FFB5E44849C7BF1FF45209F1044A9C4099B360DB312B98DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CBE63 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d295013d80596bb9eb43d895187e2c7b917d2e279619c1956a2744e279350ad
Instruction ID: 959dc39b0124c1b36f83a9e5f448ce35492d63e7ba905dcc823494062e28a1eb
Opcode Fuzzy Hash: 0d295013d80596bb9eb43d895187e2c7b917d2e279619c1956a2744e279350ad
Instruction Fuzzy Hash: E1F0E531B141158B8B24DB59944986FBBF9FFC9621B00456EE509D7220FB30D8058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0562D73D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74697631aa7ae694514d951354816b6e0ae3bc60380d1c17eecbecae0249679
Instruction ID: 62c93f2fece97771a3b1de3154ad0c5449afc67c88f42bfe98bec293f68d2d84
Opcode Fuzzy Hash: f74697631aa7ae694514d951354816b6e0ae3bc60380d1c17eecbecae0249679
Instruction Fuzzy Hash: CA01A434A05259AFDF01CB90D994FEDBB72BF48704F144015E902B72A0D7759945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0562BB40 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8010c7bdf1c2e18132ee2aa724bbffdb7240f4e8e65eb3941d3a1db2d2de79d
Instruction ID: ee7822c4c47b0911f94d4b2da1816461e91271f39191f5d8cedb80764d652da5
Opcode Fuzzy Hash: c8010c7bdf1c2e18132ee2aa724bbffdb7240f4e8e65eb3941d3a1db2d2de79d
Instruction Fuzzy Hash: 8BF0F475A006299FCF90EF69D8045DEBBF5FF88710B00462AD409E7210EB706A45CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 056282D4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738d8eb4ed3987e72b0502ab44f3db3db2f6d6d0d1fb123e50190de608b3068c
Instruction ID: d94440bb3d22c23d39ef641d570e47e89e0a96276896d652c321b83891a329a2
Opcode Fuzzy Hash: 738d8eb4ed3987e72b0502ab44f3db3db2f6d6d0d1fb123e50190de608b3068c
Instruction Fuzzy Hash: 43F0273510DBA28FC361EB75D98509A7BE1FD85205344CDAEC18ACF934DB20B54ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 05623418 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c7a4e770b770a037ff83ad3faeae9a24b2520699e50bdc872e828c193f355c
Instruction ID: b9f5c886892dd516b2489b7cf4cdf382ff709a7a7e03e97b97d27f65e61ca5b9
Opcode Fuzzy Hash: a8c7a4e770b770a037ff83ad3faeae9a24b2520699e50bdc872e828c193f355c
Instruction Fuzzy Hash: 3DE092323001415BC71867ABA498AEA7BDDFBC9225B10082CE20EDB250CB62284883E6

Uniqueness

Uniqueness Score: -1.00%

Function 0562BD40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a074acc9647ea92dbfff8ae4d0d512cacae727c998e89afba2aedf384a093f
Instruction ID: e1164c8b39a49b84d89588d84ccf5a1fd7b9bdff8e0ec8770b0c7f2de69f8829
Opcode Fuzzy Hash: 16a074acc9647ea92dbfff8ae4d0d512cacae727c998e89afba2aedf384a093f
Instruction Fuzzy Hash: 38F065367059669FC7149F29D444C99B7A9EF85624319816AE4499B731CB20ED81C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 056243A8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68241c1309c98a80108909de7858b87c18371fb3fd1b77681234a012e2e67884
Instruction ID: aa89dfe4ee64003e5dde7ca3ba867fcc4df08d85a2e034e7cf64f3b9fe26b19b
Opcode Fuzzy Hash: 68241c1309c98a80108909de7858b87c18371fb3fd1b77681234a012e2e67884
Instruction Fuzzy Hash: A6F09070900B058FD729DF27D508516BBF6FF88301B00862DE44B86A20DF71A449DF86

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C67C8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53a0543172fca282f803b004f1c569657f45cb9cb0aa3853a4197dc6b14c6fe
Instruction ID: 5ad59ff074f66460ba8c1f9b5cafe1cdcc5e09062bf678c5784cae48fef396b8
Opcode Fuzzy Hash: c53a0543172fca282f803b004f1c569657f45cb9cb0aa3853a4197dc6b14c6fe
Instruction Fuzzy Hash: 10E09B32B102598B8B1577ACA8195FE7BB9EBC5111F004566E505E7240FE305949C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0562BAE0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b532b0cdc1895fa174883c2221776c5d7fffbc1d747009971d8a984cfc7193
Instruction ID: 9af8b50decc1d57aa4ab482d22791e9e90cb3ea20cd0554b4572f3764c4a8e00
Opcode Fuzzy Hash: c5b532b0cdc1895fa174883c2221776c5d7fffbc1d747009971d8a984cfc7193
Instruction Fuzzy Hash: 40E0DF353042443BC724AAAAB84889A7B9EEBC9221B404839F50EC7201DEB21C4082B1

Uniqueness

Uniqueness Score: -1.00%

Function 05624348 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe240b645adc21e3d35ee1b9d2dad614c8f4f35ca63cd296e526c284ff93c8e8
Instruction ID: 2330df128955a8746490702a44de00cbdb90f5d424c90f97312cb235226bc700
Opcode Fuzzy Hash: fe240b645adc21e3d35ee1b9d2dad614c8f4f35ca63cd296e526c284ff93c8e8
Instruction Fuzzy Hash: 43E065312047918FC725E72BE45865A7BFAEBC131AF00082DD146CB611DBA36849C796

Uniqueness

Uniqueness Score: -1.00%

Function 0562A878 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517054f2cb4260a8e049ec18e0b86b39fe927c56c5cc2d7f028d631cf3d7c6a8
Instruction ID: 53c622427dbb2278630f0c56759af43aac33403c46d9e578ff0407c8c13fd827
Opcode Fuzzy Hash: 517054f2cb4260a8e049ec18e0b86b39fe927c56c5cc2d7f028d631cf3d7c6a8
Instruction Fuzzy Hash: 6BE09A30A442108FC718DBB8E80A8D97FF4AF4221030140BBE40ACBA72DA64CC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0562AA50 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d8993b36c52feaf74c67f07417f8f1148caab5fa65b93523fc9a52184080ee
Instruction ID: 6092b80e8f97b87c1602f1a42f943743fc8b498b249fd0cc65471c3c29848f70
Opcode Fuzzy Hash: 93d8993b36c52feaf74c67f07417f8f1148caab5fa65b93523fc9a52184080ee
Instruction Fuzzy Hash: B0E0863294C3545F87098FB894124DE7FE59A97134B0640FBC10ACB272DBB40A45C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C656C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef29dd0943d260efd7e9af42c4cd2cfb2377ac7a6e800bdbc7d153e40bb0029
Instruction ID: 1405299535bdbabc1314601d4ffa7427065ac5728ea6604c4704b90bef737580
Opcode Fuzzy Hash: 9ef29dd0943d260efd7e9af42c4cd2cfb2377ac7a6e800bdbc7d153e40bb0029
Instruction Fuzzy Hash: D8E09235E1420CABCB04EFB4E44549CBBB5EB85208F0085ECD459A7310EB302A04CF95

Uniqueness

Uniqueness Score: -1.00%

Function 056204BC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e681564844bbd12356b38f33871b3dee998492f74a668d0c7d791c3418521f4f
Instruction ID: ea6f5d44306fc67a7f0099971a6bb019be8ff4a8941c4fa68763684f0c9fadee
Opcode Fuzzy Hash: e681564844bbd12356b38f33871b3dee998492f74a668d0c7d791c3418521f4f
Instruction Fuzzy Hash: F7E0687550C151DFC721CB24C4A50B17B71EA0220430047CEE8468F632D6255A57EF00

Uniqueness

Uniqueness Score: -1.00%

Function 0562DB89 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5baaab04a49cfc3b2c24cefb4aede6ceabe17ab1978421e69db5e195ae4ad6
Instruction ID: 6884c9bf89310cfe1b7e4dcd314947e00bb2bffb0be2d355da16a94738d63425
Opcode Fuzzy Hash: 3e5baaab04a49cfc3b2c24cefb4aede6ceabe17ab1978421e69db5e195ae4ad6
Instruction Fuzzy Hash: 63F01CB4C042899F8F94DFA8C0125BEBFF0AB49304F2081AED828E3711E3310652CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056264A0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b40048dd10b1d523642c3f02a46ecfe571a50dad0b2e3647f8db09a8c450ed
Instruction ID: 0efa99fbb3232aa0fc9397bd958c7a08894318d313bb1898134bf0043b589e30
Opcode Fuzzy Hash: f2b40048dd10b1d523642c3f02a46ecfe571a50dad0b2e3647f8db09a8c450ed
Instruction Fuzzy Hash: 05E092312042519FCB65EA28F44458837E2FB86314B054A69D14F8B143C7311C86C751

Uniqueness

Uniqueness Score: -1.00%

Function 05627610 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d69fac85cf3f9d913ed2b71aa17d513f02ba2c295442d2a629d9892ad29d1e6
Instruction ID: ff18ce96bf7e04a7352938eebfcac5f50735905612123b2ca927095e33cf167a
Opcode Fuzzy Hash: 8d69fac85cf3f9d913ed2b71aa17d513f02ba2c295442d2a629d9892ad29d1e6
Instruction Fuzzy Hash: 9EE0C235708B518FC30AA779E4204E9BBA6EA8A160309C8A7D50ACFA81EB355806C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CA3F7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be901ec76a52f74a887b0ed795470beaf153c66c2f049d2f9c23e808e68fb1a2
Instruction ID: 23b826cdb12cf1680c51ee144f62e73e61624fd30183201d5f1df90b2dedaa77
Opcode Fuzzy Hash: be901ec76a52f74a887b0ed795470beaf153c66c2f049d2f9c23e808e68fb1a2
Instruction Fuzzy Hash: A1E0EDB0D0925D9ECB54EFA994065AEBFF1AF49210F24466ED919E3211F2304646CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0562045A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09992532904a22cd90740e93585b6cf03c36917367e1e05adc9179992f5a1cef
Instruction ID: b94f2eb4165afedcf403d7c7dbafac247d87f301602cb571770e6157592c4c70
Opcode Fuzzy Hash: 09992532904a22cd90740e93585b6cf03c36917367e1e05adc9179992f5a1cef
Instruction Fuzzy Hash: 2EE08672601109AFCF40DFB8DA8378CB7F5EB42108F5088A9D40AD7310DA717F05AB40

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C5B70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dae2f3f10de26a41e6ce8d64a624f468bf9a0d42ebd8d805556b822869b30d
Instruction ID: 490a903bd487e6fb782f07b7834e16dc27c1448eb6b2c34a3141cf173570daa3
Opcode Fuzzy Hash: 33dae2f3f10de26a41e6ce8d64a624f468bf9a0d42ebd8d805556b822869b30d
Instruction Fuzzy Hash: 64E046312007108F8B20AB68D44486A77E9AB89618300885DE20ACB320DAA0EC008B84

Uniqueness

Uniqueness Score: -1.00%

Function 05624E68 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7c17d469589fe98833bb98f0884432feaf323e900728f496557dd93fb6fe97
Instruction ID: e081243fdeae951ab2ee026f72d87106b440a3c52bcc7937d63489f9c4a6e61a
Opcode Fuzzy Hash: 8e7c17d469589fe98833bb98f0884432feaf323e900728f496557dd93fb6fe97
Instruction Fuzzy Hash: 35E0DF342042A1AFD729DB24F09498937B2EF85315B1546ADD04B8B263C7305CCACB82

Uniqueness

Uniqueness Score: -1.00%

Function 056233D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76804aa6ff3fec6b87e501a24c1724e88a42897f68f66834311e603e27bab1c2
Instruction ID: cd07c1fde2e2a300e46aa5486fb934715cf7ce3154c06d81a2e249f4ab5846cd
Opcode Fuzzy Hash: 76804aa6ff3fec6b87e501a24c1724e88a42897f68f66834311e603e27bab1c2
Instruction Fuzzy Hash: BED02B317041505B8A0CA32AB4084AD37DAEEC452230504A9E307DB200CF331C0943DA

Uniqueness

Uniqueness Score: -1.00%

Function 0562BA88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d133d38e98c25e47321adf626a157ee9949c0f6c4e4300e0be4702779d7405f1
Instruction ID: 454919d4013e49292acc67cf62d12bda221c7065b799bb6bc027a2e7436727cd
Opcode Fuzzy Hash: d133d38e98c25e47321adf626a157ee9949c0f6c4e4300e0be4702779d7405f1
Instruction Fuzzy Hash: 7AE0D8303066805FC72ADF31D0A664577E2FF48310F428868E417C7A57D7789891CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C6570 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1302bff43c7af46256c343fe21161a49d5dd9775e1c4b62979d6d73e871c37da
Instruction ID: 4a994e6d8438ca1d35840d4b96c847af01b8c14a07ba98c7f02bf21d1a33508d
Opcode Fuzzy Hash: 1302bff43c7af46256c343fe21161a49d5dd9775e1c4b62979d6d73e871c37da
Instruction Fuzzy Hash: A3E04F30E0820CAFCB44EFA8E44459CBBB5EF84204F0085EDD409E7350EB302A04CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0562DB98 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30ce260a36cbc926dbc8d104e817fb6aff20b86ad3af841c281f7b212a2d485
Instruction ID: 904b64c280723495464cd804a774af4574ad3d53e46e38e69c4c4eb794d5b908
Opcode Fuzzy Hash: f30ce260a36cbc926dbc8d104e817fb6aff20b86ad3af841c281f7b212a2d485
Instruction Fuzzy Hash: 92E092B4D0420E9F8B84DFA9D4465BEFFF5AB48300F10816AE918E2350E7345A51CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CFF41 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b282edecc7b6a877a4c76ff3843ba59b2a9ee85b2bed7dcee35f7b844e4e3269
Instruction ID: 8beb40a026224504f6e10323c22c33b96fbb07062be72d4cf9ed1dae811506ee
Opcode Fuzzy Hash: b282edecc7b6a877a4c76ff3843ba59b2a9ee85b2bed7dcee35f7b844e4e3269
Instruction Fuzzy Hash: 54D05B2020CA814FDF16CB66901519DBBA0EF66704725409AD0C5CB153D7BA0507FEF3

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C6460 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23ca1f436c86c79e656a09e3560b52144357562c85685def69ec14e69b3a77
Instruction ID: a42a3a5067d141e6edfaf937c6eb7c60764d7727ab3bd14e67b8718ad98af080
Opcode Fuzzy Hash: fb23ca1f436c86c79e656a09e3560b52144357562c85685def69ec14e69b3a77
Instruction Fuzzy Hash: A9E09974E0420CAF8B44EFA9E54899DBBF5EB88200F00C0AAD918E3300EA349A108F81

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CC940 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df99c8cc9802b34bb0b17c2d457badaf1b859317a04f9a6826ddaaf59358aa32
Instruction ID: 2c733abe0b2896a5a7843a27985b71971f6852d0d4f204168be8382dd01fa957
Opcode Fuzzy Hash: df99c8cc9802b34bb0b17c2d457badaf1b859317a04f9a6826ddaaf59358aa32
Instruction Fuzzy Hash: 0BD05E312042498BC708EBB5E01862A339AEB90A49B444068E40E8BB81DBB7D884EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05620468 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1caec66e405744dd50abd39bd9fc4ddd3811c868e8f1f90738428e5eb1ead9
Instruction ID: e170d642eadd3c52d02503d3b2f4efb1970afd8546934539ebc983dbec1b093c
Opcode Fuzzy Hash: db1caec66e405744dd50abd39bd9fc4ddd3811c868e8f1f90738428e5eb1ead9
Instruction Fuzzy Hash: 54D01270A04109EF8F40DFA8D98559DB7F5EB4510871044A9D50AD7210DA312F049B40

Uniqueness

Uniqueness Score: -1.00%

Function 0562AA60 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee93d12538feb44807685290cbc27c0c190c34307c33bdb0ec6112ba8faea516
Instruction ID: 824eedf1de5191c23744f90b579e35b733c4c529123bbe7baf0afff6e42cd270
Opcode Fuzzy Hash: ee93d12538feb44807685290cbc27c0c190c34307c33bdb0ec6112ba8faea516
Instruction Fuzzy Hash: D0D02232A0C3286B0704DEF854014CE7FDDCA94078F06006BC60CCB300EE701A4042D5

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CC92F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd492720770aef1cf247bc0d626087fdbf7ba8d7d4d17b0574477b48359fd7e
Instruction ID: 2bb7ffc803c3ed99b5228d0190c0cda4fb482a41587313472dddaa49ad4d73cd
Opcode Fuzzy Hash: 7bd492720770aef1cf247bc0d626087fdbf7ba8d7d4d17b0574477b48359fd7e
Instruction Fuzzy Hash: 38D05E341023418FC754EF25D489985BFB0EE61289314818EE40ACB563C3B6C00BEF51

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C56C0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5424d022a5713e29f97374a755391ca946ca07d1dee6a5ccf458f9a9f0348697
Instruction ID: a38ed5b8dc6565589ec53b2d6cdcb69b2815343b319b579d594a6343eb6aa605
Opcode Fuzzy Hash: 5424d022a5713e29f97374a755391ca946ca07d1dee6a5ccf458f9a9f0348697
Instruction Fuzzy Hash: BAD02B30915748CEC711AB34D41549C7FB0BF23300701219FD045D7031FB21604DCB10

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CA408 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b919775e672d775d24a5c6c84fae4e6433674cd644dc7cbda872754e0710d280
Instruction ID: 6322d7eb2c7cd0aec587a2f0a08b0ad7fb65aa49a29b5acaf38477d7399ad854
Opcode Fuzzy Hash: b919775e672d775d24a5c6c84fae4e6433674cd644dc7cbda872754e0710d280
Instruction Fuzzy Hash: 03D067B0E0525D9F8B84EFE994465BEBFF5AB48210F1046AA991DE3300F6345651CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C5B38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f837941fba40fd9ae2e98aba7465dd483f3f371e7650e1fa7a521f47a76a5215
Instruction ID: d844375029f42f8636929b3c7d19b9f835d1ca2c03a0c9e261f6792fa7500b24
Opcode Fuzzy Hash: f837941fba40fd9ae2e98aba7465dd483f3f371e7650e1fa7a521f47a76a5215
Instruction Fuzzy Hash: DBD0A932224A248FC710AB28E40489833E8AF4962830040AAE206CB330CAA2AC008BC9

Uniqueness

Uniqueness Score: -1.00%

Function 0A1CC396 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e959e789def7147c0d13da62d62df7e3f2d2f8fdac94ab5f0e093644e9dbae1
Instruction ID: cb65a09aa3de8823334ee36d2758375831669bc7cb51e673824967b48bc11877
Opcode Fuzzy Hash: 1e959e789def7147c0d13da62d62df7e3f2d2f8fdac94ab5f0e093644e9dbae1
Instruction Fuzzy Hash: 79D09E366001498BCB00EF90E5554DCBB71FBC8365B045161D6096322187306955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C64A8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7ce9482e41dca018c5d5487b8219d8451626ba0286dfd3013695b394ee4284
Instruction ID: 869e2c1ba69da3cc256132f31b43fb3d78907a14ca9ad0ce6f939b6aac61a670
Opcode Fuzzy Hash: 7f7ce9482e41dca018c5d5487b8219d8451626ba0286dfd3013695b394ee4284
Instruction Fuzzy Hash: 79C08C3291920CA71B00DEE4991449EB7EDCBC5108F0086A9CD08AB300EE322E0416E2

Uniqueness

Uniqueness Score: -1.00%

Function 0562AA30 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc7866b4909fbb87a1071b3d14db5401a34e6ae90057e72651374c3c83a1825
Instruction ID: 807e7be53bd7da5e4cf2ac9857c21e749b1f5dc181d9320ffd42071fcd3c434c
Opcode Fuzzy Hash: cfc7866b4909fbb87a1071b3d14db5401a34e6ae90057e72651374c3c83a1825
Instruction Fuzzy Hash: 8AC0123024C3C05FCB069724941505D3F625DC311470E84EBD1858E073D6154446C712

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C56D0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ff02fd916cecb654f5654faf7b14d6756c24bd07d27b22ec0f2903dc81ad7b
Instruction ID: 9d00c21b8909471e22572863efd21279457e889bef13f9ed303bf6e67d101702
Opcode Fuzzy Hash: 16ff02fd916cecb654f5654faf7b14d6756c24bd07d27b22ec0f2903dc81ad7b
Instruction Fuzzy Hash: A3C0123142070CCEC700BAA8E419898BBB8BB15300B40622AE44A6A120FF20A5A9DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0A1C5700 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.531802350.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a1c0000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d8fafb878ea2d0c3bee4ec398ae6d8ada38516232c80893a2a1404f61c71fc
Instruction ID: 8ba12ab87e3b27f6c643e55af885a3ad450077e4ba4f6f591046bba57d02ae3e
Opcode Fuzzy Hash: 66d8fafb878ea2d0c3bee4ec398ae6d8ada38516232c80893a2a1404f61c71fc
Instruction Fuzzy Hash: 38C0123242170CCEC700BAA8E419898BFB8BB15301B00826AE8452A250EF30A1A9DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05620440 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd386749c73fd52afbc1d4c40a1b9fef47779f52f3b0d5a1e45afd2bcf71e45b
Instruction ID: 74de4d6e020742f39eca5c74b05761970ee750bc33e05944cbe68ab0c9e20fea
Opcode Fuzzy Hash: cd386749c73fd52afbc1d4c40a1b9fef47779f52f3b0d5a1e45afd2bcf71e45b
Instruction Fuzzy Hash: 76B012B7402042A7DEC101E0D64B3C01F91E74322DF2850409052CC902FB8040036803

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05625260 Relevance: 8.9, Strings: 7, Instructions: 103COMMON

Download Yara Rule

Strings

`|^, xrefs: 05625356
`|^, xrefs: 05625320
`|^, xrefs: 056252B3
`|^, xrefs: 056253C3
`|^, xrefs: 0562527C
`|^, xrefs: 056252E9
`|^, xrefs: 0562538D

Memory Dump Source

Source File: 00000002.00000002.530698355.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5620000_AppLaunch.jbxd

Similarity

API ID:
String ID: `|^$`|^$`|^$`|^$`|^$`|^$`|^
API String ID: 0-984518813
Opcode ID: 7064f0dbf7f836b53858af9ad2099118352b9c92eb6e6f57fed6339bf095354b
Instruction ID: 64b5f3d17772df37d0635a1bfa820ce9f5f7d708cb6d26410c148ca6db76a782
Opcode Fuzzy Hash: 7064f0dbf7f836b53858af9ad2099118352b9c92eb6e6f57fed6339bf095354b
Instruction Fuzzy Hash: 1A41FD74E002499FCB48EFF5E58889DB7B9FF48205B108919E516F7350DB326A44CF62

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AIRMOBFR	Summary-133608431-Feb-15.xlsb	Get hash	malicious	Browse	185.252.215.41
	Summary-133608431-Feb-15.xlsb	Get hash	malicious	Browse	185.252.215.41
	Summary-313689350-Feb-15.xlsb	Get hash	malicious	Browse	185.252.215.41
	Summary-313689350-Feb-15.xlsb	Get hash	malicious	Browse	185.252.215.41
	Summary-573686706-Feb-15.xlsb	Get hash	malicious	Browse	185.252.215.41
	Summary-573686706-Feb-15.xlsb	Get hash	malicious	Browse	185.252.215.41

Target ID:	0
Start time:	16:59:48
Start date:	21/03/2022
Path:	C:\Users\user\Desktop\cDtHMoEHO4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cDtHMoEHO4.exe"
Imagebase:	0x400000
File size:	566784 bytes
MD5 hash:	52F85F5842D8DE0C13B4E7ED08F4F46F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.279048300.0000000000185000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.278504573.00000000038A2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Target ID:	1
Start time:	16:59:49
Start date:	21/03/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	16:59:56
Start date:	21/03/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0xb70000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.529276105.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cDtHMoEHO4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
cDtHMoEHO4.exe

Function 00402730 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Function 00407A5C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82
COMMON

Function 004162B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80
COMMONLIBRARYCODE

Function 00413CBC Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Function 00402070 Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Function 00402140 Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Function 00404830 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 322
COMMON

Function 0041D2E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Function 0040F6CD Relevance: 4.6, APIs: 3, Instructions: 141
COMMONLIBRARYCODE

Function 00412C37 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Function 0040F82C Relevance: 4.6, APIs: 3, Instructions: 96
COMMONLIBRARYCODE

Function 0041D78E Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Function 00414B37 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
COMMONLIBRARYCODE

Function 004193C6 Relevance: 3.2, APIs: 2, Instructions: 171
COMMONLIBRARYCODE

Function 0040826F Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Function 00411300 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONLIBRARYCODECrypto

Function 0040D203 Relevance: 3.1, APIs: 2, Instructions: 78
COMMONLIBRARYCODE

Function 00409D82 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 004098AE Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE