Edit tour

Windows Analysis Report
hBB2KnTndI.exe

Overview

General Information

Sample Name:	hBB2KnTndI.exe
Analysis ID:	635800
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
Tags:	32exetrojan
Infos:

Detection

Amadey

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Contains functionality to prevent local Windows debugging

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found evaded block containing many API calls

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

hBB2KnTndI.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\hBB2KnTndI.exe" MD5: B413FF6E943C415AFC26640FF535C724)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 6860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

orxds.exe (PID: 6924 cmdline: "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe" MD5: 6807F903AC06FF7E1670181378690B22)

WerFault.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.262491711.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.264188526.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.264842182.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.hBB2KnTndI.exe.8a0000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.hBB2KnTndI.exe.8a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.2.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hBB2KnTndI.exe	Virustotal: Detection: 39%			Perma Link
Source: hBB2KnTndI.exe	ReversingLabs: Detection: 39%

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000000.265811134.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then sub esp, 1Ch	0_2_0042C470
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx	0_2_004738B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0049A9C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h	0_2_00470A20
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h	0_2_00486B40

Source: hBB2KnTndI.exe

String found in binary or memory: http://gcc.gnu.org/bugs.html):

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00407090 CreateMutexW,GetLastError,GetFileAttributesA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

5_2_00407090

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402150 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

5_2_00402150

Source: hBB2KnTndI.exe, 00000000.00000000.265140513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00468160	0_2_00468160
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CD137	0_2_004CD137
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C250	0_2_0041C250
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004503C0	0_2_004503C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004593D0	0_2_004593D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454440	0_2_00454440
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00466420	0_2_00466420
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00467430	0_2_00467430
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004BA540	0_2_004BA540
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044B500	0_2_0044B500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00456500	0_2_00456500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044D5E0	0_2_0044D5E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004416C0	0_2_004416C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004656F0	0_2_004656F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D87F0	0_2_004D87F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0045A780	0_2_0045A780
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C8E0	0_2_0041C8E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004428E0	0_2_004428E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00457970	0_2_00457970
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004439D0	0_2_004439D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044AA40	0_2_0044AA40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041CA70	0_2_0041CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044CA70	0_2_0044CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044EA00	0_2_0044EA00
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00453A30	0_2_00453A30
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DBB27	0_2_004DBB27
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DBC47	0_2_004DBC47
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00420CD0	0_2_00420CD0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D8C88	0_2_004D8C88
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00425D40	0_2_00425D40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00445DE0	0_2_00445DE0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00450DA0	0_2_00450DA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00444DB0	0_2_00444DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00459DB0	0_2_00459DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DDE50	0_2_004DDE50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DCE9D	0_2_004DCE9D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452F60	0_2_00452F60
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454F10	0_2_00454F10
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041AFC0	0_2_0041AFC0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00414FF0	0_2_00414FF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0043DFF0	0_2_0043DFF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00449F90	0_2_00449F90
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044BFB0	0_2_0044BFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00422868	5_2_00422868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00409877	5_2_00409877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425827	5_2_00425827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00404120	5_2_00404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00426A7D	5_2_00426A7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00427A30	5_2_00427A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004223D0	5_2_004223D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00416D17	5_2_00416D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425707	5_2_00425707

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004C9BD0 appears 34 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0040146E appears 85 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A57E0 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004123E0 appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004137B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: String function: 00DCFB02 appears 62 times

Source: hBB2KnTndI.exe

Static PE information: invalid certificate

Source: hBB2KnTndI.exe

Static PE information: Number of sections : 16 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5

Source: hBB2KnTndI.exe	Virustotal: Detection: 39%
Source: hBB2KnTndI.exe	ReversingLabs: Detection: 39%

Source: hBB2KnTndI.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hBB2KnTndI.exe "C:\Users\user\Desktop\hBB2KnTndI.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f

Jump to behavior

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@7/5@0/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hBB2KnTndI.exe

Static file information: File size 2476494 > 1048576

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000000.265811134.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004115A7 push eax; mov dword ptr [esp], ebx	0_2_004115AE
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A160 push eax; mov dword ptr [esp], ebx	0_2_0046A67B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D2D0 push eax; mov dword ptr [esp], ebx	0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C3C0 push eax; mov dword ptr [esp], ebx	0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479530 push eax; mov dword ptr [esp], ebx	0_2_00479666
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A690 push eax; mov dword ptr [esp], ebx	0_2_0046ABAB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479780 push eax; mov dword ptr [esp], ebx	0_2_004798B6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D920 push eax; mov dword ptr [esp], ebx	0_2_0047DCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004137F6 push ecx; ret	5_2_00413809
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_00DCF8E8 push ecx; ret	7_2_00DCFAB8
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_00DCFAD0 push ecx; ret	7_2_00DCFAE3

Source: hBB2KnTndI.exe	Static PE information: section name: /4
Source: hBB2KnTndI.exe	Static PE information: section name: /14
Source: hBB2KnTndI.exe	Static PE information: section name: /29
Source: hBB2KnTndI.exe	Static PE information: section name: /41
Source: hBB2KnTndI.exe	Static PE information: section name: /55
Source: hBB2KnTndI.exe	Static PE information: section name: /67
Source: hBB2KnTndI.exe	Static PE information: section name: /80
Source: hBB2KnTndI.exe	Static PE information: section name: /91
Source: hBB2KnTndI.exe	Static PE information: section name: /102

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: hBB2KnTndI.exe

Static PE information: real checksum: 0x2619f8 should be: 0x25f5ed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_00DCD53A rdtsc

7_2_00DCD53A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Evaded block: after key decision

graph_5-19864

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	API coverage: 8.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

5_2_00405230

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

API call chain: ExitProcess graph end node

graph_0-44870

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00417C96

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402C50 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

5_2_00402C50

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_00DCD53A rdtsc

7_2_00DCD53A

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CF542 mov eax, dword ptr fs:[00000030h]	0_2_004CF542
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CB7B1 mov eax, dword ptr fs:[00000030h]	0_2_004CB7B1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004EEBEC mov eax, dword ptr fs:[00000030h]	0_2_004EEBEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00419122 mov eax, dword ptr fs:[00000030h]	5_2_00419122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00415391 mov eax, dword ptr fs:[00000030h]	5_2_00415391

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004011A5 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,KiUserExceptionDispatcher,_cexit,ExitProcess,	0_2_004011A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413738 SetUnhandledExceptionFilter,	5_2_00413738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413983 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00413983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00417C96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004135D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_004135D3
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_00DCF580 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,	7_2_00DCF580

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B1008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004EEC21 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_004EEC21

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_00DC915E LoadLibraryExW,GetProcAddress,FreeLibrary,IsDebuggerPresent,DebugBreak,

7_2_00DC915E

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"			Jump to behavior

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004C9813 cpuid

0_2_004C9813

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00413811 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00413811

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00421B1C _free,GetTimeZoneInformation,_free,

5_2_00421B1C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

5_2_00405230

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_0040F1D0 IsUserAnAdmin,GetUserNameW,GetComputerNameExW,

5_2_0040F1D0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.262491711.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.264188526.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.264842182.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	511 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	511 Process Injection	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hBB2KnTndI.exe	39%	Virustotal		Browse
hBB2KnTndI.exe	39%	ReversingLabs	Win32.Trojan.Jaik

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	2%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.3.hBB2KnTndI.exe.8a0000.0.unpack	100%	Avira	HEUR/AGEN.1237917		Download File
5.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1237910		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://gcc.gnu.org/bugs.html):	hBB2KnTndI.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635800
Start date and time: 29/05/202219:42:26	2022-05-29 19:42:26 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hBB2KnTndI.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spyw.evad.winEXE@7/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.3% (good quality ratio 2.6%) Quality average: 50.5% Quality standard deviation: 35.1%
HCA Information:	Successful, ratio: 89% Number of executed functions: 37 Number of non-executed functions: 165
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.21
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	FORTNITEA.exe	Get hash	malicious	Browse
	SqBYgi0x4H.exe	Get hash	malicious	Browse
	61wg87Mp5s.exe	Get hash	malicious	Browse
	xwBgnRX7mc.exe	Get hash	malicious	Browse
	7uvkuUP9Ki.exe	Get hash	malicious	Browse
	updated.exe	Get hash	malicious	Browse
	h4fbH7kLXV.exe	Get hash	malicious	Browse
	bvOGvz01O9.exe	Get hash	malicious	Browse
	31201672.exe	Get hash	malicious	Browse
	16440147.exe	Get hash	malicious	Browse
	net.exe	Get hash	malicious	Browse
	TbDXlssS18.exe	Get hash	malicious	Browse
	99TdCVWLNI.exe	Get hash	malicious	Browse
	99TdCVWLNI.exe	Get hash	malicious	Browse
	gBIqPAcGLq.exe	Get hash	malicious	Browse
	IV5Mp1B4F7.exe	Get hash	malicious	Browse
	PnmZUzGgZm.exe	Get hash	malicious	Browse
	PnmZUzGgZm.exe	Get hash	malicious	Browse
	rTxXMIDYVm.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_1b4c45b6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6825554213562323
Encrypted:	false
SSDEEP:	96:E2F95Q1hDNH7DAfFpXIQcQvc6QcEDMcw3Dz+HbHg/5VG4rmMOyWZAXGng5FMTPSy:bv5gF8HBUZMXwjlq/u7s9S274ItE
MD5:	F49AA2CE34201C0ED4C6DC7E2580B784
SHA1:	94AE53C0212FAF3261D369EE8A0350552D1C4F60
SHA-256:	F9FEEC72FC0B01B4633E664EEB02CC6814AFDF2B02B091CD8618E5F7EFBFBC23
SHA-512:	9C0D924AB54E72CE3A7E679A176D027964D43AA282DB31E55086198C5A1788FB452D0C43B41DE46286C6E1075F0EF0CFBA5F9714E20FE590E6D52F254B2D83AF
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.8.3.5.2.2.1.8.9.0.2.7.5.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.8.3.5.2.2.2.2.4.0.2.7.4.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.3.5.6.6.0.2.-.1.4.2.3.-.4.1.f.c.-.a.3.9.0.-.c.7.3.0.8.4.3.a.e.8.1.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.6.f.e.2.5.0.-.7.b.b.3.-.4.0.3.4.-.b.6.b.9.-.b.6.d.e.d.5.9.e.2.0.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.B.B.2.K.n.T.n.d.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.d.-.2.e.4.0.-.f.9.0.8.c.f.7.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.1.9.a.6.8.d.c.7.b.4.d.3.5.6.1.6.f.6.1.b.3.2.1.2.a.4.1.d.9.f.0.0.0.0.f.f.f.f.!.0.0.0.0.f.c.c.1.3.d.5.2.b.f.2.8.4.1.6.f.3.b.8.a.5.9.4.d.5.8.1.1.3.f.d.8.8.2.8.a.4.0.9.3.!.h.B.B.2.K.n.T.n.d.I...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER325D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 30 02:43:39 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	32426
Entropy (8bit):	2.012984607377576
Encrypted:	false
SSDEEP:	192:JJlJbdOQhLD18DuPqDBJKh7E/qeQwq7A3yJ0Q:bQQl58DuSexEieQ5
MD5:	69ADA93D12ABB0E7C95863E57644450F
SHA1:	23B31CC845750963355D8E4660D81C46008008A1
SHA-256:	2EA59657AA7702D7A3BC07DA5AF7FF2B8308E8773A19679275F97FE4ABDE4326
SHA-512:	74FA6F6D6B5A80E573AB97F23D852B98A560AFD7113B53BF715263DA1FDADD19979D6B5A5AC42249BDD182F03E7222B5DCF757A318FDB60BD278C4A8E80A5B3D
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......[/.b........................................H...........T.......8...........T................s...........................................................................................U...........B..............GenuineIntelW...........T.......@...M/.b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36B3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.698076292139725
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiZX6mq6YWoSUH6qiNAgmfcSQoCpr489bnUsfgNm:RrlsNip696YJSUH6agmfcSKnHfH
MD5:	27A6D542C4C16DC1970A3F52A30DDC6B
SHA1:	D2CFB22FCEF5BECA746739AF241D23EBB41ABBE0
SHA-256:	4DACF9F643C7197F00BF93F42F1412C6E8615F440964804A4E9DCD97CA505B50
SHA-512:	34E344EB617A86963AEE9DADCC7EF5E50912A88B99681609C0A7CC095D862BA96CA9F16480CC3C2B2F027DE3E1C0B5971D289DE3F8EF67C4EA9002ED24E3ACC4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A6D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4568
Entropy (8bit):	4.464078860628713
Encrypted:	false
SSDEEP:	48:cvIwSD8zsEJgtWI9vsDmWgc8sqYj5ya8fm8M4J0HFf2j+q8Qq02jKlkd:uITfCisDngrsqYdyvJZI02jekd
MD5:	A8031E7E8BF09A8436C1A691EBDF881D
SHA1:	851D82DCE40546C019AA67F0C915511A25FBF8AE
SHA-256:	75DC3A49DAAB91D935325967AD398B780C096D71F941C53D0ABDD70616C70974
SHA-512:	5BBAA17FAEED418F2426365AA6FA8A376B764A41C18203CE72809493DE712C13D07DF9B9328B1756001AD6646DF6644BAB71391089AD3AD659C02F559487784E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1537194" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98912
Entropy (8bit):	6.288162510609848
Encrypted:	false
SSDEEP:	1536:mdCQC+TbenjRV4hbdZ7Fbk7zrbITCFcnMeaYNVq7B7d:mdCQZTbejTHXACFcnMjiMJ
MD5:	6807F903AC06FF7E1670181378690B22
SHA1:	901EC730ADC4A7C8531E8DA343A977E04FDE8B03
SHA-256:	115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5
SHA-512:	37CC7812BFD4F5A4D81D7D4B5B5906D35928856BFAF7B532481B4233AFA36E9C41C3D42D84290288A0DEB47F5D8CD54FE1280C1E0F639B8240F9AB2638716EEB
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 2%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: FORTNITEA.exe, Detection: malicious, Browse Filename: SqBYgi0x4H.exe, Detection: malicious, Browse Filename: 61wg87Mp5s.exe, Detection: malicious, Browse Filename: xwBgnRX7mc.exe, Detection: malicious, Browse Filename: 7uvkuUP9Ki.exe, Detection: malicious, Browse Filename: updated.exe, Detection: malicious, Browse Filename: h4fbH7kLXV.exe, Detection: malicious, Browse Filename: bvOGvz01O9.exe, Detection: malicious, Browse Filename: 31201672.exe, Detection: malicious, Browse Filename: 16440147.exe, Detection: malicious, Browse Filename: net.exe, Detection: malicious, Browse Filename: TbDXlssS18.exe, Detection: malicious, Browse Filename: 99TdCVWLNI.exe, Detection: malicious, Browse Filename: 99TdCVWLNI.exe, Detection: malicious, Browse Filename: gBIqPAcGLq.exe, Detection: malicious, Browse Filename: IV5Mp1B4F7.exe, Detection: malicious, Browse Filename: PnmZUzGgZm.exe, Detection: malicious, Browse Filename: PnmZUzGgZm.exe, Detection: malicious, Browse Filename: rTxXMIDYVm.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O...!R..!R..!RR..R..!R8..R..!R8..R..!R8..R..!R8..R..!R...R..!R.. Rg.!RR..R..!R.Y.R..!R.Y.R..!R.Y.R..!RRich..!R........................PE..L..._X.Z.........."..........2............... ....@..................................@....@...... ...........................A.......P...............D..`>...`..........T..............................@............@...............................text............................... ..`.data........ ......................@....idata..j....@......................@..@.rsrc........P....... ..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.357132284261992
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hBB2KnTndI.exe
File size:	2476494
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
SHA512:	ca5ac0fc7aa0ed1a615ccd628b8b97b3d83b31e0da58b9d9e23e4e9f97bfa598920119e8afbbdac6e97c994e8739651083fd1afe69384d25a1fd6bc4702ce815
SSDEEP:	24576:dofQL0YjKOTrGRTnFZUDt4KZHD6XyeOjuTfedlb0hv4d7KXl8p+NauQ5V3h357:dofQL0YjKOTrGJ7C5iOjuTWdlxd7Kc
TLSH:	1CB51A135A8B0E75DDC23BB4A1CB633E9734EE30CA2A9B7FF609C53559532C5681A702
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..b.j...R...........\...H...............p....@...................................&....... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4012e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6290AF3D [Fri May 27 11:00:13 2022 UTC]
TLS Callbacks:	0x41bc40, 0x41bbf0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0dfe559e003c7370c899d20dea7dea8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	9/2/2021 11:32:59 AM 9/1/2022 11:32:59 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	D15B2B9631F8B37BA8D83A5AE528A8BB
Thumbprint SHA-1:	8740DF4ACB749640AD318E4BE842F72EC651AD80
Thumbprint SHA-256:	2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
Serial:	33000002528B33AAF895F339DB000000000252

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000001h
call dword ptr [005372F0h]
call 00007FF19D099750h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [005372F0h]
call 00007FF19D099730h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537328h]
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537318h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push esi
push ebx
sub esp, 10h
mov dword ptr [esp], 004F1000h
call 00007FF19D0C38A9h
sub esp, 04h
test eax, eax
je 00007FF19D099947h
mov dword ptr [esp], 004F1000h
mov ebx, eax
call 00007FF19D0C3850h
sub esp, 04h
mov dword ptr [00536A54h], eax
mov dword ptr [esp+04h], 004F1013h
mov dword ptr [esp], ebx
call 00007FF19D0C3870h
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 004F1029h
mov dword ptr [esp], ebx
call 00007FF19D0C385Bh
sub esp, 08h
mov dword ptr [004B7000h], eax
test esi, esi
je 00007FF19D0998A3h
mov dword ptr [eax+eax+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x137000	0xb98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x25a206	0x27c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x139004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x137230	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb5b5c	0xb5c00	False	0.379203114254	data	6.26139811273	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data	0xb7000	0x39ce8	0x39e00	False	0.75697725432	data	7.53280661319	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata	0xf1000	0xb1d8	0xb200	False	0.318929950843	data	5.61563738189	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4	0xfd000	0x38a80	0x38c00	False	0.180035965033	data	4.78722613482	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss	0x136000	0xb60	0x0	False	0	empty	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata	0x137000	0xb98	0xc00	False	0.4052734375	data	4.97230024056	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT	0x138000	0x18	0x200	False	0.046875	data	0.118369631259	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls	0x139000	0x20	0x200	False	0.05859375	data	0.22482003451	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/14	0x13a000	0xd8	0x200	False	0.189453125	data	1.05435750986	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/29	0x13b000	0x14e37	0x15000	False	0.38714890253	data	6.07122897105	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/41	0x150000	0x13b8	0x1400	False	0.25234375	data	4.72334895544	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/55	0x152000	0x1f23	0x2000	False	0.54150390625	data	6.21611847392	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/67	0x154000	0x38	0x200	False	0.1171875	TIM image, (3080,1028)	0.668238434502	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/80	0x155000	0x2ae	0x400	False	0.3525390625	data	3.87768624749	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/91	0x156000	0x829a	0x8400	False	0.315814393939	data	4.14712052349	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/102	0x15f000	0xcd8	0xe00	False	0.345145089286	data	3.1533400052	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReleaseSemaphore, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	_fdopen, _fstat, _lseek, _read, _strdup, _stricoll, _write
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _errno, _filbuf, _flsbuf, _fmode, _fpreset, _fullpath, _iob, _isctype, _onexit, _pctype, _setmode, abort, atexit, atoi, calloc, fclose, fflush, fopen, fputc, fputs, fread, free, fseek, ftell, fwrite, getenv, getwc, iswctype, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, putwc, realloc, setlocale, setvbuf, signal, sprintf, strchr, strcmp, strcoll, strerror, strftime, strlen, strtod, strtoul, strxfrm, tolower, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm
USER32.dll	MessageBoxW

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: hBB2KnTndI.exePID: 6464, Parent PID: 5220

General

Target ID:	0
Start time:	19:43:25
Start date:	29/05/2022
Path:	C:\Users\user\Desktop\hBB2KnTndI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hBB2KnTndI.exe"
Imagebase:	0x400000
File size:	2476494 bytes
MD5 hash:	B413FF6E943C415AFC26640FF535C724
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.262491711.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.264188526.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.264842182.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6480, Parent PID: 6464

General

Target ID:	1
Start time:	19:43:26
Start date:	29/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: AppLaunch.exePID: 6860, Parent PID: 6464

General

Target ID:	5
Start time:	19:43:36
Start date:	29/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0x360000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: orxds.exePID: 6924, Parent PID: 6860

General

Target ID:	7
Start time:	19:43:37
Start date:	29/05/2022
Path:	C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Imagebase:	0xdc0000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 2%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6944, Parent PID: 6464

General

Target ID:	8
Start time:	19:43:37
Start date:	29/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148
Imagebase:	0xc50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: hBB2KnTndI.exePID: 6464, Parent PID: 5220COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	7.9%
Signature Coverage:	22.4%
Total number of Nodes:	254
Total number of Limit Nodes:	30

Executed Functions

Function 00411C06 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 353
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00411C06(char _a4, char* _a8, signed int _a12, signed int _a24, signed int _a28, signed int _a32, signed int _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a64, char _a80, void* _a88, signed int _a92, signed int _a116) {
				void* _v16;
				char _v52;
				void _v68;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				void _v79;
				char _v80;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v121;
				signed int _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				void* _v148;
				signed int _v152;
				char _v160;
				char _v164;
				intOrPtr _v168;
				void* _v172;
				void* _v176;
				char _v184;
				void* _v188;
				void* _v192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t226;
				signed int _t227;
				signed int _t232;
				void* _t237;
				void* _t241;
				void* _t245;
				intOrPtr _t249;
				intOrPtr _t254;
				signed int _t260;
				signed int _t263;
				intOrPtr _t268;
				void* _t277;
				void* _t313;
				signed int _t314;
				signed int _t320;
				void* _t324;
				signed int _t326;
				signed int _t330;
				void* _t334;
				signed int _t338;
				void* _t342;
				signed int _t344;
				signed int _t347;
				void* _t349;
				void* _t358;
				void* _t365;
				signed int _t368;
				void* _t372;
				void* _t379;
				void* _t385;
				intOrPtr* _t387;
				intOrPtr* _t388;
				intOrPtr* _t392;
				void* _t397;
				void* _t399;
				void* _t400;
				void* _t401;
				void* _t402;
				char** _t403;
				char** _t404;
				char** _t405;

				_t402 = _t401 - 0x9c;
				_v96 = 0;
				_v116 = _a24;
				_v128 = _a36;
				_v152 = _a28;
				_v136 = _a44;
				_v132 = _a32;
				_v144 = _a92;
				_v140 = _a40;
				_v148 = _a88;
				_v120 = _a64 - 0x5c;
				while(1) {
					_t226 = _v96;
					if(_t226 >= _a12) {
						break;
					}
					if(_t226 <= 0x3c) {
						E004AC690("WHdxwVblbNfTGKiOlUygaMBQekTArfbRUCmhfExZtPGgYnJgWgdPirqBwkduLZziGoxdhACFcJxwPHBvTqJViuSIUV", _v120); // executed
					}
					if(_a4 == 0) {
						_t392 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
						while(1) {
							_t268 =  *((intOrPtr*)(_t392 + 0x18));
							_t379 =  *((intOrPtr*)(_t268 +  *((intOrPtr*)(_t268 + 0x3c)) + 0x78)) + _t268;
							if(_t268 == _t379) {
								goto L17;
							}
							L7:
							_t326 =  *(_t379 + 0x18);
							_t372 = _t326 - 1;
							_v112 = _t326 * 4 - 4;
							while(_t372 != 0xffffffff) {
								_v100 = 0xf124d613;
								_v104 =  *((intOrPtr*)(_t268 + _v112 +  *((intOrPtr*)(_t379 + 0x20)))) + _t268;
								while(1) {
									_v104 = _v104 + 1;
									_t330 =  *((intOrPtr*)(_v104 - 1));
									if(_t330 == 0) {
										break;
									}
									_v121 = _t330 - 0x41;
									_v108 = _t330;
									if(_v121 <= 0x19) {
										_v108 = _t330 | 0x00000020;
									}
									_t275 = _v100 ^ _v108;
									_v100 = (_v100 ^ _v108) * 0x1000193;
								}
								_v112 = _v112 - 4;
								_t334 = _t372 - 1;
								if(_v100 != 0x7264150e) {
									_t372 = _t334;
									continue;
								}
								_v160 = 0;
								_v164 = 0;
								_v168 = 0xb923;
								_v172 = 0;
								 *((intOrPtr*)(_t268 +  *((intOrPtr*)(_t268 + ( *(_t372 + _t372 + _t268 +  *((intOrPtr*)(_t379 + 0x24))) & 0x0000ffff) * 4 +  *((intOrPtr*)(_t379 + 0x1c))))))();
								_t402 = _t402 - 0x10;
								E004A6000(_t275, _t392, E004A8CB0(0x4f09a0, "dAtsTYDEuXFFALbBPGARvZXMKEqRQlmyrZozsZDLZtBSesEKlQySGhhKGBaykHvOuqUZnZxCtnbzOMynRCgITjCxbB"));
								goto L18;
							}
							L17:
							_t392 =  *_t392;
							_t268 =  *((intOrPtr*)(_t392 + 0x18));
							_t379 =  *((intOrPtr*)(_t268 +  *((intOrPtr*)(_t268 + 0x3c)) + 0x78)) + _t268;
							if(_t268 == _t379) {
								goto L17;
							}
							goto L7;
						}
					}
					L18:
					_v96 = _v96 + 1;
				}
				if(_a4 != 0) {
					_t227 = _v132;
					_t338 = _v128;
					asm("sbb ebx, edx");
					asm("cdq");
					_t232 = _v116;
					_t341 = (_t232 * _a12 >> 0x20) + _v116 * ((_t338 << 0x00000020 | _t227) << 2) + _v152 * _a12;
					asm("adc edx, ebx");
					_v172 = _t232 * _a12 + _v140 - (_t227 << 2);
					_v168 = (_t232 * _a12 >> 0x20) + _v116 * ((_t338 << 0x00000020 | _t227) << 2) + _v152 * _a12;
					_t277 =  &_v79;
					L00472AC0(0x4f09a0); // executed
					_push(_t379);
					_push(_t379);
					_t237 = memcpy( &_v68, 0x4f1d46, 4 << 2);
					_t403 = _t402 + 0xc;
					_v176 = _t237;
					_v168 = 0x2e;
					_v172 = 0x10;
					 *_t403 = "481035029895482919189744454404510355566990232";
					E00411B90((_t232 * _a12 >> 0x20) + _v116 * ((_t338 << 0x00000020 | _t227) << 2) + _v152 * _a12);
					_v80 = 0x7e;
					memset( &_v79, 0, 9 << 0);
					_t404 =  &(_t403[3]);
					_v79 = 0x15;
					_v78 = 0x1b;
					_t241 = 0;
					_v77 = 0xc;
					_v76 = 0x10;
					_v75 = 0x1b;
					_v74 = 0x12;
					_v73 = 0x4d;
					_v72 = 0x4c;
					do {
						 *(_t277 + _t241) =  *(_t277 + _t241) ^ 0x0000007e;
						_t241 = _t241 + 1;
					} while (_t241 != 8);
					_v172 = _t277;
					_t385 = _t277;
					_v71 = 0;
					L0040146E(_t277,  &_v52, _t341, _t385, 0x4f1d46);
					_t342 =  &_v79;
					_push(0x4f1d46);
					_v80 = 0x15;
					memset(_t385, 0, 5 << 0);
					_t405 =  &(_t404[3]);
					_v79 = 0x3b;
					_v78 = 0x71;
					_t245 = 0;
					_v77 = 0x79;
					_v76 = 0x79;
					do {
						 *(_t342 + _t245) =  *(_t342 + _t245) ^ 0x00000015;
						_t245 = _t245 + 1;
					} while (_t245 != 4);
					_v172 = _t342;
					_v75 = 0;
					E0049A850(_t277,  &_v52, 0x4f1d46);
					_push(_t277);
					_t387 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
					while(1) {
						_t249 =  *((intOrPtr*)(_t387 + 0x18));
						_t313 =  *((intOrPtr*)(_t249 +  *((intOrPtr*)(_t249 + 0x3c)) + 0x78)) + _t249;
						if(_t249 == _t313) {
							goto L37;
						}
						_t344 =  *(_t313 + 0x18);
						_t397 = _t344 - 1;
						_v108 = _t344 * 4 - 4;
						while(_t397 != 0xffffffff) {
							_v96 = 0x2fb93544;
							_v100 =  *((intOrPtr*)(_t249 + _v108 +  *((intOrPtr*)(_t313 + 0x20)))) + _t249;
							while(1) {
								_v100 = _v100 + 1;
								_t347 =  *((intOrPtr*)(_v100 - 1));
								if(_t347 == 0) {
									break;
								}
								_v112 = _t347 - 0x41;
								_v104 = _t347;
								if(_v112 <= 0x19) {
									_v104 = _t347 | 0x00000020;
								}
								_v96 = (_v96 ^ _v104) * 0x1000193;
							}
							_v108 = _v108 - 4;
							_t349 = _t397 - 1;
							if(_v96 != 0xa535b8d) {
								_t397 = _t349;
								continue;
							}
							_v172 = _v52;
							_v112 =  *((intOrPtr*)(_t249 +  *((intOrPtr*)(_t249 + ( *(_t397 + _t397 + _t249 +  *((intOrPtr*)(_t313 + 0x24))) & 0x0000ffff) * 4 +  *((intOrPtr*)(_t313 + 0x1c))))))();
							_push(_t313);
							_v80 = 0;
							_t388 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
							while(1) {
								_t254 =  *((intOrPtr*)(_t388 + 0x18));
								_t399 =  *((intOrPtr*)(_t254 +  *((intOrPtr*)(_t254 + 0x3c)) + 0x78)) + _t254;
								if(_t254 == _t399) {
									goto L38;
								}
								_t314 =  *(_t399 + 0x18);
								_t358 = _t314 - 1;
								_v108 = _t314 * 4 - 4;
								while(_t358 != 0xffffffff) {
									_v96 = 0x1ac81ebf;
									_t290 =  *((intOrPtr*)(_v108 + _t254 +  *((intOrPtr*)(_t399 + 0x20)))) + _t254;
									_v100 =  *((intOrPtr*)(_v108 + _t254 +  *((intOrPtr*)(_t399 + 0x20)))) + _t254;
									while(1) {
										_v100 = _v100 + 1;
										_t320 =  *((intOrPtr*)(_v100 - 1));
										if(_t320 == 0) {
											break;
										}
										_v116 = _t320 - 0x41;
										_v104 = _t320;
										if(_v116 <= 0x19) {
											_v104 = _t320 | 0x00000020;
										}
										_t290 = _v96 ^ _v104;
										_v96 = (_v96 ^ _v104) * 0x1000193;
									}
									_v108 = _v108 - 4;
									_t324 = _t358 - 1;
									if(_v96 != 0x58daf3eb) {
										_t358 = _t324;
										continue;
									}
									_t365 =  &_v68;
									_v176 = _v112;
									_v172 = _t365;
									 *0x536020 =  *((intOrPtr*)(_t254 +  *((intOrPtr*)(_t254 + ( *(_t358 + _t358 + _t254 +  *((intOrPtr*)(_t399 + 0x24))) & 0x0000ffff) * 4 +  *((intOrPtr*)(_t399 + 0x1c))))))();
									_v172 =  &_v80;
									_v176 = 0x40;
									_v184 = _a4;
									_t405[1] = _a8;
									VirtualProtect(_t365, _t365, ??, ??); // executed
									_t368 = _v144;
									 *((intOrPtr*)(_t405 - 0x10 + 4)) = 0;
									_v176 = _v148;
									_v172 = _t368;
									_v184 = _a80;
									_t260 = E0041C250();
									_v96 = _t368;
									_v100 = _t260 ^ _a116;
									E00497980(_t290,  &_v52, _a4, _t399, _t400);
									_t263 = _v100;
									goto L50;
								}
								L38:
								_t388 =  *_t388;
							}
						}
						L37:
						_t387 =  *_t387;
					}
				} else {
					E004A6000(_t275, _t392, E004A8CB0(0x4f09a0, "ngNqkCxrmWjitGGcQCOTdGQkkavXRgvVoCmMJWrtPacoLEYmaeIfxTNXHhKESVkqkjGjgOUYplRxfWdomQjnuOqAnl"));
					_t263 = 0;
				}
				L50:
				return _t263;
			}

0x00411c0c
0x00411c18
0x00411c1f
0x00411c25
0x00411c2b
0x00411c34
0x00411c3d
0x00411c43
0x00411c49
0x00411c52
0x00411c5e
0x00411c61
0x00411c61
0x00411c67
0x00000000
0x00000000
0x00411c70
0x00411c80
0x00411c80
0x00411c89
0x00411c98
0x00411c9b
0x00411c9b
0x00411ca5
0x00411ca9
0x00000000
0x00000000
0x00411caf
0x00411caf
0x00411cb9
0x00411cbc
0x00411cbf
0x00411ccb
0x00411cdc
0x00411cdf
0x00411cdf
0x00411ce5
0x00411cea
0x00000000
0x00000000
0x00411d03
0x00411d0d
0x00411d10
0x00411d18
0x00411d18
0x00411d1e
0x00411d27
0x00411d27
0x00411cec
0x00411cf7
0x00411cfa
0x00411cfc
0x00000000
0x00411cfc
0x00411d3e
0x00411d46
0x00411d4e
0x00411d56
0x00411d5d
0x00411d5f
0x00411d79
0x00000000
0x00411d79
0x00411d80
0x00411d80
0x00411c9b
0x00411ca5
0x00411ca9
0x00000000
0x00000000
0x00000000
0x00411ca9
0x00411c9b
0x00411d87
0x00411d87
0x00411d87
0x00411d93
0x00411dba
0x00411dbd
0x00411ddb
0x00411ddd
0x00411ded
0x00411df3
0x00411dfc
0x00411dfe
0x00411e06
0x00411e0a
0x00411e0d
0x00411e17
0x00411e18
0x00411e1f
0x00411e1f
0x00411e21
0x00411e25
0x00411e30
0x00411e38
0x00411e3f
0x00411e4b
0x00411e4f
0x00411e4f
0x00411e51
0x00411e55
0x00411e59
0x00411e5b
0x00411e5f
0x00411e63
0x00411e67
0x00411e6b
0x00411e6f
0x00411e73
0x00411e73
0x00411e77
0x00411e78
0x00411e80
0x00411e83
0x00411e85
0x00411e89
0x00411e95
0x00411e98
0x00411e99
0x00411e9d
0x00411e9d
0x00411e9f
0x00411ea3
0x00411ea7
0x00411ea9
0x00411ead
0x00411eb1
0x00411eb1
0x00411eb5
0x00411eb6
0x00411ebe
0x00411ec1
0x00411ec5
0x00411eca
0x00411ed4
0x00411ed7
0x00411ed7
0x00411ee1
0x00411ee5
0x00000000
0x00000000
0x00411eeb
0x00411ef5
0x00411ef8
0x00411efb
0x00411f07
0x00411f18
0x00411f1b
0x00411f1b
0x00411f21
0x00411f26
0x00000000
0x00000000
0x00411f3f
0x00411f49
0x00411f4c
0x00411f54
0x00411f54
0x00411f63
0x00411f63
0x00411f28
0x00411f33
0x00411f36
0x00411f38
0x00000000
0x00411f38
0x00411f7e
0x00411f83
0x00411f86
0x00411f87
0x00411f97
0x00411fa5
0x00411fa5
0x00411faf
0x00411fb3
0x00000000
0x00000000
0x00411fb5
0x00411fb8
0x00411fc2
0x00411fc5
0x00411fcd
0x00411fdb
0x00411fdd
0x00411fe0
0x00411fe0
0x00411fe6
0x00411feb
0x00000000
0x00000000
0x00412004
0x0041200e
0x00412011
0x00412019
0x00412019
0x0041201f
0x00412028
0x00412028
0x00411fed
0x00411ff8
0x00411ffb
0x00411ffd
0x00000000
0x00411ffd
0x00412042
0x00412045
0x00412048
0x00412056
0x0041205b
0x00412062
0x0041206a
0x0041206d
0x00412071
0x0041207c
0x00412082
0x0041208a
0x00412091
0x00412095
0x00412098
0x004120a3
0x004120a6
0x004120a9
0x004120b1
0x00000000
0x004120b1
0x00411fa3
0x00411fa3
0x00411fa3
0x00411fa5
0x00411f9c
0x00411f9c
0x00411f9c
0x00411d95
0x00411dac
0x00411db1
0x00411db3
0x004120b4
0x004120bb

APIs

VirtualProtect.KERNELBASE ref: 00412071

Strings

;, xrefs: 00411E9F
~, xrefs: 00411E4B
y, xrefs: 00411EA9
., xrefs: 00411E25
@, xrefs: 00412062
q, xrefs: 00411EA3
y, xrefs: 00411EAD
ngNqkCxrmWjitGGcQCOTdGQkkavXRgvVoCmMJWrtPacoLEYmaeIfxTNXHhKESVkqkjGjgOUYplRxfWdomQjnuOqAnl, xrefs: 00411D95
481035029895482919189744454404510355566990232, xrefs: 00411E38
WHdxwVblbNfTGKiOlUygaMBQekTArfbRUCmhfExZtPGgYnJgWgdPirqBwkduLZziGoxdhACFcJxwPHBvTqJViuSIUV, xrefs: 00411C75
M, xrefs: 00411E6B
dAtsTYDEuXFFALbBPGARvZXMKEqRQlmyrZozsZDLZtBSesEKlQySGhhKGBaykHvOuqUZnZxCtnbzOMynRCgITjCxbB, xrefs: 00411D62
L, xrefs: 00411E6F

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: .$481035029895482919189744454404510355566990232$;$@$L$M$WHdxwVblbNfTGKiOlUygaMBQekTArfbRUCmhfExZtPGgYnJgWgdPirqBwkduLZziGoxdhACFcJxwPHBvTqJViuSIUV$dAtsTYDEuXFFALbBPGARvZXMKEqRQlmyrZozsZDLZtBSesEKlQySGhhKGBaykHvOuqUZnZxCtnbzOMynRCgITjCxbB$ngNqkCxrmWjitGGcQCOTdGQkkavXRgvVoCmMJWrtPacoLEYmaeIfxTNXHhKESVkqkjGjgOUYplRxfWdomQjnuOqAnl$q$y$y$~
API String ID: 544645111-2225272719
Opcode ID: 7353639ac445e588ca468dd27df4b9542e9b8164f82b0625ce9cd195f4d2bf38
Instruction ID: c1ddfac882092ca28d0c1fef0d605da383e04a441de3e6fa946777a2f5e50792
Opcode Fuzzy Hash: 7353639ac445e588ca468dd27df4b9542e9b8164f82b0625ce9cd195f4d2bf38
Instruction Fuzzy Hash: 7BF15570D04358CFDB10CFA8C484AAEBBF1BF89318F14855AD958AB351D778A986CF85

Uniqueness

Uniqueness Score: -1.00%

Function 004EEC21 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 467
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 004EEF02
GetThreadContext.KERNELBASE(?,00010007), ref: 004EEF17
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 004EEF38
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 004EEF6A
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004EEF8A
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 004EF0BD
VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 004EF0DA
VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 004EF144
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004EF166
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 004EF181
SetThreadContext.KERNELBASE(?,00010007), ref: 004EF19E
ResumeThread.KERNELBASE(?), ref: 004EF1AB

Strings

D, xrefs: 004EEE5A

Memory Dump Source

Source File: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
String ID: D
API String ID: 12256240-2746444292
Opcode ID: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction ID: f14853d1daf5c290361174a733dbf435bb876527ff68e3612e8f80380057f519
Opcode Fuzzy Hash: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction Fuzzy Hash: 28121671E00259EBDB21CFA5CD84BEEBBB5FF04705F1480AAE509E6250E7759A84CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0040134F
LoadLibraryA.KERNEL32 ref: 00401368
GetProcAddress.KERNEL32 ref: 00401380
GetProcAddress.KERNEL32 ref: 00401395
GetModuleHandleA.KERNEL32 ref: 004013C7
GetProcAddress.KERNEL32 ref: 004013E3
atexit.MSVCRT ref: 00401401

Strings

libgcj-16.dll, xrefs: 004013C0
__register_frame_info, xrefs: 00401375
_Jv_RegisterClasses, xrefs: 004013D8
libgcc_s_dw2-1.dll, xrefs: 00401348, 0040135F
__deregister_frame_info, xrefs: 0040138A

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoadatexit
String ID: _Jv_RegisterClasses$__deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll$libgcj-16.dll
API String ID: 2016387483-548026336
Opcode ID: a49af0327885dfaf37addc9f7394b8ef8a82b361c6fba9dbd006f98827e9bd4c
Instruction ID: 944ebc1ab6a9b7fb65a9cabfc219c15400e170629bf40ec202d1239acc89c01f
Opcode Fuzzy Hash: a49af0327885dfaf37addc9f7394b8ef8a82b361c6fba9dbd006f98827e9bd4c
Instruction Fuzzy Hash: 13111FB19043588AD310BF79A54512E7AE4EB80348F41853FDD8457A65EB7CD448C79F

Uniqueness

Uniqueness Score: -1.00%

Function 00424F00 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32 ref: 00424F15
_errno.MSVCRT ref: 00424F7E
GetLastError.KERNEL32 ref: 00424F85
_errno.MSVCRT ref: 00424F91
_errno.MSVCRT ref: 00424F9E
_errno.MSVCRT ref: 00424FA8

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _errno$ErrorFileFindFirstLast
String ID:
API String ID: 2068755524-0
Opcode ID: df9ab3b089e42e85b99c3837e230caf84befe69d2a0c8e19520527bea3019630
Instruction ID: 5c54a7aa9ecc6ec69266cd62e650226d9670c2886410b73ad55dfc5529630234
Opcode Fuzzy Hash: df9ab3b089e42e85b99c3837e230caf84befe69d2a0c8e19520527bea3019630
Instruction Fuzzy Hash: 2411D570704361CADB10AF65F9812A9B790DFC2314F95469BE4608F346D37C8845C3BA

Uniqueness

Uniqueness Score: -1.00%

Function 004011A5 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E004011A5(void* __ebx) {
				char _v20;
				intOrPtr _v24;
				void* _v28;
				char _v44;
				char _v48;
				char* _v72;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr* _t18;
				intOrPtr _t21;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t30;
				signed int _t32;
				char* _t34;
				void* _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t45;
				void* _t48;
				void* _t49;
				signed int _t50;
				signed int _t51;
				void* _t58;

				_t40 = __ebx;
				_push(__ebx);
				_t49 = _t48 - 0x14;
				_t18 =  *0x4f5500; // 0x41bc40
				if(_t18 != 0) {
					_v20 = 0;
					_v24 = 2;
					_v28 = 0;
					 *_t18();
					_t49 = _t49 - 0xc;
				}
				_v28 = E00401000; // executed
				SetUnhandledExceptionFilter(??); // executed
				_t50 = _t49 - 4;
				E0041BA40(_t42);
				_t21 =  *0x4ef224; // 0xfffffffd
				 *_t50 = _t21;
				E00420650(); // executed
				E0041B6A0(); // executed
				_t24 =  *0x536028;
				if(_t24 != 0) {
					_t40 = __imp___iob;
					 *0x4ef228 = _t24;
					_v28 = _t24;
					 *_t50 =  *((intOrPtr*)(_t40 + 0x10));
					L004121C0();
					_v28 =  *0x536028;
					 *_t50 =  *((intOrPtr*)(_t40 + 0x30));
					L004121C0();
					_v28 =  *0x536028;
					_t24 =  *((intOrPtr*)(_t40 + 0x50));
					 *_t50 = _t24;
					L004121C0();
				}
				L004121D0();
				_t43 =  *0x4ef228; // 0x4000
				 *_t24 = _t43;
				E0041C050(_t40, _t44, _t45);
				_t51 = _t50 & 0xfffffff0;
				_t26 = E0041BBD0();
				L004121D8();
				_v24 =  *_t26;
				_v28 =  *0x536000;
				 *_t51 =  *0x536004; // executed
				_t30 = L004AC6AC(_t51, _t58); // executed
				L004121C8();
				 *_t51 = _t30;
				ExitProcess(??);
				_v84 = 0x536000;
				 *((intOrPtr*)(_t51 - 0x3c)) = 0x536004;
				_v44 = 0;
				_v72 =  &_v44;
				_t32 =  *0x4ef220; // 0x2
				_v76 = _t32 & 0x00000001;
				_t34 =  &_v48;
				_v80 = _t34;
				L004121E0();
				return _t34;
			}

0x004011a5
0x004011b3
0x004011b4
0x004011b7
0x004011be
0x004011c0
0x004011c8
0x004011d0
0x004011d7
0x004011d9
0x004011d9
0x004011dc
0x004011e3
0x004011e8
0x004011eb
0x004011f0
0x004011f5
0x004011f8
0x004011fd
0x00401202
0x00401209
0x0040120b
0x00401211
0x00401216
0x0040121d
0x00401220
0x0040122a
0x00401231
0x00401234
0x0040123e
0x00401242
0x00401245
0x00401248
0x00401248
0x0040124d
0x00401252
0x00401258
0x0040125a
0x0040125f
0x00401262
0x00401267
0x0040126e
0x00401277
0x00401280
0x00401283
0x0040128a
0x0040128f
0x00401292
0x004012a7
0x004012af
0x004012b6
0x004012be
0x004012c2
0x004012ca
0x004012ce
0x004012d2
0x004012d6
0x004012de

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
_setmode.MSVCRT ref: 00401220
_setmode.MSVCRT ref: 00401234
_setmode.MSVCRT ref: 00401248
__p__fmode.MSVCRT ref: 0040124D
__p__environ.MSVCRT ref: 00401267
_cexit.MSVCRT ref: 0040128A
ExitProcess.KERNEL32 ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
String ID:
API String ID: 3476844589-0
Opcode ID: 00ce2c2cb12d3d451cd5806ac6a92fdc0dbc261bd3cad2dd99e5ec2d359d762e
Instruction ID: 6e3a6e12f3a6c162d6cb87ca4d91f315a6727c89c3acc64a2b341cc734ff6212
Opcode Fuzzy Hash: 00ce2c2cb12d3d451cd5806ac6a92fdc0dbc261bd3cad2dd99e5ec2d359d762e
Instruction Fuzzy Hash: 2B213EB45047049FC700FF75D9856597BE0FF58314F01482EE984DB312D778E8989B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00424120 Relevance: 40.9, APIs: 22, Strings: 1, Instructions: 645
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00424120(signed int __eax, intOrPtr* __ecx, signed int __edx, intOrPtr _a4) {
				void* _v16;
				void _v32;
				signed int* _v36;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				int _v68;
				signed int* _v72;
				void* _v76;
				int _v80;
				signed int* _v84;
				intOrPtr _v88;
				signed int* _v92;
				signed int _v96;
				signed int _v97;
				char _v112;
				int _v116;
				int _v120;
				signed int* _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t229;
				signed int _t231;
				signed int _t239;
				signed int _t241;
				void* _t249;
				signed int _t250;
				signed int _t252;
				signed char* _t255;
				signed int _t256;
				signed int _t257;
				signed int* _t260;
				signed int _t261;
				int* _t263;
				signed int _t267;
				signed int* _t272;
				void* _t278;
				signed int _t294;
				signed int _t304;
				signed int _t308;
				void* _t311;
				int _t313;
				signed int _t324;
				signed int _t330;
				signed int _t336;
				signed int* _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t341;
				int _t342;
				signed int* _t343;
				void** _t346;
				signed int _t349;
				signed char* _t350;
				signed int _t352;
				signed int _t353;
				intOrPtr _t354;
				signed int _t355;
				int _t357;
				char* _t358;
				void* _t361;
				char* _t363;
				signed int* _t367;
				signed int* _t369;
				signed char* _t372;
				signed char* _t374;
				signed int _t377;
				signed int _t380;
				void* _t382;
				signed int _t384;
				signed char* _t386;
				intOrPtr _t388;
				signed int* _t393;
				signed int _t394;
				char* _t396;
				signed int _t399;
				intOrPtr* _t400;
				signed int* _t401;
				signed int* _t402;
				signed int _t403;
				signed int _t405;
				signed int _t406;
				signed int _t408;
				signed int* _t409;
				signed int _t410;
				signed int* _t411;
				signed int _t412;
				void* _t413;
				signed int* _t414;
				signed int _t415;
				intOrPtr _t416;
				signed int _t417;
				signed int* _t419;
				void* _t420;
				signed int* _t421;
				intOrPtr* _t422;
				signed int* _t425;
				intOrPtr* _t427;
				signed int* _t429;
				intOrPtr* _t430;
				signed int* _t431;
				intOrPtr* _t432;
				void* _t439;

				_t336 = __eax;
				_t421 = _t420 - 0x6c;
				_v52 = __edx;
				_v64 = __ecx;
				if((__edx & 0x00000004) != 0) {
					_v68 = _t421;
					 *_t421 = __eax;
					_t422 = _t421 - E0041C220(strlen(??) + 0x10 >> 4 << 4);
					_t405 = _t336;
					_t220 =  &_v112;
					_t393 = _t220;
					_v60 = _t220;
					_t221 =  *_t336 & 0x000000ff;
					L53:
					while(1) {
						if(_t221 == 0x7f) {
							L58:
							_t222 =  *(_t405 + 1) & 0x000000ff;
							 *_t393 = 0x7f;
							if(_t222 != 0) {
								_t393[0] = _t222;
								_t405 = _t405 + 2;
								_t221 =  *_t405 & 0x000000ff;
								_t393 =  &(_t393[0]);
								continue;
							}
							_t393 =  &(_t393[0]);
							_t405 = _t405 + 1;
							L55:
							_t369 =  &(_t393[0]);
							_t95 = _t405 + 1; // -1
							_t353 = _t95;
							 *_t393 = _t222;
							if(_t222 == 0 || _t222 == 0x7b) {
								if(_t222 == 0x7b) {
									_v56 = _t369;
									_t394 = _t353;
									do {
										L61:
										_t367 = _v56;
										_t349 = 1;
										while(1) {
											_t223 =  *(_t394 + 1) & 0x000000ff;
											if(_t223 == 0x7f) {
												goto L69;
											}
											L63:
											_t394 = _t394 + 1;
											L64:
											if(_t223 == 0x7d || _t223 == 0x2c && _t349 == 1) {
												_t349 = _t349 - 1;
												if(_t349 == 0) {
													if(_t223 != 0x2c) {
														_t225 = _t394;
														goto L90;
													}
													goto L80;
												}
												 *_t367 = _t223;
												_t223 =  *(_t394 + 1) & 0x000000ff;
												_t367 =  &(_t367[0]);
												if(_t223 != 0x7f) {
													goto L63;
												}
											} else {
												if(_t223 == 0x7b) {
													_t349 = _t349 + 1;
													_t338 = 1;
													_v48 = 1;
												} else {
													_v48 = _t223 != 0;
													_t338 = _v48 & 0x000000ff;
												}
												_t409 =  &(_t367[0]);
												 *_t367 = _t223;
												if(_t338 == 0) {
													if(_v48 == 0) {
														L71:
														_v56 = 1;
														L99:
														L51:
														return _v56;
													}
													_t367 = _t409;
													if(_t223 != 0x2c) {
														L98:
														 *_t367 = 0;
														_v56 = 1;
														goto L99;
													}
													L80:
													_t231 = _t394;
													_t408 = 1;
													goto L81;
													do {
														do {
															while(1) {
																L81:
																_t339 =  *(_t231 + 1) & 0x000000ff;
																_t114 = _t231 + 1; // -3
																_t352 = _t114;
																if(_t339 != 0x7f) {
																	goto L108;
																}
																L82:
																if( *((char*)(_t231 + 2)) != 0) {
																	while(1) {
																		_t339 =  *(_t352 + 2) & 0x000000ff;
																		_t118 = _t352 + 2; // 0x1
																		_t231 = _t118;
																		if(_t339 != 0x7f) {
																			break;
																		}
																		if( *(_t231 + 1) == 0) {
																			goto L98;
																		}
																		_t352 = _t231;
																	}
																	L87:
																	if(_t339 == 0x7b) {
																		_t408 = _t408 + 1;
																		L81:
																		_t339 =  *(_t231 + 1) & 0x000000ff;
																		_t114 = _t231 + 1; // -3
																		_t352 = _t114;
																		if(_t339 != 0x7f) {
																			goto L108;
																		}
																		goto L82;
																	}
																	if(_t339 != 0x7d) {
																		break;
																	}
																	goto L89;
																}
																goto L98;
																L108:
																_t231 = _t352;
																goto L87;
															}
														} while (_t339 != 0);
														goto L98;
														L89:
														_t408 = _t408 - 1;
													} while (_t408 != 0);
													L90:
													_t119 = _t225 + 1; // 0x2
													_t350 = _t119;
													_t226 =  *(_t225 + 1) & 0x000000ff;
													while(1) {
														_t367 =  &(_t367[0]);
														_t350 =  &(_t350[1]);
														 *(_t367 - 1) = _t226;
														if(_t226 == 0) {
															break;
														}
														_t226 =  *_t350 & 0x000000ff;
													}
													 *_t422 = _a4;
													_t406 = _v52;
													_t229 = E00424120(_v60, _v64, _t406);
													_v52 = _t406 | 0x00000001;
													if(_t229 == 1) {
														goto L71;
													}
													break;
												} else {
													_t367 = _t409;
													_t223 =  *(_t394 + 1) & 0x000000ff;
													if(_t223 == 0x7f) {
														goto L69;
													}
													goto L63;
												}
											}
											L69:
											_t224 =  *(_t394 + 2) & 0x000000ff;
											 *_t367 = 0x7f;
											_t337 =  &(_t367[0]);
											_t367[0] = _t224;
											if(_t224 != 0) {
												_t223 =  *(_t394 + 3) & 0x000000ff;
												_t367 = _t337;
												_t394 = _t394 + 3;
												goto L64;
											}
											_t367[0] = 0;
											goto L71;
										}
									} while ( *_t394 == 0x2c);
									_v56 = _t229;
									goto L99;
								}
								_t421 = _v68;
								goto L1;
							} else {
								_t222 =  *(_t405 + 1) & 0x000000ff;
								_t393 = _t369;
								_t405 = _t353;
								if(_t222 != 0x7f) {
									goto L54;
								}
								goto L58;
							}
						}
						L54:
						if(_t222 == 0x7b) {
							_v56 = _t393;
							_t394 = _t405;
							goto L61;
						}
						goto L55;
					}
				}
				L1:
				_v92 = _t421;
				 *_t421 = _t336;
				_t4 = strlen(??) + 1; // 0x1
				_t425 = _t421 - E0041C220(_t232 + 0x10 >> 4 << 4);
				_v116 = _t4;
				_v120 = _t336;
				 *_t425 =  &_v112;
				 *_t425 = memcpy(??, ??, ??); // executed
				_t239 = E00424B00(_t238); // executed
				_v48 = _t239;
				_t410 = _t239;
				_v32 = 0;
				_t241 = E00423B20( &_v44);
				_v56 = _t241;
				if(_t241 != 0) {
					L50:
					goto L51;
				}
				_t395 = _v52;
				if(E00423A80(_t410, _v52) == 0) {
					_t411 = _t425;
					 *_t425 = _v48;
					_t249 = E0041C220(strlen(??) + 0x10 >> 4 << 4);
					_t372 = _v48;
					_t427 = _t425 - _t249;
					_t396 =  &_v112;
					_t354 = _t396;
					do {
						_t250 =  *_t372 & 0x000000ff;
						if(_t250 == 0x7f) {
							_t250 = _t372[1] & 0x000000ff;
							_t372 =  &(_t372[1]);
						}
						_t354 = _t354 + 1;
						_t372 =  &(_t372[1]);
						 *(_t354 - 1) = _t250;
					} while (_t250 != 0);
					 *_t427 = _t396;
					L0042B408();
					_t425 = _t411;
					if(_t250 == 0) {
						_v56 = 1;
						goto L50;
					}
					_v56 = E00424070(_t250,  &_v44);
					goto L4;
				} else {
					 *_t425 =  &_v44;
					_v56 = E00424120(_t410, _v64, _t395 | 0x00000080);
					L4:
					_t355 = _v56;
					if(_t355 != 0) {
						goto L50;
					}
					_t252 =  *(_t336 + 1) & 0x000000ff;
					if(_t252 == 0x2f) {
						L8:
						 *_t425 = _v48;
						_t255 = strlen(??) + _t336;
						if(_t336 >= _t255) {
							_t336 =  *_t255 & 0x000000ff;
							_v60 = _t255;
							_v97 = _t336;
							L16:
							_t256 = _v97 & 0x000000ff;
							if(_t256 == 0x2f || _t256 == 0x5c) {
								_t374 = _v60;
								_t412 = _v97 & 0x000000ff;
								while(1) {
									_t374 =  &(_t374[1]);
									_t257 =  *_t374 & 0x000000ff;
									_t355 = _t355 & 0xffffff00 | _t257 == 0x0000005c;
									_t336 = _t336 & 0xffffff00 | _t257 == 0x0000002f | _t355;
									if(_t336 == 0) {
										break;
									}
									_t412 = _t257;
								}
								_v60 = _t374;
								_v97 = _t412;
								_v96 = _v48;
								goto L22;
							} else {
								_v97 = 0x5c;
								_v96 = _v48;
								L22:
								_t260 = _v36;
								_v56 = 2;
								_v72 = _t260;
								_t261 =  *_t260;
								_v48 = _v52 & 0x00008000;
								if(_t261 == 0) {
									L124:
									 *_t425 = _v72;
									free(??);
									goto L51;
								} else {
									goto L23;
								}
								while(1) {
									L23:
									 *_t425 = _t261;
									_t263 = E00425080();
									_t399 = _t263;
									if(_t263 == 0) {
										goto L118;
									}
									if(_v96 == 0) {
										_v68 = 0;
									} else {
										 *_t425 =  *_v72;
										_v68 = strlen(??);
									}
									_v76 = 0;
									_v88 = _v68 + 2;
									while(1) {
										L27:
										 *_t425 = _t399;
										_t278 = E00425240();
										_t413 = _t278;
										if(_t278 == 0) {
											break;
										}
										if(_v48 == 0 ||  *((intOrPtr*)(_t413 + 8)) == 0x10) {
											_t50 = _t413 + 0xc; // 0xc
											_t342 = _t50;
											if(E00423E50(_v60, _v52, _t342) != 0) {
												continue;
											}
											_t377 =  *(_t413 + 6) & 0x0000ffff;
											_v84 = _t425;
											_t429 = _t425 - E0041C220(_t377 + _v88 + 0xf >> 4 << 4);
											_v80 = 0;
											_t415 =  &_v112;
											if(_v68 != 0) {
												_v80 = _t377;
												 *_t429 = _t415;
												_v116 = _v68;
												_v120 =  *_v72;
												memcpy(??, ??, ??);
												_t357 = _v68;
												_t377 = _v80;
												_t294 =  *(_t429 + _t357 + 0xb) & 0x000000ff;
												if(_t294 == 0x2f || _t294 == 0x5c) {
													_v80 = _v68;
												} else {
													_v80 = _t357 + 1;
													 *((char*)(_t415 + _t357)) = _v97 & 0x000000ff;
												}
											}
											_v120 = _t342;
											_v116 = _t377 + 1;
											_t343 = _t429;
											 *_t429 = _v80 + _t415;
											memcpy(??, ??, ??);
											 *_t429 = _t415;
											_t430 = _t429 - E0041C220(strlen(??) + 0x10 >> 4 << 4);
											_t304 = _t415;
											_t358 =  &_v112;
											_t416 = _t358;
											while(1) {
												L34:
												_t380 =  *_t304 & 0x000000ff;
												if(_t380 == 0x7f) {
													break;
												}
												_t416 = _t416 + 1;
												_t304 = _t304 + 1;
												 *(_t416 - 1) = _t380;
												if(_t380 == 0) {
													L36:
													 *_t430 = _t358;
													L0042B408();
													_t417 = _t304;
													_t431 = _t343;
													if(_t304 == 0) {
														_v56 = 3;
														L117:
														_t425 = _v84;
														goto L27;
													}
													_t308 = _v52;
													_v56 = _v56 & ((_t304 & 0xffffff00 | _v56 == 0x00000002) & 0x000000ff) - 0x00000001;
													if((_t308 & 0x00000040) != 0) {
														if(_a4 != 0) {
															E00424070(_t417, _a4);
														}
														goto L117;
													}
													_t346 = _v76;
													if(_t346 == 0) {
														 *_t431 = 0xc;
														_t311 = malloc(??);
														if(_t311 == 0) {
															goto L117;
														}
														 *(_t311 + 8) = _t417;
														 *(_t311 + 4) = 0;
														 *_t311 = 0;
														L133:
														_v76 = _t311;
														goto L117;
													}
													_v80 = _t399;
													_t403 = _t308 & 0x00004000;
													while(1) {
														_t313 = _t346[2];
														 *_t431 = _t417;
														_v120 = _t313;
														if(_t403 != 0) {
															goto L40;
														}
														L44:
														L0042B400();
														_t382 =  *_t346;
														_t361 = _t346[1];
														if(_t313 > 0) {
															L41:
															if(_t361 == 0) {
																L46:
																_t399 = _v80;
																_v80 = _t313;
																 *_t431 = 0xc;
																_t311 = malloc(??);
																if(_t311 == 0) {
																	goto L117;
																}
																 *(_t311 + 8) = _t417;
																 *(_t311 + 4) = 0;
																 *_t311 = 0;
																if(_v80 <= 0) {
																	 *_t346 = _t311;
																	if(_v76 != 0) {
																		goto L117;
																	}
																	goto L133;
																}
																_t346[1] = _t311;
																goto L117;
															}
															L42:
															_t346 = _t361;
															_t313 = _t346[2];
															 *_t431 = _t417;
															_v120 = _t313;
															if(_t403 != 0) {
																goto L40;
															}
															goto L44;
														}
														L45:
														_t361 = _t382;
														if(_t361 != 0) {
															goto L42;
														}
														goto L46;
														L40:
														_t313 = strcoll();
														_t382 =  *_t346;
														if(_t313 <= 0) {
															goto L45;
														}
														goto L41;
													}
												}
											}
											_t384 =  *(_t304 + 1) & 0x000000ff;
											_t416 = _t416 + 1;
											_t304 = _t304 + 2;
											 *(_t416 - 1) = _t384;
											if(_t384 != 0) {
												goto L34;
											}
											goto L36;
										} else {
											continue;
										}
									}
									 *_t425 = _t399;
									E00425290();
									if(_v76 != 0) {
										E004240D0(_v76, _a4);
									}
									L113:
									_t401 = _v72;
									_t341 = _t401 + 4;
									 *_t425 =  *(_t341 - 4);
									free(??);
									_t261 =  *(_t401 + 4);
									if(_t261 == 0) {
										L134:
										_v72 = _v36;
										goto L124;
									}
									if(_v56 == 1) {
										L121:
										_t267 = _v72[1];
										do {
											_t341 =  &(_t341[1]);
											 *_t425 = _t267;
											free(??);
											_t267 =  *_t341;
										} while (_t267 != 0);
										L123:
										_v56 = 1;
										_v72 = _v36;
										goto L124;
									}
									_v72 = _t341;
									continue;
									L118:
									if((_v52 & 0x00000004) == 0) {
										_t400 = _v64;
										if(_t400 == 0) {
											goto L113;
										}
										L0042B2A8();
										_v120 =  *_t263;
										_t414 = _v72;
										 *_t425 =  *_t414;
										if( *_t400() == 0) {
											goto L113;
										}
										_t272 = _t414;
										_t341 =  &(_t414[1]);
										_t402 = _t414;
										L120:
										 *_t425 =  *_t272;
										free(??);
										if(_t402[1] == 0) {
											goto L123;
										}
										goto L121;
									}
									_t402 = _v72;
									_t341 =  &(_t402[1]);
									_t272 = _t402;
									goto L120;
								}
							}
						}
						_t355 =  *_t255 & 0x000000ff;
						_v97 = _t355;
						if(_t355 == 0x2f || _t355 == 0x5c) {
							_v60 = _t255;
						} else {
							while(1) {
								_t22 = _t255 - 1; // -2
								_t386 = _t22;
								if(_t336 == _t386) {
									break;
								}
								_t355 =  *(_t255 - 1) & 0x000000ff;
								_t255 = _t386;
								if(_t355 == 0x2f || _t355 == 0x5c) {
									_v60 = _t386;
									_v97 = _t355;
									goto L16;
								} else {
									continue;
								}
							}
							_v60 = _t386;
							_v97 =  *(_t255 - 1) & 0x000000ff;
						}
						goto L16;
					}
					_t439 = _t252 - 0x5c;
					if(_t439 == 0) {
						goto L8;
					}
					_t355 = 2;
					asm("repe cmpsb");
					if(_t439 == 0) {
						if((_v52 & 0x00000010) != 0) {
							_t324 = E00423A80(_t336, _v52);
							_v56 = _t324;
							if(_t324 != 0) {
								goto L110;
							}
							 *_t425 = _t336;
							_t419 = _t425;
							_t432 = _t425 - E0041C220(strlen(??) + 0x10 >> 4 << 4);
							_t363 =  &_v112;
							_t388 = _t363;
							do {
								_t330 =  *_t336 & 0x000000ff;
								if(_t330 == 0x7f) {
									_t330 =  *(_t336 + 1) & 0x000000ff;
									_t336 = _t336 + 1;
								}
								_t388 = _t388 + 1;
								_t336 = _t336 + 1;
								 *(_t388 - 1) = _t330;
							} while (_t330 != 0);
							 *_t432 = _t363;
							L0042B408();
							_t425 = _t419;
							if(_t330 == 0 || _a4 == 0) {
								goto L134;
							} else {
								E00424070(_t330, _a4);
								_v72 = _v36;
								goto L124;
							}
						}
						L110:
						_v60 = _t336;
						_v97 = 0x5c;
						_v96 = 0;
						goto L22;
					}
					goto L8;
				}
			}

0x00424126
0x00424128
0x0042412b
0x00424131
0x00424134
0x00424490
0x00424493
0x004244a9
0x004244ab
0x004244ad
0x004244b1
0x004244b3
0x004244b6
0x00000000
0x004244b9
0x004244bb
0x004244e5
0x004244e5
0x004244e9
0x004244ee
0x004245a0
0x004245a3
0x004245a6
0x004245a9
0x00000000
0x004245a9
0x004244f4
0x004244f7
0x004244c1
0x004244c3
0x004244c6
0x004244c6
0x004244c9
0x004244cb
0x0042498f
0x00424999
0x0042499c
0x00424505
0x00424505
0x00424505
0x00424508
0x0042450d
0x0042450d
0x00424513
0x00000000
0x00000000
0x00424515
0x00424515
0x00424518
0x0042451a
0x00424525
0x00424528
0x004245b3
0x0042467a
0x00000000
0x0042467a
0x00000000
0x004245b3
0x0042452e
0x00424530
0x00424534
0x00424539
0x00000000
0x00000000
0x00424560
0x00424562
0x00424590
0x00424593
0x00424598
0x00424564
0x00424566
0x0042456a
0x0042456a
0x00424570
0x00424573
0x00424575
0x00424978
0x00424550
0x00424550
0x0042466a
0x00424483
0x0042448d
0x0042448d
0x00424980
0x00424982
0x00424660
0x00424660
0x00424663
0x00000000
0x00424663
0x004245b9
0x004245b9
0x004245bb
0x004245bb
0x004245c0
0x004245c0
0x004245c0
0x004245c0
0x004245c0
0x004245c4
0x004245c4
0x004245ca
0x00000000
0x00000000
0x004245d0
0x004245d4
0x004245e8
0x004245e8
0x004245ec
0x004245ec
0x004245f2
0x00000000
0x00000000
0x004245e4
0x00000000
0x00000000
0x004245e6
0x004245e6
0x004245f4
0x004245f7
0x00424672
0x004245c0
0x004245c0
0x004245c4
0x004245c4
0x004245ca
0x00000000
0x00000000
0x00000000
0x004245ca
0x004245fc
0x00000000
0x00000000
0x00000000
0x004245fc
0x00000000
0x004246ef
0x004246ef
0x00000000
0x004246ef
0x00424653
0x00000000
0x004245fe
0x004245fe
0x004245fe
0x00424603
0x00424603
0x00424603
0x00424606
0x00424613
0x00424613
0x00424616
0x0042461b
0x0042461e
0x00000000
0x00000000
0x00424610
0x00424610
0x00424623
0x00424626
0x00424634
0x0042463c
0x0042463f
0x00000000
0x00000000
0x00000000
0x0042457b
0x0042457b
0x0042450d
0x00424513
0x00000000
0x00000000
0x00000000
0x00424513
0x00424575
0x0042453b
0x0042453b
0x0042453f
0x00424542
0x00424547
0x0042454a
0x00424580
0x00424584
0x00424586
0x00000000
0x00424586
0x0042454c
0x00000000
0x0042454c
0x00424645
0x0042464e
0x00000000
0x0042464e
0x00424991
0x00000000
0x004244d9
0x004244d9
0x004244dd
0x004244df
0x004244e3
0x00000000
0x00000000
0x00000000
0x004244e3
0x004244cb
0x004244bd
0x004244bf
0x00424500
0x00424503
0x00000000
0x00424503
0x00000000
0x004244bf
0x004244b9
0x0042413a
0x0042413a
0x0042413d
0x00424145
0x00424156
0x0042415c
0x00424160
0x00424164
0x0042416c
0x0042416f
0x00424174
0x00424177
0x0042417c
0x00424183
0x0042418a
0x0042418d
0x00424480
0x00000000
0x00424480
0x00424193
0x004241a1
0x00424681
0x00424683
0x00424694
0x00424699
0x0042469c
0x0042469e
0x004246a2
0x004246bd
0x004246bd
0x004246c2
0x004246c4
0x004246c8
0x004246c8
0x004246b0
0x004246b3
0x004246b8
0x004246b8
0x004246cd
0x004246d0
0x004246d7
0x004246d9
0x00424476
0x00000000
0x00424476
0x004246e7
0x00000000
0x004241a7
0x004241af
0x004241bc
0x004241bf
0x004241bf
0x004241c4
0x00000000
0x00000000
0x004241ca
0x004241d0
0x004241eb
0x004241ee
0x004241f6
0x004241fa
0x00424966
0x00424969
0x0042496c
0x00424249
0x00424249
0x0042424f
0x00424259
0x0042425c
0x00424264
0x00424264
0x00424267
0x00424271
0x00424274
0x00424276
0x00000000
0x00000000
0x00424262
0x00424262
0x0042427a
0x0042427d
0x00424283
0x00000000
0x004248cb
0x004248ce
0x004248d2
0x00424286
0x00424286
0x0042428c
0x00424293
0x00424296
0x0042429e
0x004242a3
0x004247ba
0x004247bd
0x004247c0
0x00000000
0x00000000
0x00000000
0x00000000
0x004242a9
0x004242a9
0x004242a9
0x004242ac
0x004242b3
0x004242b5
0x00000000
0x00000000
0x004242c0
0x0042483a
0x004242c6
0x004242cb
0x004242d3
0x004242d3
0x004242d9
0x004242e3
0x004242f0
0x004242f0
0x004242f0
0x004242f3
0x004242fa
0x004242fc
0x00000000
0x00000000
0x00424307
0x0042430f
0x0042430f
0x00424321
0x00000000
0x00000000
0x00424323
0x0042432a
0x0042433c
0x00424341
0x00424348
0x0042434e
0x004247d3
0x004247db
0x004247de
0x004247e2
0x004247e6
0x004247eb
0x004247ee
0x004247f1
0x004247f8
0x00424823
0x004247fe
0x00424803
0x0042480c
0x0042480c
0x004247f8
0x0042435a
0x0042435e
0x00424362
0x00424366
0x00424369
0x0042436e
0x00424384
0x00424386
0x00424388
0x0042438c
0x0042439d
0x0042439d
0x0042439d
0x004243a3
0x00000000
0x00000000
0x00424390
0x00424393
0x00424398
0x0042439b
0x004243b9
0x004243b9
0x004243bc
0x004243c3
0x004243c5
0x004243c7
0x00424814
0x0042476b
0x0042476b
0x00000000
0x0042476b
0x004243de
0x004243e1
0x004243e6
0x00424765
0x00424830
0x00424830
0x00000000
0x00424765
0x004243ec
0x004243f1
0x004248a5
0x004248ac
0x004248b3
0x00000000
0x00000000
0x004248b9
0x004248bc
0x004248c3
0x00424853
0x00424853
0x00000000
0x00424853
0x004243fc
0x004243ff
0x00424417
0x00424417
0x0042441c
0x0042441f
0x00424423
0x00000000
0x00000000
0x00424425
0x00424425
0x0042442c
0x0042442e
0x00424431
0x00424411
0x00424413
0x00424439
0x00424439
0x0042443c
0x0042443f
0x00424446
0x0042444d
0x00000000
0x00000000
0x00424456
0x00424459
0x00424460
0x00424468
0x00424846
0x0042484d
0x00000000
0x00000000
0x00000000
0x0042484d
0x0042446e
0x00000000
0x0042446e
0x00424415
0x00424415
0x00424417
0x0042441c
0x0042441f
0x00424423
0x00000000
0x00000000
0x00000000
0x00424423
0x00424433
0x00424433
0x00424437
0x00000000
0x00000000
0x00000000
0x00424403
0x00424403
0x0042440a
0x0042440f
0x00000000
0x00000000
0x00000000
0x0042440f
0x00424417
0x0042439b
0x004243a5
0x004243ac
0x004243af
0x004243b4
0x004243b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00424307
0x00424713
0x00424716
0x00424720
0x00424728
0x00424728
0x0042472d
0x0042472d
0x00424730
0x00424736
0x00424739
0x0042473e
0x00424743
0x0042485b
0x0042485e
0x00000000
0x0042485e
0x0042474d
0x00424796
0x00424799
0x0042479c
0x0042479c
0x0042479f
0x004247a2
0x004247a7
0x004247a9
0x004247ad
0x004247b0
0x004247b7
0x00000000
0x004247b7
0x0042474f
0x00000000
0x00424773
0x00424777
0x00424866
0x0042486b
0x00000000
0x00000000
0x00424871
0x00424878
0x0042487c
0x00424881
0x00424888
0x00000000
0x00000000
0x0042488e
0x00424890
0x00424893
0x00424785
0x00424787
0x0042478a
0x00424794
0x00000000
0x00000000
0x00000000
0x00424794
0x0042477d
0x00424780
0x00424783
0x00000000
0x00424783
0x004242a9
0x0042424f
0x00424200
0x00424206
0x00424209
0x0042495e
0x00424238
0x00424238
0x00424238
0x00424238
0x0042423d
0x00000000
0x00000000
0x00424220
0x00424224
0x00424229
0x0042489a
0x0042489d
0x00000000
0x00000000
0x00000000
0x00000000
0x00424229
0x00424243
0x00424246
0x00424246
0x00000000
0x00424209
0x004241d2
0x004241d4
0x00000000
0x00000000
0x004241de
0x004241e3
0x004241e5
0x004246fa
0x004248df
0x004248e6
0x004248e9
0x00000000
0x00000000
0x004248ef
0x004248f2
0x00424907
0x00424909
0x0042490d
0x0042491e
0x0042491e
0x00424923
0x00424925
0x00424929
0x00424929
0x00424911
0x00424914
0x00424919
0x00424919
0x0042492e
0x00424931
0x00424938
0x0042493a
0x00000000
0x0042494b
0x0042494e
0x00424956
0x00000000
0x00424956
0x0042493a
0x00424700
0x00424700
0x00424703
0x00424707
0x00000000
0x00424707
0x00000000
0x004241e5

APIs

strlen.MSVCRT ref: 00424140
memcpy.MSVCRT ref: 00424167

Part of subcall function 00424B00: setlocale.MSVCRT ref: 00424B18
Part of subcall function 00424B00: _strdup.MSVCRT ref: 00424B26
Part of subcall function 00424B00: setlocale.MSVCRT ref: 00424B3C
Part of subcall function 00424B00: wcstombs.MSVCRT ref: 00424B67
Part of subcall function 00424B00: realloc.MSVCRT ref: 00424B7B
Part of subcall function 00424B00: wcstombs.MSVCRT ref: 00424B94
Part of subcall function 00424B00: setlocale.MSVCRT ref: 00424BA4
Part of subcall function 00424B00: free.MSVCRT ref: 00424BAC

Part of subcall function 00423B20: malloc.MSVCRT ref: 00423B3B

strlen.MSVCRT ref: 00424496
strlen.MSVCRT ref: 00424686
_strdup.MSVCRT ref: 004246D0

Part of subcall function 00424120: strlen.MSVCRT ref: 004241F1

Strings

\, xrefs: 004248CE

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen$setlocale$_strdupwcstombs$freemallocmemcpyrealloc
String ID: \
API String ID: 3818432545-2967466578
Opcode ID: 7ec423548edddd31fb1172171624ded5f4303dbfa6a0717a804b939ea2766881
Instruction ID: 6bab2ba1e4bbff584d2888d673531f6975ca6569ec9e712c2f51e181aeaa1acf
Opcode Fuzzy Hash: 7ec423548edddd31fb1172171624ded5f4303dbfa6a0717a804b939ea2766881
Instruction Fuzzy Hash: FD429174F042648FDB10DFA9E4803AEBBF1EF85344F98455BD8959B301E3389942CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424B00 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 00424B18
_strdup.MSVCRT ref: 00424B26
setlocale.MSVCRT ref: 00424B3C
wcstombs.MSVCRT ref: 00424B67
realloc.MSVCRT ref: 00424B7B
wcstombs.MSVCRT ref: 00424B94
setlocale.MSVCRT ref: 00424BA4
free.MSVCRT ref: 00424BAC
mbstowcs.MSVCRT ref: 00424BDA
mbstowcs.MSVCRT ref: 00424C04
wcstombs.MSVCRT ref: 00424CF3
realloc.MSVCRT ref: 00424D0A
wcstombs.MSVCRT ref: 00424D24
wcstombs.MSVCRT ref: 00424DDF
setlocale.MSVCRT ref: 00424DFB
free.MSVCRT ref: 00424E03
setlocale.MSVCRT ref: 00424E6B
free.MSVCRT ref: 00424E73

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocalewcstombs$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 2891164732-0
Opcode ID: b31dd5d4948880a8f93658e025a59d8b1e8f64e54700df8329e5d4990db15265
Instruction ID: 294d6ec6c8c2c08e6f5ecf196f345d9c47e40495e6456396b4dea8a54525ba36
Opcode Fuzzy Hash: b31dd5d4948880a8f93658e025a59d8b1e8f64e54700df8329e5d4990db15265
Instruction Fuzzy Hash: 81B19170A142358ACB20AF69E44527BF7F1FF94340FC5842FE4889B355E3789891DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6A0 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0041B6B6
strlen.MSVCRT ref: 0041B6C3

Strings

", xrefs: 0041B73E
', xrefs: 0041B91D
', xrefs: 0041B72C
\, xrefs: 0041B7E0
[, xrefs: 0041B7F2
*, xrefs: 0041B735
@, xrefs: 0041B880
?, xrefs: 0041B71D

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CommandLinestrlen
String ID: "$'$'$*$?$@$[$\
API String ID: 3702654222-871974141
Opcode ID: 014621bda27978ea51d8879c53f59ee4fc01c41584cf4dee7b32efed8c197395
Instruction ID: b7f57443ae9d02fc7280bc91385ba25e2d13df21e05181c6e04709ad9e95b9c9
Opcode Fuzzy Hash: 014621bda27978ea51d8879c53f59ee4fc01c41584cf4dee7b32efed8c197395
Instruction Fuzzy Hash: 65A1C270A143098FDB14CB68D8843EEB7E6FB88304F18856BD855D7351E33998868BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00406D2A Relevance: 11.6, APIs: 4, Strings: 1, Instructions: 4076memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004014F9: VirtualAlloc.KERNEL32 ref: 0040153B

VirtualAlloc.KERNEL32 ref: 00406D6C
VirtualAlloc.KERNEL32 ref: 00407F9B
VirtualAlloc.KERNEL32 ref: 0040925F
VirtualAlloc.KERNEL32 ref: 0040A21A

Strings

o, xrefs: 0040A20B

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: o
API String ID: 4275171209-252678980
Opcode ID: 7876b43eb201ecd0c654acdc51d58cb169a997b285aa601c4952b6215d074a63
Instruction ID: b6b0caca9b328ea0c1f73490f8004b060f5fa5f76fab2d150c52cdd5329ce992
Opcode Fuzzy Hash: 7876b43eb201ecd0c654acdc51d58cb169a997b285aa601c4952b6215d074a63
Instruction Fuzzy Hash: 88D32B76801229CFCB65CF58CDC5BD9B7B5BF44308F0881EAC949AB216E730AA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004014F9 Relevance: 10.2, APIs: 3, Strings: 1, Instructions: 4219memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0040153B
VirtualAlloc.KERNEL32 ref: 00402634
VirtualAlloc.KERNEL32 ref: 004059A5

Strings

y, xrefs: 0040152C

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: y
API String ID: 4275171209-4225443349
Opcode ID: 925cafceef868559a619fe5fcb7d67b57cb65f6eee8d0d3c6efdfafa2b735f12
Instruction ID: 02314fd4cf1174d6d415910666e6840481e8a11ab169fa6f77ca844e3b2d8e92
Opcode Fuzzy Hash: 925cafceef868559a619fe5fcb7d67b57cb65f6eee8d0d3c6efdfafa2b735f12
Instruction Fuzzy Hash: D7D33C76C01229CBCB25CF58CD85BC9B7B5BF54308F1842EAC95DAB206D730AA95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2A4 Relevance: 7.5, APIs: 3, Instructions: 3712
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406D2A: VirtualAlloc.KERNEL32 ref: 00406D6C

VirtualAlloc.KERNEL32 ref: 0040C2E6
VirtualAlloc.KERNEL32 ref: 0040D13F
VirtualAlloc.KERNEL32 ref: 0040EF6B

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6028685e0a6cedc7f31912a2d6d53837c396e9ebb7f4ffdaefeba7b3568ecc4f
Instruction ID: d97ebcd7520be7e76b50b5a5784d8158421a972f6e4ab85348ec855e199b89c8
Opcode Fuzzy Hash: 6028685e0a6cedc7f31912a2d6d53837c396e9ebb7f4ffdaefeba7b3568ecc4f
Instruction Fuzzy Hash: 8EC31B76C01229CFCB65CF58CD85BD9B7B5BF44308F0881EAC959AB216E730AA94CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004249B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

glob-1.0-mingw32, xrefs: 004249CE, 004249DD

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: glob-1.0-mingw32
API String ID: 0-3253302226
Opcode ID: 1abaf3b29fdba8cc23075ab6474858afc39f7b8f745aa37f70867453243fe092
Instruction ID: b8782072dfe865eb7d940e2225d954ac1887608d9f45a8cb93ab16330c58d1d1
Opcode Fuzzy Hash: 1abaf3b29fdba8cc23075ab6474858afc39f7b8f745aa37f70867453243fe092
Instruction Fuzzy Hash: D32190B2B443248BCB149F69F8452AFBBA5EFD4304F84455FE88167302D77CA941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004AB5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004AB604
malloc.MSVCRT ref: 004AB665

Strings

/J, xrefs: 004AB62B

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: malloc
String ID: /J
API String ID: 2803490479-1125715729
Opcode ID: 67903aeabbdab4e43518a7ea792d1a46330fa4c823134d3bf2966fdc01e39692
Instruction ID: 978cf8fcab6963bf5dc729908277cd5a72a91ab1d83133055cbf38acce71b218
Opcode Fuzzy Hash: 67903aeabbdab4e43518a7ea792d1a46330fa4c823134d3bf2966fdc01e39692
Instruction Fuzzy Hash: 4C0144B02053055AD7107F66A8C166B7694EF76348F41482FEE844B343E7BDD85097EB

Uniqueness

Uniqueness Score: -1.00%

Function 00424FD0 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileA.KERNEL32 ref: 00424FE5
GetLastError.KERNEL32 ref: 00425052
_errno.MSVCRT ref: 0042505C

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ErrorFileFindLastNext_errno
String ID:
API String ID: 2804278807-0
Opcode ID: 7cfe841b90e4922a52334382e8c7b15fe9c7ddb5546ac9d10c18a24a9ef10097
Instruction ID: 62c469d670b267ff73ad219ebe3d03042d15996f50bf7b38469f66676e2fc392
Opcode Fuzzy Hash: 7cfe841b90e4922a52334382e8c7b15fe9c7ddb5546ac9d10c18a24a9ef10097
Instruction Fuzzy Hash: 5601C8716046618BDF10EF69BC813A6B790EF45315F88846BE848CF346E23DC848D3E6

Uniqueness

Uniqueness Score: -1.00%

Function 00425290 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(?,?,?,?,?,0042471B), ref: 004252A5
free.MSVCRT(?,?,?,?,?,?,0042471B), ref: 004252B4
_errno.MSVCRT ref: 004252C0

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CloseFind_errnofree
String ID:
API String ID: 1660445202-0
Opcode ID: 441ba031dc975d3c37c690e2cc3b60cbc3454b32681044380269ab40b0034261
Instruction ID: 19311e590a9d18845a9dcd81fa132f71f2ec31319e629e5734ff85766be96cbc
Opcode Fuzzy Hash: 441ba031dc975d3c37c690e2cc3b60cbc3454b32681044380269ab40b0034261
Instruction Fuzzy Hash: 7DE04FB0700711CBC7007EB5A88522E36A4AF04314FD10AAEEC508F2C3E73C94404BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00426FE0 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5daf321b857766ad2d9d3cd1be15eb308d8f8412a232f7b019fe335b850ca8
Instruction ID: 455b9ab0fa881882b775e49478b9e31a878a35e2746c4bd75b0612878f9c125b
Opcode Fuzzy Hash: bd5daf321b857766ad2d9d3cd1be15eb308d8f8412a232f7b019fe335b850ca8
Instruction Fuzzy Hash: 9FF044B0A052068FCB1CCF04D4D0A26B7A0BFA8314F44689EDA840B382C339ECC0DBC1

Uniqueness

Uniqueness Score: -1.00%

Function 004012F5 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0040130A

Part of subcall function 004011A5: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401220
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401234
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401248
Part of subcall function 004011A5: __p__fmode.MSVCRT ref: 0040124D
Part of subcall function 004011A5: __p__environ.MSVCRT ref: 00401267
Part of subcall function 004011A5: _cexit.MSVCRT ref: 0040128A
Part of subcall function 004011A5: ExitProcess.KERNEL32 ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode__set_app_type_cexit
String ID:
API String ID: 1603352833-0
Opcode ID: 0c6c21d3da0c26be2a6962d4b5d298f42c3039939e46e04a491074ec539d9ced
Instruction ID: b537ba7b3021bfc12492c367917d5c9f4a380c34972d173bc2a6d0b613c430d7
Opcode Fuzzy Hash: 0c6c21d3da0c26be2a6962d4b5d298f42c3039939e46e04a491074ec539d9ced
Instruction Fuzzy Hash: 6FD0CA32800A1A8BCA24AF78C80939AF7B0FB04308F020A1CE5A93B011C7B4351A8BE1

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004012EA

Part of subcall function 004011A5: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401220
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401234
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401248
Part of subcall function 004011A5: __p__fmode.MSVCRT ref: 0040124D
Part of subcall function 004011A5: __p__environ.MSVCRT ref: 00401267
Part of subcall function 004011A5: _cexit.MSVCRT ref: 0040128A
Part of subcall function 004011A5: ExitProcess.KERNEL32 ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode__set_app_type_cexit
String ID:
API String ID: 1603352833-0
Opcode ID: 81472174a9c8b944e2ceb1f4e4ab65e3830dc5efc5a6b5bc608e56136d046557
Instruction ID: 47275128fedc777255371a284aa1a686176105b773411750fa5747b567b606dc
Opcode Fuzzy Hash: 81472174a9c8b944e2ceb1f4e4ab65e3830dc5efc5a6b5bc608e56136d046557
Instruction Fuzzy Hash: F0A011B08080088AC3203F28C80A20A3AB0AB08300F08022CB0800A2A2CBB800888AAA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00420CD0 Relevance: 20.8, APIs: 7, Strings: 4, Instructions: 1598stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00420CDA
strlen.MSVCRT ref: 00420CE4

Strings

inity, xrefs: 00422402
!, xrefs: 0042287D
5, xrefs: 004212A2
, xrefs: 0042208A

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: e815c2ec56e0ae49ea9b27382123c498193bd113e543a7d261c9ba54a1ddde20
Instruction ID: 0e130e0ca7a6df97e55fec71d3ac585f0b09b3fd014ee4956513d286ccbd8a83
Opcode Fuzzy Hash: e815c2ec56e0ae49ea9b27382123c498193bd113e543a7d261c9ba54a1ddde20
Instruction Fuzzy Hash: 2CE248706083A1CFD320DF28D58476BBBE1BF94304F95892EE98987361D779E845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFC0 Relevance: 13.8, APIs: 3, Strings: 6, Instructions: 328
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 52%

			E0041AFC0(signed char* __eax, intOrPtr __ecx, signed int __edx) {
				void* _v16;
				char _v32;
				signed int _v36;
				char _v40;
				char* _v44;
				signed int _v48;
				char _v52;
				char* _v56;
				signed int* _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v100;
				char _v356;
				char _v360;
				char _v364;
				char _v368;
				char _v372;
				char _v376;
				signed int _v380;
				char _v384;
				char* _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed char* _v404;
				signed char _v408;
				intOrPtr _v412;
				char _v416;
				intOrPtr _v420;
				signed int _v424;
				signed int _v432;
				signed int _v436;
				intOrPtr _v440;
				signed int _v444;
				signed int _v448;
				void* _v461;
				char _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				signed int _t163;
				signed int _t165;
				void* _t170;
				signed int _t172;
				signed int _t182;
				intOrPtr _t202;
				signed int _t206;
				signed int _t207;
				intOrPtr* _t208;
				signed int _t210;
				signed int _t214;
				int _t219;
				signed int _t221;
				signed int _t225;
				signed int _t226;
				signed char* _t229;
				signed int _t231;
				signed char* _t233;
				intOrPtr _t234;
				signed int _t238;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t254;
				signed int _t255;
				signed char* _t262;
				signed int _t264;
				intOrPtr _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				char* _t280;
				signed int _t282;
				signed char* _t285;
				signed char* _t286;
				void* _t288;
				void* _t289;
				intOrPtr* _t290;
				intOrPtr* _t292;
				void* _t298;
				void* _t304;

				_t254 = __edx;
				_t229 = __eax;
				_t290 = _t289 - 0x1cc;
				_t163 =  *__eax & 0x000000ff;
				_v436 = __edx;
				_v440 = __ecx;
				_t298 = _t163 - 0x5f;
				_v432 = _t163;
				if(_t298 == 0) {
					_t278 = 1;
					if(__eax[1] != 0x5a) {
						goto L1;
					} else {
					}
				} else {
					L1:
					asm("repe cmpsb");
					_t238 = 0 | _t298 > 0x00000000;
					_t278 = 0;
					if(_t238 == (_t163 & 0xffffff00 | _t298 > 0x00000000)) {
						_t225 =  *(_t229 + 8) & 0x000000ff;
						if((_t254 & 0xffffff00 | _t225 == 0x0000002e | _t238 & 0xffffff00 | _t225 == 0x0000005f) != 0 || _t225 == 0x24) {
							_t226 =  *(_t229 + 9) & 0x000000ff;
							if(_t226 == 0x44) {
								L17:
								_t278 = 0;
								if( *((char*)(_t229 + 0xa)) == 0x5f) {
									_t278 = ((_t226 & 0xffffff00 | _t226 != 0x00000049) & 0x000000ff) + 2;
								}
							} else {
								_t278 = 0;
								if(_t226 == 0x49) {
									goto L17;
								}
							}
						}
					}
				}
				 *_t290 = _t229;
				_t165 = strlen(??);
				_t272 = _t165 + _t165;
				_v380 = _t165;
				_v416 = _t229;
				_v408 = 0x11;
				_v412 = _t229 + _t165;
				_t240 = _t165 * 4;
				_v404 = _t229;
				_v392 = _t272;
				_v396 = 0;
				_v384 = 0;
				_v376 = 0;
				_v372 = 0;
				_v368 = 0;
				_v364 = 0;
				_v360 = 0;
				_t170 = E0041C220(0x12 + (_t165 * 4 + _t272) * 4 >> 4 << 4);
				_t172 =  &_v461 >> 2;
				_v444 = _t172;
				_t255 = _t172 * 4;
				_t292 = _t290 - _t170 - E0041C220(0x12 + _t165 * 4 >> 4 << 4);
				_t304 = _t278 - 1;
				_v400 = _t255;
				_v388 =  &_v464;
				if(_t304 == 0) {
					if(_v432 == 0x5f) {
						if( *((char*)(_t229 + 1)) != 0x5a) {
							goto L22;
						} else {
							_t273 =  &_v416;
							_v404 = _t229 + 2;
							_v432 = E00414FF0(_t273, 1);
							if((_v408 & 0x00000001) == 0) {
								_t182 =  *_v404 & 0x000000ff;
							} else {
								_t262 = _v404;
								_t182 =  *_t262 & 0x000000ff;
								if(_t182 == 0x2e) {
									_v444 = _t273;
									do {
										_t206 = _t262[1] & 0x000000ff;
										_t123 = _t206 - 0x61; // -7
										if(_t123 <= 0x19 || _t206 == 0x5f) {
											_t207 = _t262[2] & 0x000000ff;
											_t233 =  &(_t262[2]);
											while(_t207 - 0x61 <= 0x19) {
												L52:
												_t233 =  &(_t233[1]);
												_t207 =  *_t233 & 0x000000ff;
											}
											if(_t207 == 0x5f) {
												goto L52;
											}
											goto L31;
										} else {
											_t182 =  *_t262 & 0x000000ff;
											if(_t206 - 0x30 <= 9) {
												_t233 = _t262;
												L31:
												while(_t207 == 0x2e) {
													while((_t233[1] & 0x000000ff) - 0x30 <= 9) {
														_t207 = _t233[2] & 0x000000ff;
														_t233 =  &(_t233[2]);
														if(_t207 - 0x30 > 9) {
															goto L31;
														} else {
															do {
																_t233 =  &(_t233[1]);
																_t214 =  *_t233 & 0x000000ff;
															} while (_t214 - 0x30 <= 9);
															if(_t214 == 0x2e) {
																continue;
															}
														}
														goto L38;
													}
													break;
												}
												L38:
												_t282 = _v396;
												_v404 = _t233;
												if(_t282 >= _v392) {
													L49:
													_t208 = 0;
												} else {
													_t234 = _t233 - _t262;
													_v396 = _t282 + 1;
													_t208 = _v400 + (_t282 + _t282 * 2) * 4;
													if(_t234 == 0 || _t208 == 0) {
														goto L49;
													} else {
														 *_t208 = 0;
														 *(_t208 + 4) = _t262;
														 *((intOrPtr*)(_t208 + 8)) = _t234;
													}
												}
												goto L42;
											}
										}
										goto L12;
										L42:
										 *_t292 = _t208;
										_t210 = E004121F0(_v432, 0x4d);
										_t262 = _v404;
										_v432 = _t210;
										_t182 =  *_t262 & 0x000000ff;
									} while (_t182 == 0x2e);
								}
							}
							goto L12;
						}
					} else {
						goto L22;
					}
				} else {
					if(_t304 < 0 || _t278 > 3) {
						_v432 = E00414030( &_v416, _t240);
						_t182 =  *_v404 & 0x000000ff;
					} else {
						_t250 = _t229 + 0xb;
						_v404 = _t250;
						if( *((char*)(_t229 + 0xb)) == 0x5f) {
							if( *((char*)(_t229 + 0xc)) != 0x5a) {
								goto L8;
							} else {
								_v404 = _t229 + 0xd;
								_t252 = E00414FF0( &_v416, 0);
								goto L11;
							}
							goto L55;
						} else {
							L8:
							_v448 = _t255;
							 *_t292 = _t250;
							_v432 = _t250;
							_t219 = strlen(??);
							_t251 = _v432;
							_t264 = _v448;
							if(_t272 <= 0) {
								L10:
								_t252 = 0;
							} else {
								_v396 = 1;
								if(_t219 != 0) {
									_t277 = _v444;
									 *((intOrPtr*)(4 + _t277 * 4)) = _t251;
									 *(_t277 * 4) = 0;
									_t252 = _t264;
									 *(8 + _t277 * 4) = _t219;
								} else {
									goto L10;
								}
							}
						}
						L11:
						 *_t292 = 0;
						_t221 = E004121F0(_t252, (0 | _t278 != 0x00000002) + 0x43);
						_t285 = _v404;
						_v432 = _t221;
						 *_t292 = _t285;
						_t286 = _t285 + strlen(??);
						_v404 = _t286;
						_t182 =  *_t286 & 0x000000ff;
					}
					L12:
					_t231 = _v432;
					if(_t231 == 0 || _t182 != 0) {
						L22:
						return 0;
					} else {
						_v100 = 0;
						_v96 = 0;
						_t280 =  &_v356;
						_v84 = 0;
						_v80 = 0;
						_v92 = _v436;
						_v68 = 0;
						_v64 = 0;
						_v76 = 0;
						_v72 = 0;
						_v88 = _v440;
						_v60 = 0;
						_v56 = 0;
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						E004123E0( &_v36, _t231,  &_v48);
						_v32 = 0;
						_v36 = _v36 * _v48;
						E0041C220(0x12 + _v48 * 8 >> 4 << 4);
						E0041C220(0x12 + _v36 * _v48 * 8 >> 4 << 4);
						_v56 =  &_v464;
						_v424 = _t231;
						_v44 =  &_v464;
						_v420 = _v60;
						_v60 =  &_v424;
						E00415790(_t280, _t231, 0x11);
						_v60 = _v420;
						_t202 = _v100;
						 *((char*)(_t288 + _t202 - 0x160)) = 0;
						_v472 = _t202;
						_v468 = _v88;
						 *_t292 = _t280;
						_v92();
						return 0 | _v76 == 0x00000000;
					}
				}
				L55:
			}

0x0041afc0
0x0041afc6
0x0041afc8
0x0041afce
0x0041afd1
0x0041afd7
0x0041afdd
0x0041afdf
0x0041afe5
0x0041b311
0x0041b316
0x00000000
0x00000000
0x0041b31c
0x0041afeb
0x0041afeb
0x0041aff7
0x0041aff9
0x0041afff
0x0041b003
0x0041b005
0x0041b015
0x0041b2dd
0x0041b2e3
0x0041b2ef
0x0041b2ef
0x0041b2f5
0x0041b305
0x0041b305
0x0041b2e5
0x0041b2e5
0x0041b2e9
0x00000000
0x00000000
0x0041b2e9
0x0041b2e3
0x0041b015
0x0041b003
0x0041b023
0x0041b026
0x0041b02e
0x0041b031
0x0041b037
0x0041b03d
0x0041b047
0x0041b04d
0x0041b054
0x0041b05a
0x0041b060
0x0041b06d
0x0041b077
0x0041b081
0x0041b08b
0x0041b09c
0x0041b0a6
0x0041b0b6
0x0041b0c1
0x0041b0c4
0x0041b0ca
0x0041b0df
0x0041b0e1
0x0041b0e4
0x0041b0ee
0x0041b0f4
0x0041b328
0x0041b338
0x00000000
0x0041b33a
0x0041b33a
0x0041b348
0x0041b35c
0x0041b362
0x0041b4da
0x0041b368
0x0041b368
0x0041b36e
0x0041b373
0x0041b379
0x0041b37f
0x0041b37f
0x0041b383
0x0041b389
0x0041b4e9
0x0041b4ed
0x0041b4f8
0x0041b500
0x0041b500
0x0041b503
0x0041b509
0x0041b510
0x00000000
0x00000000
0x00000000
0x0041b397
0x0041b39c
0x0041b39f
0x0041b3a5
0x00000000
0x0041b3a7
0x0041b3b0
0x0041b3bb
0x0041b3c2
0x0041b3ca
0x00000000
0x0041b3d0
0x0041b3d0
0x0041b3d0
0x0041b3d3
0x0041b3d9
0x0041b3e0
0x00000000
0x00000000
0x0041b3e0
0x00000000
0x0041b3ca
0x00000000
0x0041b3b0
0x0041b3e2
0x0041b3e2
0x0041b3ee
0x0041b3f4
0x0041b4e2
0x0041b4e2
0x0041b3fa
0x0041b406
0x0041b408
0x0041b40e
0x0041b411
0x00000000
0x0041b41f
0x0041b41f
0x0041b425
0x0041b428
0x0041b428
0x0041b411
0x00000000
0x0041b3f4
0x0041b39f
0x00000000
0x0041b42b
0x0041b42b
0x0041b43f
0x0041b444
0x0041b44a
0x0041b450
0x0041b453
0x0041b45b
0x0041b373
0x00000000
0x0041b362
0x00000000
0x00000000
0x00000000
0x0041b0fa
0x0041b0fa
0x0041b46b
0x0041b477
0x0041b109
0x0041b10d
0x0041b110
0x0041b116
0x0041b483
0x00000000
0x0041b489
0x0041b494
0x0041b4a1
0x00000000
0x0041b4a1
0x00000000
0x0041b11c
0x0041b11c
0x0041b11c
0x0041b122
0x0041b125
0x0041b12b
0x0041b132
0x0041b138
0x0041b13e
0x0041b152
0x0041b158
0x0041b140
0x0041b142
0x0041b14c
0x0041b4a8
0x0041b4ae
0x0041b4b5
0x0041b4c0
0x0041b4c2
0x00000000
0x00000000
0x00000000
0x0041b14c
0x0041b13e
0x0041b15a
0x0041b15f
0x0041b16e
0x0041b173
0x0041b179
0x0041b17f
0x0041b187
0x0041b189
0x0041b18f
0x0041b18f
0x0041b192
0x0041b192
0x0041b19a
0x0041b32a
0x0041b333
0x0041b1a8
0x0041b1b3
0x0041b1ba
0x0041b1be
0x0041b1c4
0x0041b1cb
0x0041b1d4
0x0041b1dd
0x0041b1e4
0x0041b1eb
0x0041b1f2
0x0041b1f9
0x0041b1ff
0x0041b206
0x0041b20d
0x0041b214
0x0041b21b
0x0041b222
0x0041b229
0x0041b230
0x0041b23b
0x0041b252
0x0041b255
0x0041b26d
0x0041b274
0x0041b282
0x0041b288
0x0041b28e
0x0041b29a
0x0041b29f
0x0041b2aa
0x0041b2ad
0x0041b2b5
0x0041b2bd
0x0041b2c1
0x0041b2c5
0x0041b2c8
0x0041b2dc
0x0041b2dc
0x0041b19a
0x00000000

APIs

strlen.MSVCRT ref: 0041B026
strlen.MSVCRT ref: 0041B12B
strlen.MSVCRT ref: 0041B182

Strings

Z, xrefs: 0041B47F
_GLOBAL_, xrefs: 0041AFF2
_, xrefs: 0041B109
_, xrefs: 0041B2F1
Z, xrefs: 0041B334
_, xrefs: 0041B321

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 39653677-662103887
Opcode ID: 98d1d1fea4c518d2d70a2fee37865237b8bb3d1f72dd8f9a2dd59909d9b9ec13
Instruction ID: eab190f41740b2045098edf58ce9dafb8d428dcb1a3803bf52a98d8e1b45c869
Opcode Fuzzy Hash: 98d1d1fea4c518d2d70a2fee37865237b8bb3d1f72dd8f9a2dd59909d9b9ec13
Instruction Fuzzy Hash: 1AE14D71D042688FDB20CF25C8903EEBBB1FB49304F4481EAD859AB345D7799A86CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004439D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 1067COMMON

Download Yara Rule

Strings

-, xrefs: 00443DC7
p!I, xrefs: 00444976
,5O, xrefs: 0044406A

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-$p!I
API String ID: 0-2700094955
Opcode ID: 7d368a4db095e43ae844c24bf5300ab9f769a1a52e24a244eb042bbfcc36e521
Instruction ID: 09e15aae1ebf9ad2a78fbd8567021d5911aedfb8421294efe659c05e44abcf04
Opcode Fuzzy Hash: 7d368a4db095e43ae844c24bf5300ab9f769a1a52e24a244eb042bbfcc36e521
Instruction Fuzzy Hash: 7FA27E70A042498FEF14CF68C084BAE7BB1BF45725F24865AE8659F392C339ED46CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00425D40 Relevance: 6.7, APIs: 4, Instructions: 660COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00425D47

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: localeconv
String ID:
API String ID: 3737801528-0
Opcode ID: 3513e1a4d1d14dd198aa9093421a120db29fe829b197367fd2d0c621b92d26af
Instruction ID: b9284ff923231524a5b31e24bb7a83898ad3920c9f9cc8e63fc2ff371aa166f4
Opcode Fuzzy Hash: 3513e1a4d1d14dd198aa9093421a120db29fe829b197367fd2d0c621b92d26af
Instruction Fuzzy Hash: 6A42B0707083658BC710DF19E18432BBBE2BB84304F9A895EE8C59B341D779ED45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004428E0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 1067COMMON

Download Yara Rule

Strings

-, xrefs: 00442CD7
,5O, xrefs: 00442F7A

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: a6ef09191976d58f788e0e984dc370556bfcf4485082072386103aa33dcf3b62
Instruction ID: d64095adc402f2a3a8903c16e53054d47469bf03f6c0dc6c2c0adb5885b4b9f8
Opcode Fuzzy Hash: a6ef09191976d58f788e0e984dc370556bfcf4485082072386103aa33dcf3b62
Instruction Fuzzy Hash: 37A2B270A043458FEB24CF28C184BAEBBB1BF05314F64865AE8559F392C379ED86CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00466420 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

,5O, xrefs: 004669CC
-, xrefs: 0046705F

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: c0729ad79b09cb5300bc5b1d97aac92e7e0c8980f83ff6cad9a0fec20fd54c76
Instruction ID: 074985e2108dc1a28e4c010391b6073b7b904a06021536cffeb6b3520c4b0e09
Opcode Fuzzy Hash: c0729ad79b09cb5300bc5b1d97aac92e7e0c8980f83ff6cad9a0fec20fd54c76
Instruction Fuzzy Hash: 8D729270A00249DFCF14CF68D484AAEBBB1BF45314F16825AE8559B391E339ED46CF86

Uniqueness

Uniqueness Score: -1.00%

Function 004656F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

,5O, xrefs: 00465C9C
-, xrefs: 0046632F

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: 4474d5e3b8fdd3834c59bd43f5218e4ba0ed73c1effa786c792f4cce2035ba2d
Instruction ID: c09b2f52bd865b9399cc263624875b1e108e8195d272374c5d136307ac582797
Opcode Fuzzy Hash: 4474d5e3b8fdd3834c59bd43f5218e4ba0ed73c1effa786c792f4cce2035ba2d
Instruction Fuzzy Hash: D8729070A046098FCF14DF68C494AAEBBF1BF05324F14865AE8659B391E339ED46CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00445DE0 Relevance: 4.8, Strings: 3, Instructions: 1017COMMON

Download Yara Rule

Strings

P1I, xrefs: 00446CF0
,5O, xrefs: 00446550
-, xrefs: 004461AE

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-$P1I
API String ID: 0-3531569498
Opcode ID: 78296e7f08b9d7948900ec2accdfffc41f5e05db4ffaaccafe32ed64d4cfdbf0
Instruction ID: 590d2b6b1dcef6242a48b160c10cc88154ea6bec31dbaeac368d21473ac75bea
Opcode Fuzzy Hash: 78296e7f08b9d7948900ec2accdfffc41f5e05db4ffaaccafe32ed64d4cfdbf0
Instruction Fuzzy Hash: 8D927170A042548BEF14DF68C0847AE7BB1BF06304F66855EE8499F392D779DC86CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00444DB0 Relevance: 4.8, Strings: 3, Instructions: 1016COMMON

Download Yara Rule

Strings

-, xrefs: 0044517E
`)I, xrefs: 00445CC0
,5O, xrefs: 00445520

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-$`)I
API String ID: 0-1947141267
Opcode ID: 16309b379162eceb056d7ebc5e0ec80dcdc1562288815787678290ca53f9cd1f
Instruction ID: 541796ffcf1940af7a7c8e462de31224affe13ae53df9f21e9a542590f8c256f
Opcode Fuzzy Hash: 16309b379162eceb056d7ebc5e0ec80dcdc1562288815787678290ca53f9cd1f
Instruction Fuzzy Hash: F1928B70A04648CBEF14DF68C0847AE7BB1BF45304F64855AE8499F392D779EC86CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004D87F0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78052c430ee59d04dec00af7362a8f02280950fb3f1323203a7ab47010caddbf
Instruction ID: 29e360af980b715b1eff284adf4c4df86812a61db507402c0eebb9906e4d50e1
Opcode Fuzzy Hash: 78052c430ee59d04dec00af7362a8f02280950fb3f1323203a7ab47010caddbf
Instruction Fuzzy Hash: 14F14DB1E012199FDF14CFA9C8906AEB7B1FF48314F15826FE419A7344DB35A901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041C8E0 Relevance: 3.4, APIs: 2, Instructions: 421COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,00000001,0041D9E4), ref: 0041C9E0

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4faf5ff1bf83171ac02ea2252ff168ecd2d57c4a6d4c2177f361016a51eccb91
Instruction ID: fbdb4b2a3b731f556a8aaa0250c5d08bd5e1d5bde183a0cb6e18c7be085082a8
Opcode Fuzzy Hash: 4faf5ff1bf83171ac02ea2252ff168ecd2d57c4a6d4c2177f361016a51eccb91
Instruction Fuzzy Hash: B6E12A72A446258FC704CF28C8D23D9BBE2AF81354F19827ADD599B342C37EAD859784

Uniqueness

Uniqueness Score: -1.00%

Function 00468160 Relevance: 3.3, Strings: 2, Instructions: 844COMMON

Download Yara Rule

Strings

,5O, xrefs: 00468781
-, xrefs: 00468E0D

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: 9c55081f505dce213f40bdc2d6cfd4752ee05600ac5b367c7ab2ca8f77f21ae4
Instruction ID: 7aa50590b6b60e0b5102c0e4054bb15c1c56594df38895d1129a96c41e8fc607
Opcode Fuzzy Hash: 9c55081f505dce213f40bdc2d6cfd4752ee05600ac5b367c7ab2ca8f77f21ae4
Instruction Fuzzy Hash: 19728070A002498FCF14DF68C4946AEBBB1BF05304F14865EE8459B391EB79ED86CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00467430 Relevance: 3.3, Strings: 2, Instructions: 842COMMON

Download Yara Rule

Strings

-, xrefs: 004680DD
,5O, xrefs: 00467A51

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: 4bc54e4e4034196d0b3e09f705c27cd098fe7cef16737d4d8b3bd8a371eedf38
Instruction ID: d659c64110555db4e54ac50a023933b903ce631897e99604de2d6cc4dc833d8f
Opcode Fuzzy Hash: 4bc54e4e4034196d0b3e09f705c27cd098fe7cef16737d4d8b3bd8a371eedf38
Instruction Fuzzy Hash: AD72A070A08209DFDB14DF68C484AAEBBF1BF05318F14855AE8459B351E739ED86CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 004738B0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00473903

Strings

basic_string::append, xrefs: 00473950

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memset
String ID: basic_string::append
API String ID: 2221118986-3811946249
Opcode ID: d89754ffa428566461ccd07bdfa1b19473ea9f1e9b8df19157b4f4bac64bf658
Instruction ID: ea8f9f826f29c21711dda11d128dfc89583a34913a89cda86972ff55ceba5b9a
Opcode Fuzzy Hash: d89754ffa428566461ccd07bdfa1b19473ea9f1e9b8df19157b4f4bac64bf658
Instruction Fuzzy Hash: 6911DFF2E056008FC310BF29D48856FFBE4AB91311F55C56FE9885B311E778AA049B8B

Uniqueness

Uniqueness Score: -1.00%

Function 004D8C88 Relevance: 2.9, APIs: 1, Instructions: 1354COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004D8E03

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 02deb92841897436473f05212dc81b3230664060b9f6c4d1982e33aafa4d7425
Instruction ID: 81ae2921413551c6780df07f151ddf98c591d603772396c3ea9858ced9f50d0e
Opcode Fuzzy Hash: 02deb92841897436473f05212dc81b3230664060b9f6c4d1982e33aafa4d7425
Instruction Fuzzy Hash: 3FC22771E086288FDB65CE28DD907AAB3B5EB49304F1441EBD84DE7340E779AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 0044D5E0 Relevance: 2.0, APIs: 1, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccbdc2dedd47a5e706c14cdc7a82ba7a6e2203ce021791e58cee7087b6189b0
Instruction ID: 279f37d5e98e3b3100b0887a9ad025be400c80965c68a51f3984c725bc95f9e4
Opcode Fuzzy Hash: 6ccbdc2dedd47a5e706c14cdc7a82ba7a6e2203ce021791e58cee7087b6189b0
Instruction Fuzzy Hash: 57628F70E04298CFEB24DF68C4907AEBBB1AF05314F28865AE4659F392C379DD46CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0044CA70 Relevance: 2.0, APIs: 1, Instructions: 754COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044CC44

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 8a665aed61ae976c2acebd75b8dcd649f65a3df04d4867947e290664dfbf92d6
Instruction ID: 5124d889975178a784303149c88be9825ff62088f2774f10e24a1f375c09493f
Opcode Fuzzy Hash: 8a665aed61ae976c2acebd75b8dcd649f65a3df04d4867947e290664dfbf92d6
Instruction Fuzzy Hash: E4629070E052988FEB54CFA8C0D07AEBBB1BF05314F28825AE8559B392C379DD46CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0044AA40 Relevance: 2.0, APIs: 1, Instructions: 712COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044AD2A

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: ad7993ae4f221ba1e8f5d51b8bb6652938dd233b8da8ac38adf0741580a8338f
Instruction ID: 03b8307fe8af6d2a61eeb92bb0f58712459c97fdbfd6d170774622f70c4e75d0
Opcode Fuzzy Hash: ad7993ae4f221ba1e8f5d51b8bb6652938dd233b8da8ac38adf0741580a8338f
Instruction Fuzzy Hash: 8362A4709442988FEB14CF68C4947AEBBB1BF05314F28825AE8659F381C379DD57CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0044BFB0 Relevance: 2.0, APIs: 1, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90685067a4e7ecb40c6ac3a9c313b9fecff8f2d38f4c4b2779659eb588493104
Instruction ID: cfcc0a16be50866a693f9415e02fe4fe7d52e9987321f36762b963e55819d049
Opcode Fuzzy Hash: 90685067a4e7ecb40c6ac3a9c313b9fecff8f2d38f4c4b2779659eb588493104
Instruction Fuzzy Hash: 0F529170906258CFEB64CFA8C4D07AEBBB1AF05324F1C825AE8659B391D379DC46CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0044B500 Relevance: 2.0, APIs: 1, Instructions: 705COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044B7DA

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 0577d69c564a9d5b96204350ad41838468f9726bae25c4b6eb213814c9ff01ca
Instruction ID: 56c7e15bf85b0b6a2d15706e9b8d491d0f968eda9d7ac6ed564ec042df4147df
Opcode Fuzzy Hash: 0577d69c564a9d5b96204350ad41838468f9726bae25c4b6eb213814c9ff01ca
Instruction Fuzzy Hash: A35271709042588FEB24CF68C4907AEBBB1EF45324F28865AE8659F391C379DD47CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00449F90 Relevance: 2.0, APIs: 1, Instructions: 705COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044A26A

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 0577d69c564a9d5b96204350ad41838468f9726bae25c4b6eb213814c9ff01ca
Instruction ID: 774013577510cc5f2c76ddcbb1ef0eb607f7427a6d170da15bbeee5e02ecf9ab
Opcode Fuzzy Hash: 0577d69c564a9d5b96204350ad41838468f9726bae25c4b6eb213814c9ff01ca
Instruction Fuzzy Hash: 3C52B0709442588FEB20CF68C0847AEBBB1BF05324F19869AE8659F391C379DC57CB46

Uniqueness

Uniqueness Score: -1.00%

Function 004503C0 Relevance: 1.9, APIs: 1, Instructions: 655COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00450781

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: cb3006130dd7e42829b3004c7781e953fbcfabaffa84905ba73f428958262f31
Instruction ID: 1ba113455a6184096ce4f163dff43d9cd119ffa28e56368a80b2356c992e06a0
Opcode Fuzzy Hash: cb3006130dd7e42829b3004c7781e953fbcfabaffa84905ba73f428958262f31
Instruction Fuzzy Hash: 0152CF74904298DFDF14DFA8C4907AEBFB1BF45315F18825AE8959B383C339984ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 00450DA0 Relevance: 1.9, APIs: 1, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932f4df7d875ea87f96b42b5f2e1f251c747a301549347b0b98f8a37d2927dd0
Instruction ID: 04be347c0bc77b74ee9c6bfd662ac8d9fedf8c20f832471cb33afc6a5a84e868
Opcode Fuzzy Hash: 932f4df7d875ea87f96b42b5f2e1f251c747a301549347b0b98f8a37d2927dd0
Instruction Fuzzy Hash: 9F42F270D042989FCF24CFA8C0907AEBBB1AF05315F14819BEC919B3A3C378994ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 0044EA00 Relevance: 1.8, APIs: 1, Instructions: 570COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044ED3B

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: cd02168774b80e216d03531530df5556a2d137873f953791506afa7696a0e30b
Instruction ID: 8d61fd680a6d616762daf76c83deb9a5d7614011ad3166526c2faa6a08ff5e78
Opcode Fuzzy Hash: cd02168774b80e216d03531530df5556a2d137873f953791506afa7696a0e30b
Instruction Fuzzy Hash: 9132AD70904299DFEF10CFA9D0807AEBFB1BF05314F14455BE895AB382C379A94ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 0043DFF0 Relevance: 1.6, APIs: 1, Instructions: 340stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0043E33E

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: d566590d37779bca265cc2a5a866327b1f82eae64eea281ff3e62f8c7e20948d
Instruction ID: 23d6ad602170c6406652ede0ae7e0a25ff090e72a8c70e63711af2ad627e5684
Opcode Fuzzy Hash: d566590d37779bca265cc2a5a866327b1f82eae64eea281ff3e62f8c7e20948d
Instruction Fuzzy Hash: E2E15E71901119CFCF14CF6AC4806AEBBB1AF4D324F18925AE825AB391D339ED42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004416C0 Relevance: 1.6, APIs: 1, Instructions: 339COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00441A09

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: 6d7cff8f5e94c84ad2be04c7832b32ef5c4dd08bb1094c1bf3d22c5f523c3663
Instruction ID: a0474b2f58dc4b78011c3f87e853268e819ec89b4132a75c8a53623d6a2d0f02
Opcode Fuzzy Hash: 6d7cff8f5e94c84ad2be04c7832b32ef5c4dd08bb1094c1bf3d22c5f523c3663
Instruction Fuzzy Hash: 9BD15D75A002198BDF20DF69C4805EEB7F1FF48314F64815AE855AB360E739ED82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004CD137 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 004CD2B3

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 205f5db79ebd84f74a6d79e044b196edb6aed300a4d25be2936dbd0686ccffae
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 0D517A7CE0064866DBF89A698896FBF679AAB02304F0C057FD842D7391CE1DDD46821F

Uniqueness

Uniqueness Score: -1.00%

Function 0049A9C0 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

basic_string::_M_replace, xrefs: 0049ACA0

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: basic_string::_M_replace
API String ID: 0-2323331477
Opcode ID: 42e15e87170c5060c3382461a1ada10b42e0dbe0ed25fbee402e72022a2fee0c
Instruction ID: 052374d8f981a4ccada7bec4deddc09578f4b44ff1d9c943b912c08537c57289
Opcode Fuzzy Hash: 42e15e87170c5060c3382461a1ada10b42e0dbe0ed25fbee402e72022a2fee0c
Instruction Fuzzy Hash: 6B810875A083129FCB10DF29C18042EBBF2AFC5740F55882EE5859B324E739E855DB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00456500 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c0eedaa5fe9ff636e774d836646f7c89289f2a79cd3a9ac15451f03e4b4e0a
Instruction ID: 11f3ca7da48d0faa70c591f793c361796009eac0c1c9d7153293b8ba1d7178b2
Opcode Fuzzy Hash: b8c0eedaa5fe9ff636e774d836646f7c89289f2a79cd3a9ac15451f03e4b4e0a
Instruction Fuzzy Hash: BD62D170A042588BDF14CFA8C0807AEBBF1BF05316F96855BEC559B392D3399D4ACB49

Uniqueness

Uniqueness Score: -1.00%

Function 004BA540 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b24d087022e83954a3639f7b4b4f6a27bdfed2d15f2294e78459255bd37fd6
Instruction ID: 2c01264ea91ba00c8fa4103cd166bb2ec133fe8580cbcad18a97a01931c8e29e
Opcode Fuzzy Hash: 54b24d087022e83954a3639f7b4b4f6a27bdfed2d15f2294e78459255bd37fd6
Instruction Fuzzy Hash: 692261B3F515144BDB4CCB5DDCA27ECB2E3AFD8214B0E903DA40AE3345EA79D9158648

Uniqueness

Uniqueness Score: -1.00%

Function 00454F10 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368d771ee4798fb9020d3f1b27f7af012b01f82ba1a4b30a3338c53106e20d05
Instruction ID: 89b630be04755274964a0f182134c9cbad34c29fe58a0b9e2f42ce26f0f83556
Opcode Fuzzy Hash: 368d771ee4798fb9020d3f1b27f7af012b01f82ba1a4b30a3338c53106e20d05
Instruction Fuzzy Hash: 5E52AF70904A58CBCB14CFA8C0607BE7BB1BF05316F54815AEC559F392D379AD4ACB89

Uniqueness

Uniqueness Score: -1.00%

Function 00454440 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43be4580e86c68f28544203249f35394b7c8f308de601b862dec96d1efa9b452
Instruction ID: f6140a01123a71873850203f6a2a2e6240f5307a6169437066588c07c375cb65
Opcode Fuzzy Hash: 43be4580e86c68f28544203249f35394b7c8f308de601b862dec96d1efa9b452
Instruction Fuzzy Hash: 78528E74904258CBCB14CFA8C0807AEBBB1BF8531AF15815AEC559F396D339DD8ACB49

Uniqueness

Uniqueness Score: -1.00%

Function 00452F60 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43be4580e86c68f28544203249f35394b7c8f308de601b862dec96d1efa9b452
Instruction ID: 0fd6902dbd2145ddbfabbe96baf5995d56b27a4cf61517608f58e1a82e47116a
Opcode Fuzzy Hash: 43be4580e86c68f28544203249f35394b7c8f308de601b862dec96d1efa9b452
Instruction Fuzzy Hash: B052AD70A042588BCB14CFA8C1807AEBBB1BF05397F14815AEC559F396D3799E4ACB49

Uniqueness

Uniqueness Score: -1.00%

Function 004593D0 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af272ffea1dcf702705da48b33d874de111d0bee1c238f9cb9024816f8c4528
Instruction ID: bce34784da9436e56412e95fe593b6d758068fc58fea058062b73260b63544d9
Opcode Fuzzy Hash: 2af272ffea1dcf702705da48b33d874de111d0bee1c238f9cb9024816f8c4528
Instruction Fuzzy Hash: 9C42BC70904288CFDF24DFA9C0807AEBBF2BF05315F14815AE8959B392D3799D4ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00453A30 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7b7978d33b7f27bcabfd40021b0874887ad9b3f6ea416ad59f5974299ff6de
Instruction ID: b2f45e578388a470de2332baba52a206611ada327e901733ea0b0ab7dcde4a0b
Opcode Fuzzy Hash: fb7b7978d33b7f27bcabfd40021b0874887ad9b3f6ea416ad59f5974299ff6de
Instruction Fuzzy Hash: 7C429F719042588BCF14CFA8C0807AEBBB1BF45356F24815AEC55AF396D3399E8ECB45

Uniqueness

Uniqueness Score: -1.00%

Function 00459DB0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb38fb03050b4f87a1a1ddc2e8c3a2e205d389a2fed0bbf4cf52345e05c45c7
Instruction ID: 0c17e7d11ade1bdf82359d61a7fab421e229076c77f686aa46c89077fa998487
Opcode Fuzzy Hash: 9cb38fb03050b4f87a1a1ddc2e8c3a2e205d389a2fed0bbf4cf52345e05c45c7
Instruction Fuzzy Hash: 8042A070A042488FCF14DFA9C0947AEBBF1AF45305F14825BEC859B392D3399D5ACB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045A780 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce80e74b4d0c170bef4790e23ac2d1cce52f26a383ae37f51237a612b3e1f2e
Instruction ID: 54bd06c4594ea7c7b191fe691a6d3503ca5ae5e71a7611cab3403046eeb71e7b
Opcode Fuzzy Hash: 0ce80e74b4d0c170bef4790e23ac2d1cce52f26a383ae37f51237a612b3e1f2e
Instruction Fuzzy Hash: 3C329FB09042588BCB10EF75D0906BFBBF1AF45306F14861BEC968B352D738E95ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 00457970 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0eb48c5e898122da48368ecbfbf18f5f2bb4b3166834eb7968940bcfaece27
Instruction ID: c401600196e0e940d0620956f31570e820ebcd04c71d1ec95dd07eddec7701b0
Opcode Fuzzy Hash: fe0eb48c5e898122da48368ecbfbf18f5f2bb4b3166834eb7968940bcfaece27
Instruction Fuzzy Hash: 7932AF709082589BDF11CFA8E0847AEBBB1BF05305F14416BEC45AB382D77D994ECB99

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475e8221e453e280ef27addb34f63407c65e086ee023c2c898d504a7350b10ad
Instruction ID: 628de0db8d75158281ab8078c9373b04ddd6c9958aea86d1487eb301effcebf8
Opcode Fuzzy Hash: 475e8221e453e280ef27addb34f63407c65e086ee023c2c898d504a7350b10ad
Instruction Fuzzy Hash: 98F16171704600CBD7149E6A98903EABBD2ABC8344F19887FD946CF34AE67DCCC59788

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA70 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,00000001,0041D9E4), ref: 0041D1E9

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 64620d66f2c8938d0cb0cf1a84ba2559d3e79901d8ffdd4d40b88405c9a24545
Instruction ID: 006d86a4feb16d496d69e0205ef4cc7fe2bc30b9f75a62fd6d3e4c7ea4c9a5fa
Opcode Fuzzy Hash: 64620d66f2c8938d0cb0cf1a84ba2559d3e79901d8ffdd4d40b88405c9a24545
Instruction Fuzzy Hash: 8BB1E576A046259FC714CF28C8D23D9BBE2BF81350F19813AEC5A9B342C37AAD459784

Uniqueness

Uniqueness Score: -1.00%

Function 004DCE9D Relevance: .3, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae70b87e7456231d474ad8acb31c1dd5f5a994dc4dfa4d7130a51ebc35ad56e
Instruction ID: c8b2deada51b633c30e7040b33d73b69aae48eb7497a7e81f7a114096b401ae5
Opcode Fuzzy Hash: 1ae70b87e7456231d474ad8acb31c1dd5f5a994dc4dfa4d7130a51ebc35ad56e
Instruction Fuzzy Hash: 67B19931610609DFDB19CF28C496BA57BA1FF45364F25825AE899CF3A1C339E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004C9813 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3876dc35d0dec0636d8222ba7b8c691e8f0be0c1f56d4eb916fada070419bb0
Instruction ID: e44b314274d1e7d3d4c52109fe092ba32ea890c3906486bec3461ad90988f8ee
Opcode Fuzzy Hash: b3876dc35d0dec0636d8222ba7b8c691e8f0be0c1f56d4eb916fada070419bb0
Instruction Fuzzy Hash: 6351A0B6A116059FEB68CF55D98ABAAB7F0FB44314F24842FC509EB350D3789D00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C250 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf044b2d7dd0ea96e6e2d3def7215889a5738d7d170ca20fb917c8d50bf2c39
Instruction ID: 9960a08dacbd3a0503c95a57f7e1d68a07c0b749eda18db6ff6b03a0befb96eb
Opcode Fuzzy Hash: 4cf044b2d7dd0ea96e6e2d3def7215889a5738d7d170ca20fb917c8d50bf2c39
Instruction Fuzzy Hash: 8221C132B443190B97049CAEACC019BF3C7ABD8264F59813FED5CC3355E9719C998285

Uniqueness

Uniqueness Score: -1.00%

Function 00470A20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e9389e333b968ccd225293db0c4563de851505901709603af1d08dec95f8f9
Instruction ID: aa8d06ae98519e85e739260fc26642c64c86eb157fc69afad3a196ed77b383c7
Opcode Fuzzy Hash: 10e9389e333b968ccd225293db0c4563de851505901709603af1d08dec95f8f9
Instruction Fuzzy Hash: 04419D74905309CFDB00EFA9C48469EBBF0FF55318F00866AE845AB351D378E949CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00486B40 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2304bd9ec2c27679bc6826c64fb0f3bb0b47f44e841c1e845139e313d8416b36
Instruction ID: 6933890cf20d7fb8d1bf992bfcf6b8ec26080c3ce902b2991bb0f60aa005a6f9
Opcode Fuzzy Hash: 2304bd9ec2c27679bc6826c64fb0f3bb0b47f44e841c1e845139e313d8416b36
Instruction Fuzzy Hash: AC4192749042198FDB10EF69C4946AEFBF0FF55318F00496EE841AB351D378E849CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004DBC47 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee08308985d10c9d648ab75eab738e71b50f45ff6d779e26fe61daf8dc167ee
Instruction ID: edfdfb7aedaf1e0ef69520600605080f7306829c404bc187ea0a3e1f52df9f79
Opcode Fuzzy Hash: dee08308985d10c9d648ab75eab738e71b50f45ff6d779e26fe61daf8dc167ee
Instruction Fuzzy Hash: D321B673F20539477B0CC47E8C532BDB6E1C68C501745423AE8A6EA3C1D96CD917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 004DBB27 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42bf66f3b2d893692f64063e492e0bc0a70722be2f8036d4cfcce361b78519c
Instruction ID: 7ce7ab4cc890b8b043f53f98ce619f41e8d827c0fc48d6494fad043fe6095ca0
Opcode Fuzzy Hash: c42bf66f3b2d893692f64063e492e0bc0a70722be2f8036d4cfcce361b78519c
Instruction Fuzzy Hash: 9911CA23F30C255B675C816D8C1727AA5D2DBD825030F533BD826E7384E994DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 004DDE50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 1f86648261f794d5e5fe53235b529fba9503b8e39957f15b876ad50d98dfe98f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 12117A77E0188243D724CA3DC8B46B7E7A5EBF7320B2C437BD0428F758D22AE8459608

Uniqueness

Uniqueness Score: -1.00%

Function 004EEBEC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0bfc2ef7b64e396843138ab717a1f3c293dc8ee292486fa54476fd2f3b6864
Instruction ID: 2a7543f1b5c1d9d8279d78365afe440eb7b77663ca9e7f691fe84507ff0f85e6
Opcode Fuzzy Hash: 6d0bfc2ef7b64e396843138ab717a1f3c293dc8ee292486fa54476fd2f3b6864
Instruction Fuzzy Hash: 55E01A322105909BC7219A5BC840C96F7E8EF947B1B154566EA4697611D235FC41CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004CF542 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c8ee549e0e701cc67c10f8b31497336b99bd38d043062465dd4583a8c5f113
Instruction ID: c4abfb838af37546161023671287e5937ff46afa49a4eb0bb4bc212d6cb3e58f
Opcode Fuzzy Hash: 22c8ee549e0e701cc67c10f8b31497336b99bd38d043062465dd4583a8c5f113
Instruction Fuzzy Hash: 15E04632A11228EBCB14DB898904E8AB2ACEB48B84B1100ABB611D3201C278DE00D7D8

Uniqueness

Uniqueness Score: -1.00%

Function 004CB7B1 Relevance: .0, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8a6c4b3cf830ed144381963364f1d73fe104952161c63b1984596417fe1e2e
Instruction ID: 1b93084a1a039f5ba4590c99073b684bb7db0f86f6f2f187f1d29c7ff6483277
Opcode Fuzzy Hash: bc8a6c4b3cf830ed144381963364f1d73fe104952161c63b1984596417fe1e2e
Instruction Fuzzy Hash: 68E01235101148AFCB616B15CC9EE2A3B2AEB80381F440429F90586231CB39ED52CAC8

Uniqueness

Uniqueness Score: -1.00%

Function 0042C470 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe4a5c730f25fc9888ce67d226b0ff7384fd8932a890f570a862b5e3ca627b7
Instruction ID: b388c2251a59f43fd6e52c5f27581e78781c4411d0d5c9edf0ac91079a2a92c7
Opcode Fuzzy Hash: abe4a5c730f25fc9888ce67d226b0ff7384fd8932a890f570a862b5e3ca627b7
Instruction Fuzzy Hash: 2FC012B0C0424046C2007F348506128BDB06F5330CF84585CE44013202E639C018465F

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF40 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 113fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042DFB1
fwrite.MSVCRT ref: 0042E053
fputs.MSVCRT ref: 0042E066
fwrite.MSVCRT ref: 0042E089
fputs.MSVCRT ref: 0042E09D
fwrite.MSVCRT ref: 0042E0C7
abort.MSVCRT ref: 0042E0CC
free.MSVCRT ref: 0042E0D4
abort.MSVCRT ref: 0042E139
fwrite.MSVCRT ref: 0042E161

Strings

terminate called without an active exception, xrefs: 0042E153
terminate called recursively, xrefs: 0042E0B9
not enough space for format expansion (Please submit full bug report at http://gcc.gnu.org/bugs.html): , xrefs: 0042DF51
terminate called after throwing an instance of ', xrefs: 0042E045
-, xrefs: 0042E143

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: fwrite$abortfputs$freememcpy
String ID: -$not enough space for format expansion (Please submit full bug report at http://gcc.gnu.org/bugs.html): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 1748391741-837261893
Opcode ID: 6a834da6b6b146f8822325c18b1359ea73434e2780b2d5d817d484c365acc2e6
Instruction ID: a226534c6e8664fcbd8913f8464b36c9a281fef7d5404d740806d0bf51c83a46
Opcode Fuzzy Hash: 6a834da6b6b146f8822325c18b1359ea73434e2780b2d5d817d484c365acc2e6
Instruction Fuzzy Hash: 084159B0508358DED710AF22D48876BBBE0EF45304F40C95EE9988B342D7799589DF96

Uniqueness

Uniqueness Score: -1.00%

Function 004364A0 Relevance: 19.9, APIs: 11, Strings: 2, Instructions: 366
stringCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E004364A0(intOrPtr* __ecx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v16;
				void* _v20;
				char _v32;
				intOrPtr _v36;
				char* _v40;
				int _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				void* _v68;
				void* _v84;
				void* _v88;
				void* _v92;
				void* _v108;
				intOrPtr _v112;
				void* _v116;
				int _v128;
				int _v132;
				char* _v136;
				char* _v140;
				void* _v152;
				void* _v164;
				void* _v176;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t142;
				char _t145;
				int _t149;
				char _t151;
				int _t152;
				char** _t154;
				int _t155;
				intOrPtr _t158;
				int _t159;
				int _t162;
				char* _t165;
				int _t166;
				char** _t168;
				int _t169;
				intOrPtr _t171;
				intOrPtr _t173;
				int _t177;
				intOrPtr _t179;
				intOrPtr _t181;
				char** _t183;
				int _t184;
				intOrPtr _t186;
				intOrPtr _t188;
				int _t193;
				intOrPtr _t196;
				int _t202;
				intOrPtr _t205;
				char** _t209;
				int _t210;
				intOrPtr _t213;
				char* _t220;
				char* _t226;
				signed int _t227;
				char* _t228;
				char* _t229;
				char* _t230;
				char* _t231;
				char* _t232;
				char* _t235;
				intOrPtr* _t236;
				char* _t238;
				char* _t245;
				char* _t254;
				void* _t257;
				void* _t260;
				intOrPtr _t261;
				intOrPtr _t264;
				intOrPtr _t267;
				char* _t270;
				char* _t271;
				char* _t272;
				intOrPtr* _t273;
				char* _t274;
				intOrPtr _t275;
				char* _t276;
				char* _t277;
				char* _t278;
				char* _t279;
				char* _t280;
				char* _t281;
				intOrPtr* _t282;
				intOrPtr* _t283;
				void* _t284;
				void* _t285;
				void* _t286;
				void* _t287;
				void* _t290;
				void* _t291;
				void* _t297;
				void* _t298;
				void* _t299;

				_t142 = __ecx + 8;
				_t284 = _t286;
				_t282 = __ecx;
				_t287 = _t286 - 0x2c;
				 *__ecx = _t142;
				_v36 = _t142;
				 *((char*)(__ecx + 8)) = 0;
				 *(__ecx + 4) = 0;
				_t271 =  *( *_a4 + 0x10);
				_t145 =  *_t271;
				_v40 = _t145;
				if(_t145 == 0) {
					_v48 = 0x2a;
					_v52 = 1;
					_v56 = 0;
					_v60 = 0;
					E004982F0(1, __ecx, _t271, __ecx, _t284);
					goto L23;
				} else {
					if(_t271[4] == 0) {
						L22:
						_t272 = _v40;
						_t149 = strlen(_t272);
						_v52 = _t272;
						_v48 = _t149;
						_v56 = 0;
						_v60 = 0;
						E004979A0(1, _t282, _t272, _t282, _t284);
						L23:
						return _t282;
					} else {
						_t235 = _v40;
						while(1) {
							_t151 = _t271[4];
							_v60 = _t235;
							_v56 = _t151;
							_v32 = _t151;
							_t152 = strcmp(??, ??);
							_t235 = _v32;
							if(1 > 4) {
								break;
							}
							if(_t152 == 0) {
								continue;
							}
							break;
						}
						if(_t152 == 0) {
							goto L22;
						} else {
							_v60 = 0x80;
							_t236 = _t282;
							E004999D0(_t236);
							_t154 =  *0x4f6394; // 0x4f6300
							_t290 = _t287 - 4;
							_t226 =  *_t154;
							_v64 = _t226;
							_t155 = strlen(??);
							if(_t155 > 0x7fffffff -  *(_t282 + 4)) {
								L35:
								_v60 = "basic_string::append";
								E004A57E0();
								goto L36;
							} else {
								_v56 = _t155;
								_v60 = _t226;
								_t236 = _t282;
								E00499B70(_t236);
								_t290 = _t290 - 8;
								_t196 =  *_t282;
								_t232 =  *(_t282 + 4);
								_t271 =  &(_t232[1]);
								if(_v36 == _t196) {
									_t261 = 0xf;
								} else {
									_t261 =  *((intOrPtr*)(_t282 + 8));
								}
								if(_t271 > _t261) {
									_v48 = 1;
									_v52 = 0;
									_t236 = _t282;
									_v56 = 0;
									_v60 = _t232;
									E00499D40(_t236, _t261);
									_t290 = _t290 - 0x10;
									_t196 =  *_t282;
								}
								 *((char*)(_t196 + _t232)) = 0x3d;
								 *(_t282 + 4) = _t271;
								 *((char*)( *_t282 +  &(_t232[1]))) = 0;
								_t226 =  *( *( *_a4 + 0x10));
								_t202 = strlen(_t226);
								if(_t202 > 0x7fffffff -  *(_t282 + 4)) {
									L36:
									_v60 = "basic_string::append";
									E004A57E0();
									0;
									_push(_t284);
									_t285 = _t290;
									_push(_t271);
									_push(_t282);
									_push(_t226);
									_t283 = _t236;
									_t291 = _t290 - 0x3c;
									 *_t236 = 0x4f057c;
									_t273 =  *((intOrPtr*)( *_v56 + 0x10));
									_t158 =  *_t273;
									_v112 = _t158;
									if(_t158 == 0) {
										_t159 =  *0x4f0570; // 0x0
										 *((intOrPtr*)(_t291 + 0xc)) = 0x2a;
										_v128 = 1;
										_v136 = 0;
										_v132 = _t159;
										E00472F20(_t236, _t285);
										goto L54;
									} else {
										if( *((intOrPtr*)(_t273 + 4)) == 0) {
											L55:
											_t274 = _v56;
											_t162 = strlen(_t274);
											_v136 = _t274;
											_v132 = _t162;
											E004739B0(_t283);
											return _t283;
										} else {
											_t238 = _v56;
											_t227 = 0;
											while(1) {
												_t227 = _t227 + 1;
												_t165 =  *((intOrPtr*)(_t273 + _t227 * 4));
												_v136 = _t238;
												_v132 = _t165;
												_v52 = _t165;
												_t166 = strcmp(??, ??);
												_t238 = _v52;
												if(_t227 > 4) {
													break;
												}
												if(_t166 == 0) {
													continue;
												}
												break;
											}
											if(_t166 == 0) {
												goto L55;
											} else {
												_v136 = 0x80;
												E00474640(_t283);
												_t168 =  *0x4f6394; // 0x4f6300
												_t228 =  *_t168;
												_v140 = _t228;
												_t169 = strlen(??);
												_v140 = _t228;
												_v136 = _t169;
												E00473670(_t283);
												_t171 =  *_t283;
												_t297 = _t291 - 0xfffffffffffffffc;
												_t275 =  *((intOrPtr*)(_t171 - 0xc));
												_t229 = _t275 + 1;
												if(_t229 <=  *((intOrPtr*)(_t171 - 8))) {
													if( *((intOrPtr*)(_t171 - 4)) > 0) {
														goto L44;
													} else {
														goto L45;
													}
													goto L66;
												} else {
													L44:
													_v136 = _t229;
													E00474640(_t283);
													_t171 =  *_t283;
													_t297 = _t297 - 4;
												}
												L45:
												 *((char*)(_t171 +  *((intOrPtr*)(_t171 - 0xc)))) = 0x3d;
												_t173 =  *_t283;
												_t94 = _t173 - 0xc; // -12
												if(_t94 != 0x4f0570) {
													 *(_t173 - 4) = 0;
													 *((intOrPtr*)(_t173 - 0xc)) = _t229;
													 *((char*)(_t173 + _t275 + 1)) = 0;
												}
												_t230 =  *( *( *_v0 + 0x10));
												_t177 = strlen(_t230);
												_v136 = _t230;
												_v132 = _t177;
												E00473670(_t283);
												_t298 = _t297 - 8;
												_t231 = 4;
												do {
													_t179 =  *_t283;
													_t254 =  *((intOrPtr*)(_t179 - 0xc));
													_t276 = _t254 + 1;
													_v52 = _t254;
													if(_t276 <=  *((intOrPtr*)(_t179 - 8))) {
														if( *((intOrPtr*)(_t179 - 4)) > 0) {
															goto L48;
														} else {
															goto L49;
														}
														goto L66;
													} else {
														L48:
														_v136 = _t276;
														E00474640(_t283);
														_t179 =  *_t283;
														_t298 = _t298 - 4;
													}
													L49:
													 *((char*)(_t179 +  *((intOrPtr*)(_t179 - 0xc)))) = 0x3b;
													_t181 =  *_t283;
													_t104 = _t181 - 0xc; // -12
													_t257 = _t104;
													if(_t257 != 0x4f0570) {
														 *(_t181 - 4) = 0;
														 *((intOrPtr*)(_t181 - 0xc)) = _t276;
														 *((char*)(_t257 +  &(_v52[0xd]))) = 0;
													}
													_t183 =  *0x4f6394; // 0x4f6300
													_t277 =  *(_t183 + _t231);
													_t184 = strlen(_t277);
													_v136 = _t277;
													_v132 = _t184;
													E00473670(_t283);
													_t186 =  *_t283;
													_t299 = _t298 - 8;
													_t245 =  *((intOrPtr*)(_t186 - 0xc));
													_t278 = _t245 + 1;
													_v52 = _t245;
													if(_t278 <=  *((intOrPtr*)(_t186 - 8))) {
														if( *((intOrPtr*)(_t186 - 4)) > 0) {
															goto L51;
														} else {
															goto L52;
														}
														break;
													} else {
														L51:
														_v136 = _t278;
														E00474640(_t283);
														_t186 =  *_t283;
														_t299 = _t299 - 4;
													}
													L52:
													 *((char*)(_t186 +  *((intOrPtr*)(_t186 - 0xc)))) = 0x3d;
													_t188 =  *_t283;
													_t113 = _t188 - 0xc; // -12
													_t260 = _t113;
													if(_t260 != 0x4f0570) {
														 *(_t188 - 4) = 0;
														 *((intOrPtr*)(_t188 - 0xc)) = _t278;
														 *((char*)(_t260 +  &(_v52[0xd]))) = 0;
													}
													_t279 =  *( *( *_v0 + 0x10) + _t231);
													_t193 = strlen(_t279);
													_v136 = _t279;
													_v132 = _t193;
													E00473670(_t283);
													_t231 =  &(_t231[4]);
													_t298 = _t299 - 8;
												} while (_t231 != 0x18);
												L54:
												return _t283;
											}
										}
									}
								} else {
									_v56 = _t202;
									_v60 = _t226;
									_t236 = _t282;
									E00499B70(_t236);
									_t290 = _t290 - 8;
									_t226 = 4;
									while(1) {
										_t280 =  *(_t282 + 4);
										_v32 =  &(_t280[1]);
										_t205 =  *_t282;
										if(_v36 == _t205) {
											_t264 = 0xf;
										} else {
											_t264 =  *((intOrPtr*)(_t282 + 8));
										}
										if(_v32 > _t264) {
											_v48 = 1;
											_v52 = 0;
											_t236 = _t282;
											_v56 = 0;
											_v60 = _t280;
											E00499D40(_t236, _t264);
											_t290 = _t290 - 0x10;
											_t205 =  *_t282;
										}
										 *((char*)(_t205 + _t280)) = 0x3b;
										 *(_t282 + 4) =  &(_t280[1]);
										 *((char*)( *_t282 +  &(_t280[1]))) = 0;
										_t209 =  *0x4f6394; // 0x4f6300
										_t271 =  *(_t209 + _t226);
										_t210 = strlen(_t271);
										if(_t210 > 0x7fffffff -  *(_t282 + 4)) {
											break;
										}
										_v56 = _t210;
										_v60 = _t271;
										_t236 = _t282;
										E00499B70(_t236);
										_t281 =  *(_t282 + 4);
										_t290 = _t290 - 8;
										_v32 =  &(_t281[1]);
										_t213 =  *_t282;
										if(_v36 == _t213) {
											_t267 = 0xf;
										} else {
											_t267 =  *((intOrPtr*)(_t282 + 8));
										}
										if(_v32 > _t267) {
											_v48 = 1;
											_v52 = 0;
											_t236 = _t282;
											_v56 = 0;
											_v60 = _t281;
											E00499D40(_t236, _t267);
											_t290 = _t290 - 0x10;
											_t213 =  *_t282;
										}
										 *((char*)(_t213 + _t281)) = 0x3d;
										 *(_t282 + 4) =  &(_t281[1]);
										 *((char*)( *_t282 +  &(_t281[1]))) = 0;
										_t271 = ( *( *_a4 + 0x10))[_t226];
										_t220 = strlen(_t271);
										if(_t220 > 0x7fffffff -  *(_t282 + 4)) {
											_v60 = "basic_string::append";
											E004A57E0();
											_t270 =  *_t282;
											_t226 = _t220;
											if(_v36 != _t270) {
												_v60 = _t270;
												L004AB5B0();
											}
											E0041EC30(_t220, _t226, _t270, _t271, _t282, _t226);
											break;
										} else {
											_v56 = _t220;
											_v60 = _t271;
											_t236 = _t282;
											E00499B70(_t236);
											_t226 =  &(_t226[4]);
											_t290 = _t290 - 8;
											if(_t226 != 0x18) {
												continue;
											} else {
												return _t282;
											}
										}
										goto L66;
									}
									_v60 = "basic_string::append";
									E004A57E0();
									goto L35;
								}
							}
						}
					}
				}
				L66:
			}

0x004364a1
0x004364a4
0x004364a9
0x004364ab
0x004364ae
0x004364b0
0x004364b6
0x004364ba
0x004364c3
0x004364c6
0x004364ca
0x004364cd
0x00436786
0x0043678e
0x00436796
0x0043679e
0x004367a5
0x00000000
0x004364d3
0x004364d8
0x00436690
0x00436690
0x00436696
0x0043669b
0x0043669f
0x004366a5
0x004366ad
0x004366b4
0x004366b9
0x004366c5
0x004364de
0x004364de
0x004364e9
0x004364ec
0x004364ef
0x004364f2
0x004364f6
0x004364f9
0x00436501
0x00436504
0x00000000
0x00000000
0x004364e7
0x00000000
0x00000000
0x00000000
0x004364e7
0x00436508
0x00000000
0x0043650e
0x0043650e
0x00436515
0x00436517
0x0043651c
0x00436521
0x00436524
0x00436526
0x00436529
0x00436538
0x004367e0
0x004367e0
0x004367e7
0x00000000
0x0043653e
0x0043653e
0x00436542
0x00436545
0x00436547
0x0043654c
0x0043654f
0x00436554
0x00436557
0x0043655a
0x0043677c
0x00436560
0x00436560
0x00436560
0x00436565
0x00436750
0x00436758
0x00436760
0x00436762
0x0043676a
0x0043676d
0x00436772
0x00436775
0x00436775
0x0043656b
0x00436571
0x00436574
0x00436581
0x00436586
0x00436595
0x004367ec
0x004367ec
0x004367f3
0x004367fe
0x00436800
0x00436801
0x00436803
0x00436804
0x00436805
0x00436806
0x00436808
0x0043680e
0x00436816
0x00436819
0x0043681d
0x00436820
0x00436a70
0x00436a75
0x00436a7d
0x00436a85
0x00436a8c
0x00436a90
0x00000000
0x00436826
0x0043682b
0x004369d0
0x004369d0
0x004369d6
0x004369db
0x004369de
0x004369e4
0x004369f5
0x00436831
0x00436831
0x00436834
0x00436844
0x00436844
0x00436847
0x0043684a
0x0043684d
0x00436851
0x00436854
0x0043685c
0x0043685f
0x00000000
0x00000000
0x00436842
0x00000000
0x00000000
0x00000000
0x00436842
0x00436863
0x00000000
0x00436869
0x00436869
0x00436872
0x00436877
0x0043687f
0x00436881
0x00436884
0x00436889
0x0043688c
0x00436892
0x00436897
0x00436899
0x0043689c
0x0043689f
0x004368a5
0x00436a65
0x00000000
0x00436a6b
0x00000000
0x00436a6b
0x00000000
0x004368ab
0x004368ab
0x004368ab
0x004368b0
0x004368b5
0x004368b7
0x004368b7
0x004368ba
0x004368bd
0x004368c1
0x004368c3
0x004368cc
0x00436a9d
0x00436aa4
0x00436aa7
0x00436aa7
0x004368da
0x004368df
0x004368e4
0x004368e7
0x004368ed
0x004368f2
0x004368f5
0x004368fa
0x004368fa
0x004368fc
0x004368ff
0x00436905
0x00436908
0x00436a15
0x00000000
0x00436a1b
0x00000000
0x00436a1b
0x00000000
0x0043690e
0x0043690e
0x0043690e
0x00436913
0x00436918
0x0043691a
0x0043691a
0x0043691d
0x00436920
0x00436924
0x00436926
0x00436926
0x0043692f
0x00436a20
0x00436a27
0x00436a2d
0x00436a2d
0x00436935
0x0043693a
0x00436940
0x00436945
0x00436948
0x0043694e
0x00436953
0x00436955
0x00436958
0x0043695b
0x00436961
0x00436964
0x00436a05
0x00000000
0x00436a0b
0x00000000
0x00436a0b
0x00000000
0x0043696a
0x0043696a
0x0043696a
0x0043696f
0x00436974
0x00436976
0x00436976
0x00436979
0x0043697c
0x00436980
0x00436982
0x00436982
0x0043698b
0x00436a40
0x00436a47
0x00436a4d
0x00436a4d
0x00436999
0x0043699f
0x004369a4
0x004369a7
0x004369ad
0x004369b2
0x004369b5
0x004369b8
0x004369c1
0x004369ca
0x004369ca
0x00436863
0x0043682b
0x0043659b
0x0043659b
0x0043659f
0x004365a2
0x004365a4
0x004365a9
0x004365ac
0x004365b1
0x004365b1
0x004365b7
0x004365ba
0x004365bf
0x00436730
0x004365c5
0x004365c5
0x004365c5
0x004365cb
0x00436700
0x00436708
0x00436710
0x00436712
0x0043671a
0x0043671d
0x00436722
0x00436725
0x00436725
0x004365d1
0x004365d8
0x004365dd
0x004365e2
0x004365e7
0x004365ed
0x004365fc
0x00000000
0x00000000
0x00436602
0x00436606
0x00436609
0x0043660b
0x00436610
0x00436613
0x00436619
0x0043661c
0x00436621
0x00436740
0x00436627
0x00436627
0x00436627
0x0043662d
0x004366d0
0x004366d8
0x004366e0
0x004366e2
0x004366ea
0x004366ed
0x004366f2
0x004366f5
0x004366f5
0x00436633
0x0043663a
0x0043663f
0x0043664c
0x00436652
0x00436661
0x004367af
0x004367b6
0x004367bb
0x004367c0
0x004367c2
0x004367c4
0x004367c7
0x004367c7
0x004367cf
0x00000000
0x00436667
0x00436667
0x0043666b
0x0043666e
0x00436670
0x00436675
0x00436678
0x0043667e
0x00000000
0x00436684
0x0043668d
0x0043668d
0x0043667e
0x00000000
0x00436661
0x004367d4
0x004367db
0x00000000
0x004367db
0x00436595
0x00436538
0x00436508
0x004364d8
0x00000000

APIs

strcmp.MSVCRT ref: 004364F9
strlen.MSVCRT ref: 00436529
strlen.MSVCRT ref: 00436586
strlen.MSVCRT ref: 004365ED
strlen.MSVCRT ref: 00436652
strlen.MSVCRT ref: 00436696

Strings

basic_string::append, xrefs: 004367AF, 004367D4, 004367E0, 004367EC
*, xrefs: 00436786

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 1a1a3da6eb4d93d64a83e13746ef0796e30cd370aad5641f002ca6c3b3fe77bb
Instruction ID: 3ec927a0c19a44dc664e541155c6981a3c28670a4dea4267400fd9859b13bce3
Opcode Fuzzy Hash: 1a1a3da6eb4d93d64a83e13746ef0796e30cd370aad5641f002ca6c3b3fe77bb
Instruction Fuzzy Hash: 78E146B4A04705DFC710EF29C48462EFBE2EF88344F51C96EE8958B351D739A845CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004D611B Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004D6154
___free_lconv_mon.LIBCMT ref: 004D615F

Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D15
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D27
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D39
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D4B
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D5D
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D6F
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D81
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D93
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DA5
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DB7
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DC9
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DDB
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DED

_free.LIBCMT ref: 004D6176
_free.LIBCMT ref: 004D618B
_free.LIBCMT ref: 004D6196
_free.LIBCMT ref: 004D61B8
_free.LIBCMT ref: 004D61CB
_free.LIBCMT ref: 004D61D9
_free.LIBCMT ref: 004D61E4
_free.LIBCMT ref: 004D621C
_free.LIBCMT ref: 004D6223
_free.LIBCMT ref: 004D6240
_free.LIBCMT ref: 004D6258

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction ID: ae6bc186b09831e7528380d99d6c3133d577c8d010bf005a07e3d1e0273b4160
Opcode Fuzzy Hash: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction Fuzzy Hash: F2316D35A006019BDB206A79D856F5B73E9AB00354F22482FF458D6352EF3CFC448A18

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF10 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E0041BF10(void* __ebx, char* __ecx, intOrPtr __edx, long __edi, int __esi, void* __ebp, signed char* _a4, char _a8) {
				void* _v16;
				struct _MEMORY_BASIC_INFORMATION* _v20;
				signed char* _v24;
				intOrPtr _v64;
				intOrPtr _v72;
				char* _v84;
				char* _v88;
				intOrPtr _v92;
				intOrPtr _v108;
				char* _v112;
				char** _v116;
				intOrPtr _v136;
				signed int _v160;
				void* _t57;
				int _t60;
				long _t62;
				signed char* _t64;
				void* _t66;
				void* _t67;
				intOrPtr _t68;
				void* _t69;
				void* _t78;
				char* _t79;
				intOrPtr* _t80;
				intOrPtr _t82;
				char* _t85;
				intOrPtr _t86;
				signed int* _t88;
				intOrPtr _t91;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t104;
				signed int _t105;
				intOrPtr _t112;
				char* _t114;
				intOrPtr _t116;
				signed int _t117;
				struct _MEMORY_BASIC_INFORMATION* _t122;
				intOrPtr _t123;
				void* _t125;
				char** _t130;
				void* _t132;
				void** _t133;
				char** _t134;
				char** _t135;
				char** _t136;

				_t128 = __ebp;
				_t99 = __edx;
				_t85 = __ecx;
				_t133 = _t132 - 0x14;
				_t57 = __imp___iob;
				_v20 = 0x17;
				_v24 = 1;
				_t122 =  &_a8;
				 *_t133 = "Mingw runtime failure:\n";
				_t4 = _t57 + 0x40; // 0x770d4640
				_t78 = _t4;
				_v16 = _t78;
				fwrite(__ebx, __esi, ??, ??);
				_v20 = _t122;
				 *_t133 = _t78;
				_v24 = _a4;
				_t60 = vfprintf(??, ??, ??);
				abort();
				_push(__ebp);
				_t114 = _t85;
				_t79 = _t60;
				_t123 = _t99;
				_t134 = _t133 - 0x4c;
				_v112 = 0x1c;
				 *_t134 = _t79;
				_v116 =  &_v84;
				_t62 = VirtualQuery(_t78, _t122, __edi);
				_t135 = _t134 - 0xc;
				if(_t62 == 0) {
					_v112 = _t79;
					_v116 = 0x1c;
					 *_t135 = "  VirtualQuery failed for %d bytes at address %p";
					E0041BF10(_t79, _t85, _t99, _t114, _t123, __ebp);
					_t64 =  *0x536068;
					if(_t64 == 0) {
						 *0x536068 = 1;
						_t64 = 0;
						if(0x4fc1d8 <= 7) {
							goto L11;
						} else {
							_push(_t114);
							_push(_t123);
							_push(_t79);
							_t136 = _t135 - 0x20;
							if(0x4fc1d8 <= 0xb) {
								_t80 = 0x4fc1d8;
								goto L29;
							} else {
								_t123 =  *0x4fc1d8; // 0x0
								if(_t123 != 0) {
									L24:
									_t80 = 0x4fc1d8;
									goto L25;
								} else {
									_t82 =  *0x4fc1dc; // 0x0
									if(_t82 != 0) {
										goto L24;
									} else {
										_t85 =  *0x4fc1e0; // 0x0
										_t80 = 0x4fc1e4;
										if(_t85 == 0) {
											L29:
											_t99 =  *_t80;
											if( *_t80 != 0) {
												L25:
												while(_t80 < 0x4fc1d8) {
													_t42 = _t80 + 4; // 0x0
													_t86 =  *_t42;
													_t100 =  *_t80;
													_t80 = _t80 + 8;
													_t43 = _t86 + 0x400000; // 0x905a4d
													_t44 = _t86 + 0x400000; // 0x400000
													_t64 = _t44;
													_v136 = _t100 +  *_t43;
													L1();
												}
												goto L27;
											} else {
												_t47 = _t80 + 4; // 0x0
												_t64 =  *_t47;
												if(_t64 == 0) {
													goto L18;
												} else {
													goto L25;
												}
											}
										} else {
											_t80 = 0x4fc1d8;
											L18:
											_t34 = _t80 + 8; // 0x0
											_t64 =  *_t34;
											if(_t64 != 1) {
												_v160 = _t64;
												 *_t136 = "  Unknown pseudo relocation protocol version %d.\n";
												_t66 = E0041BF10(_t80, _t85, _t99, _t114, _t123, _t128);
												_push(_t85);
												_push(_t66);
												_t88 =  &_v160;
												if(_t66 >= 0x1000) {
													do {
														_t88 = _t88 - 0x1000;
														_t66 = _t66 - 0x1000;
													} while (_t66 > 0x1000);
												}
												_pop(_t67);
												return _t67;
											} else {
												while(1) {
													_t80 = _t80 + 0xc;
													if(_t80 >= 0x4fc1d8) {
														break;
													}
													_t103 =  *_t80;
													_t35 = _t80 + 4; // 0x3a434347
													_t116 =  *_t35;
													_t36 = _t103 + 0x400000; // 0x404000
													_t125 = _t36;
													_t37 = _t103 + 0x400000; // 0x17d818d
													_t91 =  *_t37;
													_t38 = _t80 + 8; // 0x4e472820
													_t104 =  *_t38 & 0x000000ff;
													_t39 = _t116 + 0x400000; // 0x3a834347
													_t64 = _t39;
													if(_t104 == 0x10) {
														_t105 =  *(_t116 + 0x400000) & 0x0000ffff;
														if(_t105 < 0) {
															_t105 = _t105 | 0xffff0000;
														}
														_v136 = _t91 + _t105 - _t125;
														L1();
														continue;
													} else {
														if(_t104 == 0x20) {
															_v136 = _t91 - _t125 +  *_t64;
															L1();
															continue;
														} else {
															if(_t104 == 8) {
																_t117 =  *_t64 & 0x000000ff;
																if(_t117 < 0) {
																	_t117 = _t117 | 0xffffff00;
																}
																_v136 = _t91 + _t117 - _t125;
																L1();
																continue;
															} else {
																_v160 = _t104;
																 *_t136 = "  Unknown pseudo relocation bit size %d.\n";
																_v136 = 0;
																_t64 = E0041BF10(_t80, _t91, _t104, _t116, _t125, _t128);
																goto L24;
															}
														}
													}
													break;
												}
												L27:
												return _t64;
											}
										}
									}
								}
							}
						}
					} else {
						L11:
						return _t64;
					}
				} else {
					_t68 = _v64;
					if(_t68 == 0x40 || _t68 == 4) {
						_v112 = _t114;
						_v116 = _t123;
						 *_t135 = _t79;
						_t69 = memcpy(??, ??, ??);
						goto L5;
					} else {
						_t130 =  &_v88;
						_v112 = 0x40;
						_v108 = _t130;
						_v116 = _v72;
						 *_t135 = _v84;
						VirtualProtect(??, ??, ??, ??);
						_t135 = _t135 - 0x10;
						_v112 = _t114;
						_v116 = _t123;
						 *_t135 = _t79;
						_v92 = _v64;
						_t69 = memcpy(??, ??, ??);
						_t112 = _v92;
						if(_t112 == 0x40 || _t112 == 4) {
							L5:
							return _t69;
						} else {
							_v108 = _t130;
							_v112 = _v88;
							_v116 = _v72;
							 *_t135 = _v84;
							return VirtualProtect(??, ??, ??, ??);
						}
					}
				}
			}

0x0041bf10
0x0041bf10
0x0041bf10
0x0041bf12
0x0041bf15
0x0041bf1a
0x0041bf22
0x0041bf2a
0x0041bf2e
0x0041bf35
0x0041bf35
0x0041bf38
0x0041bf3c
0x0041bf45
0x0041bf49
0x0041bf4c
0x0041bf50
0x0041bf55
0x0041bf60
0x0041bf62
0x0041bf66
0x0041bf68
0x0041bf6a
0x0041bf71
0x0041bf79
0x0041bf7c
0x0041bf80
0x0041bf85
0x0041bf8a
0x0041c038
0x0041c03c
0x0041c044
0x0041c04b
0x0041c050
0x0041c057
0x0041c065
0x0041c06f
0x0041c077
0x00000000
0x0041c079
0x0041c079
0x0041c07a
0x0041c07b
0x0041c07c
0x0041c082
0x0041c170
0x00000000
0x0041c088
0x0041c088
0x0041c090
0x0041c125
0x0041c125
0x00000000
0x0041c096
0x0041c096
0x0041c09e
0x00000000
0x0041c0a4
0x0041c0a4
0x0041c0aa
0x0041c0b1
0x0041c175
0x0041c175
0x0041c179
0x0041c12a
0x0041c130
0x0041c132
0x0041c132
0x0041c135
0x0041c137
0x0041c13a
0x0041c140
0x0041c140
0x0041c14b
0x0041c153
0x0041c158
0x00000000
0x0041c17b
0x0041c17b
0x0041c17b
0x0041c180
0x00000000
0x0041c186
0x00000000
0x0041c186
0x0041c180
0x0041c0b7
0x0041c0b7
0x0041c0bc
0x0041c0bc
0x0041c0bc
0x0041c0c2
0x0041c20b
0x0041c20f
0x0041c216
0x0041c220
0x0041c221
0x0041c227
0x0041c22b
0x0041c22d
0x0041c22d
0x0041c236
0x0041c23b
0x0041c22d
0x0041c247
0x0041c249
0x0041c0c8
0x0041c0c8
0x0041c0c8
0x0041c0d1
0x00000000
0x00000000
0x0041c0d7
0x0041c0d9
0x0041c0d9
0x0041c0dc
0x0041c0dc
0x0041c0e2
0x0041c0e2
0x0041c0e8
0x0041c0e8
0x0041c0ec
0x0041c0ec
0x0041c0f5
0x0041c190
0x0041c19a
0x0041c19c
0x0041c19c
0x0041c1aa
0x0041c1b3
0x00000000
0x0041c0fb
0x0041c0fe
0x0041c1f8
0x0041c201
0x00000000
0x0041c104
0x0041c107
0x0041c1c0
0x0041c1c7
0x0041c1c9
0x0041c1c9
0x0041c1d7
0x0041c1e0
0x00000000
0x0041c10d
0x0041c10d
0x0041c111
0x0041c118
0x0041c120
0x00000000
0x0041c120
0x0041c107
0x0041c0fe
0x00000000
0x0041c0f5
0x0041c160
0x0041c166
0x0041c166
0x0041c0c2
0x0041c0b1
0x0041c09e
0x0041c090
0x0041c082
0x0041c059
0x0041c059
0x0041c059
0x0041c059
0x0041bf90
0x0041bf90
0x0041bf97
0x0041bf9e
0x0041bfa2
0x0041bfa6
0x0041bfa9
0x00000000
0x0041bfc0
0x0041bfc4
0x0041bfc8
0x0041bfd0
0x0041bfd4
0x0041bfdc
0x0041bfdf
0x0041bfe4
0x0041bfeb
0x0041bfef
0x0041bff3
0x0041bff6
0x0041bffa
0x0041bfff
0x0041c006
0x0041bfae
0x0041bfb5
0x0041c00d
0x0041c011
0x0041c015
0x0041c01d
0x0041c025
0x0041c037
0x0041c037
0x0041c006
0x0041bf97

APIs

fwrite.MSVCRT ref: 0041BF3C
vfprintf.MSVCRT ref: 0041BF50
abort.MSVCRT(?,?,?,00400000,?,0041C050), ref: 0041BF55
VirtualQuery.KERNEL32 ref: 0041BF80
memcpy.MSVCRT ref: 0041BFA9
VirtualProtect.KERNEL32 ref: 0041BFDF
memcpy.MSVCRT ref: 0041BFFA
VirtualProtect.KERNEL32 ref: 0041C028

Strings

Mingw runtime failure:, xrefs: 0041BF2E
@, xrefs: 0041BFC8

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Virtual$Protectmemcpy$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 978211760-2549925133
Opcode ID: 1e520a454cde59e9bff562c0f39255684f35df32cdaf5f508b02e28f493bf07a
Instruction ID: 6b95b88d9b9f031e8b3e7878d61b0dc59add42060e7ecb58c4b1b668d1cc6926
Opcode Fuzzy Hash: 1e520a454cde59e9bff562c0f39255684f35df32cdaf5f508b02e28f493bf07a
Instruction Fuzzy Hash: 9C31E3B1A083159BD700EF2AD58555FBBE4FF88798F90895EF48887310D338D9448F96

Uniqueness

Uniqueness Score: -1.00%

Function 004D03CA Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D03E0
_free.LIBCMT ref: 004D03EC
_free.LIBCMT ref: 004D03F7
_free.LIBCMT ref: 004D0402
_free.LIBCMT ref: 004D040D
_free.LIBCMT ref: 004D0418
_free.LIBCMT ref: 004D0423
_free.LIBCMT ref: 004D042E
_free.LIBCMT ref: 004D0439
_free.LIBCMT ref: 004D0447

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction ID: ddeec8e5c29e84e780b843238c46a971b4061bb5b88939ed643d5af21b27b4b0
Opcode Fuzzy Hash: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction Fuzzy Hash: FC21A07A900108AFCB41EF99C862DDE7BB5FF08344F51856BF5199B121EB39EA44CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004979A0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00497A23
memcpy.MSVCRT ref: 00497A50
memmove.MSVCRT ref: 00497AA0
memmove.MSVCRT ref: 00497AD6
memmove.MSVCRT ref: 00497B12

Strings

basic_string::_M_replace, xrefs: 00497C6A

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 7078ef13320a4255e3a7e9dd97f1d9185ede01f815977d27743a0454484f4ff0
Instruction ID: 9813e7da1e0e98ea4b6079e2c26d5322d77907ce62c14f22a8d8565b1adbec75
Opcode Fuzzy Hash: 7078ef13320a4255e3a7e9dd97f1d9185ede01f815977d27743a0454484f4ff0
Instruction Fuzzy Hash: FC813571A1C3118FCB11DF28C59012FBFE1AF86740F15882EE9D987311D639E985CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004CA030 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004CA067
___except_validate_context_record.LIBVCRUNTIME ref: 004CA06F
_ValidateLocalCookies.LIBCMT ref: 004CA0F8
__IsNonwritableInCurrentImage.LIBCMT ref: 004CA123
_ValidateLocalCookies.LIBCMT ref: 004CA178

Strings

csm, xrefs: 004CA1A1
csm, xrefs: 004CA10D

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$csm
API String ID: 1170836740-3733052814
Opcode ID: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction ID: f9fac748510d4f8f7ac9096365022fa8707e23638cddede5a8976044ee339cb2
Opcode Fuzzy Hash: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction Fuzzy Hash: 5C517F38A002189FCF64DF69C844F9A7BA5AF4431CF18809FE9155B391D73ADD21CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004D5533 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004D555D
_free.LIBCMT ref: 004D5636
_free.LIBCMT ref: 004D5663

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: aae99d533923b94e607a5262edbc4de21aab151f974200e495149ca3df222e2c
Instruction ID: 1356f657016f8a47f08e8d8bacfedf51a798415a79390ecf32079f8bc6a3acde
Opcode Fuzzy Hash: aae99d533923b94e607a5262edbc4de21aab151f974200e495149ca3df222e2c
Instruction Fuzzy Hash: FC5108B5904A05AFDB20AF79D8A1A6EBBA4AF01314F20416FF91497341EF3DD9018B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 12.1, APIs: 8, Instructions: 82COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00401033
signal.MSVCRT ref: 00401088
signal.MSVCRT ref: 0040110A
signal.MSVCRT ref: 00401198

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 7b668e2b0bc2a94e5227f3c117c6a73f908d8d7407a0e760226328c275a4f015
Instruction ID: 10d143c34868f6c1315d96ad97e0a4fc0016d64e02df0930e6aadbc5630afc56
Opcode Fuzzy Hash: 7b668e2b0bc2a94e5227f3c117c6a73f908d8d7407a0e760226328c275a4f015
Instruction Fuzzy Hash: 6F31EB701082409AE7206F68C54036F76E0BF46768F164A2FE5E9DB7E1C7BE88C4975B

Uniqueness

Uniqueness Score: -1.00%

Function 00436800 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 188stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00436854
strlen.MSVCRT ref: 00436884
strlen.MSVCRT ref: 004368DF
strlen.MSVCRT ref: 00436940
strlen.MSVCRT ref: 0043699F
strlen.MSVCRT ref: 004369D6

Strings

*, xrefs: 00436A75

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen$strcmp
String ID: *
API String ID: 551667898-163128923
Opcode ID: a299df25b2166fc69c13b0ebf6971447661059d9b6b0347f6795a1cd01595fac
Instruction ID: efd8975ca5cad601d9593c428e836070feaee3a31a286f9e0c51c8e1cf47c223
Opcode Fuzzy Hash: a299df25b2166fc69c13b0ebf6971447661059d9b6b0347f6795a1cd01595fac
Instruction Fuzzy Hash: F57136B0A05605DFC710EF29D48866EFBE1FF88304F11C46ED8949B321D778A945DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00425080 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

_fullpath.MSVCRT ref: 004250B5
malloc.MSVCRT ref: 0042517C
memcpy.MSVCRT ref: 0042519F
_errno.MSVCRT ref: 00425200
_errno.MSVCRT ref: 0042521C

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _errno$_fullpathmallocmemcpy
String ID:
API String ID: 3274612330-0
Opcode ID: 28c92a027f3989a38aa95c90b1ab728370efe3fbf980d31f46c0e2954d305adb
Instruction ID: 0fb53e270595307cae48910d140e7d4ac79ea98d665f675b35882a6a5727976f
Opcode Fuzzy Hash: 28c92a027f3989a38aa95c90b1ab728370efe3fbf980d31f46c0e2954d305adb
Instruction Fuzzy Hash: 20410431744A248BE3149F29E8463BBB7D1EF81304F88855ED880CB395C77C9899C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004D5E97 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D5E5F: _free.LIBCMT ref: 004D5E84

_free.LIBCMT ref: 004D5EE5
_free.LIBCMT ref: 004D5EF0
_free.LIBCMT ref: 004D5EFB
_free.LIBCMT ref: 004D5F4F
_free.LIBCMT ref: 004D5F5A
_free.LIBCMT ref: 004D5F65
_free.LIBCMT ref: 004D5F70

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction ID: bf3f7f9d6a718193514a5b492f697af59ecc86486ee1370ebeec3fa3b4be90b1
Opcode Fuzzy Hash: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction Fuzzy Hash: B2111DB5540B04AAD920B772CC5BFCBB79D5F00B44F40082FB2AA66652EE7DBA144654

Uniqueness

Uniqueness Score: -1.00%

Function 00473CF0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

basic_string::insert, xrefs: 00473E7F, 00473E93
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00473E9B

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert
API String ID: 3510742995-684465245
Opcode ID: 1c58b56b24b4fa944c52b284c271ba90026e9bc86a977453b1b77e24abc4ca39
Instruction ID: ce698e09c2adf701795880b9d47467631f64c84eb14226051765efe3910f03df
Opcode Fuzzy Hash: 1c58b56b24b4fa944c52b284c271ba90026e9bc86a977453b1b77e24abc4ca39
Instruction Fuzzy Hash: 895192B16087558FC314AF2985841AEFBE1EF95745F14C92FE88C8B311D339CA44EB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004A4850 Relevance: 9.1, APIs: 6, Instructions: 80stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A486A
strlen.MSVCRT ref: 004A4874
memcpy.MSVCRT ref: 004A4891
setlocale.MSVCRT ref: 004A48A5
strtod.MSVCRT ref: 004A48B9
setlocale.MSVCRT ref: 004A48FD

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlenstrtod
String ID:
API String ID: 3458007262-0
Opcode ID: 65474e35444a011fd34000590d1a63ea5043f9e79308656599207dac1c2ade2e
Instruction ID: 1c2bad1b94329b6f78f23706997d3ddad71e78b355f4a62df5b7659d4da48e6e
Opcode Fuzzy Hash: 65474e35444a011fd34000590d1a63ea5043f9e79308656599207dac1c2ade2e
Instruction Fuzzy Hash: DD216BB09083099BC301BF25EA8426FBFE4FB86780F11885EE5C447250D7B98864CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004D3E3A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 004D40C2

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: d9f21bb977954c2be618fe6ec3b10540a5bd52d2726cee83e5afc4b25d151230
Instruction ID: 91217285de91ed8a59d505ccc76321f6f864765a90533dc2db53fdda21be0c5b
Opcode Fuzzy Hash: d9f21bb977954c2be618fe6ec3b10540a5bd52d2726cee83e5afc4b25d151230
Instruction Fuzzy Hash: D1C12674E042459FDF11DF99C8A4BAEBBB0EF99304F14406FE504A7392C7389942CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422CA0 Relevance: 9.0, APIs: 6, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,?,?,?,00422DD1,?,?,?,?,?,?,?,0042376B), ref: 00422CC7
InterlockedExchange.KERNEL32 ref: 00422CF2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,00422DD1,?,?,?,?,?,?,?,0042376B), ref: 00422D05
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00422DD1,?,?,?,?,?,?,?), ref: 00422D14
atexit.MSVCRT ref: 00422D23
EnterCriticalSection.KERNEL32(?,?,?,?,?,00422DD1,?,?,?,?,?,?,?,0042376B), ref: 00422D3F

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$EnterExchangeInterlockedSleepatexit
String ID:
API String ID: 3593181116-0
Opcode ID: d5da97cac5d62e09ca2109e73e77cb340eeb123978251ad32170d1e11d63efa4
Instruction ID: 4246d6dec22cea3f566340ca8ba8198b9e831bd7236040a6f23578a65037808b
Opcode Fuzzy Hash: d5da97cac5d62e09ca2109e73e77cb340eeb123978251ad32170d1e11d63efa4
Instruction Fuzzy Hash: CA0152B1A0025066DB10BF75B68631E77E4AB50304FD0885ED88187311E3BDD598DB97

Uniqueness

Uniqueness Score: -1.00%

Function 00425580 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004255AA
strchr.MSVCRT ref: 004255BA
atoi.MSVCRT ref: 004255CD

Strings

., xrefs: 004255AF
LjS, xrefs: 00425604

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .$LjS
API String ID: 1223908000-2205395414
Opcode ID: 9898720a68c0f99282f3714e232d99fea6ae89af361e95dc178a52f4f67550ab
Instruction ID: 440cb56d58dc8dc7cb117c1615c49affba13da5796060876b77c4cbd66912d92
Opcode Fuzzy Hash: 9898720a68c0f99282f3714e232d99fea6ae89af361e95dc178a52f4f67550ab
Instruction Fuzzy Hash: 9E012DB56097119BC700DF29E48422BBBF1FF88304F94C82EF88887314D739D8409B86

Uniqueness

Uniqueness Score: -1.00%

Function 00425AB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00425AD3
strchr.MSVCRT ref: 00425AE3
atoi.MSVCRT ref: 00425AF6
WideCharToMultiByte.KERNEL32 ref: 00425B36

Strings

., xrefs: 00425AD8

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWideatoisetlocalestrchr
String ID: .
API String ID: 130985476-248832578
Opcode ID: 8470c91bf611325d456b93b0d08867bc75d6a8a986dcd131119e4a40198f65e4
Instruction ID: d75f6852ea44b34df3bd5b787cd78d738038b0cdd7cee8078f4aed3b4b1308d5
Opcode Fuzzy Hash: 8470c91bf611325d456b93b0d08867bc75d6a8a986dcd131119e4a40198f65e4
Instruction Fuzzy Hash: DB11B7746087118AD304DF25D05536FBBE0AF84348F44CE1EE8985B345E7B9D6499B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00423920 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00423952
strchr.MSVCRT ref: 00423962
atoi.MSVCRT ref: 00423975
MultiByteToWideChar.KERNEL32 ref: 004239A5

Strings

., xrefs: 00423957

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWideatoisetlocalestrchr
String ID: .
API String ID: 130985476-248832578
Opcode ID: 93d8535709abce6ef7ad4c1ff65b0e65e2803c5fde41e95d51312f859e8f84b1
Instruction ID: c480a439ec2a2455ec8a115a7996cd35f5a786c1d66d746378359623d5711860
Opcode Fuzzy Hash: 93d8535709abce6ef7ad4c1ff65b0e65e2803c5fde41e95d51312f859e8f84b1
Instruction Fuzzy Hash: 6301E9B45083508AC300AF28D44522EBBE1AF85318F848F1DF8985B3D5D7B9C6489B86

Uniqueness

Uniqueness Score: -1.00%

Function 00423B90 Relevance: 7.7, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

tolower.MSVCRT ref: 00423C25
tolower.MSVCRT ref: 00423C33
tolower.MSVCRT ref: 00423CCE
tolower.MSVCRT ref: 00423CDC

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: tolower
String ID:
API String ID: 3025214199-0
Opcode ID: b984782d11aa7f6c83685cffc65385e4d26a2500f3f380a1e02e22fc3b62db78
Instruction ID: 52f4685e2babd348193a521eee414cbef7a1cbb7fad42c344cde2d888270c41d
Opcode Fuzzy Hash: b984782d11aa7f6c83685cffc65385e4d26a2500f3f380a1e02e22fc3b62db78
Instruction Fuzzy Hash: 8C61F872B1C3754BC7208E19B480237BBF2AA85746FD9455BE8D9A7301D23DEF05878A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFB5 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 183stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041B026
strlen.MSVCRT ref: 0041B12B
strlen.MSVCRT ref: 0041B182

Strings

_GLOBAL_, xrefs: 0041AFF2
_, xrefs: 0041B109

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen
String ID: _$_GLOBAL_
API String ID: 39653677-1011282467
Opcode ID: 19124ae85bb7b3b0c89dd91771f1f7b4eb86971a9b3139d694c16ae9beade998
Instruction ID: 682e562adaa065370a4549b8ab9ad495d0f52207f4762216f2cd1f931473eb57
Opcode Fuzzy Hash: 19124ae85bb7b3b0c89dd91771f1f7b4eb86971a9b3139d694c16ae9beade998
Instruction Fuzzy Hash: AE810671D002288FEB10DF69C8943DEBBF1FB49304F4481AAD859A7341D7799A89CF81

Uniqueness

Uniqueness Score: -1.00%

Function 004A4970 Relevance: 7.6, APIs: 5, Instructions: 81stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A498A
strlen.MSVCRT ref: 004A4994
memcpy.MSVCRT ref: 004A49B1
setlocale.MSVCRT ref: 004A49C5
setlocale.MSVCRT ref: 004A4A20

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 6a544106f7027919e281688b40905647d21a12d2e12b0036eebc8917641f542b
Instruction ID: 8687345bbe487251fcaa0af2a86bcd3b9f6bdb8b6e2e6ce2db56d8c068dda11d
Opcode Fuzzy Hash: 6a544106f7027919e281688b40905647d21a12d2e12b0036eebc8917641f542b
Instruction Fuzzy Hash: 12217CB0A0C3459AD301BF25DA9426EBFE0ABC2740F14495FE5C487251E3BA8851CB8E

Uniqueness

Uniqueness Score: -1.00%

Function 004A4A90 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A4AAA
strlen.MSVCRT ref: 004A4AB4
memcpy.MSVCRT ref: 004A4AD1
setlocale.MSVCRT ref: 004A4AE5
setlocale.MSVCRT ref: 004A4B3D

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: bbec92a826b54bb5cb6c4f170f06f8f157b58604a5e35a203f4d39478bbeb555
Instruction ID: fbc9fc1eab471a27c72d9b10338533d15b3095fa948f1fb8b2089842064d557c
Opcode Fuzzy Hash: bbec92a826b54bb5cb6c4f170f06f8f157b58604a5e35a203f4d39478bbeb555
Instruction Fuzzy Hash: C521ABB09083059FC301BF25D94436EBBE4FB82390F11895EE59447351D7B99891CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 004A4C40 Relevance: 7.6, APIs: 5, Instructions: 65stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A4C5F
strlen.MSVCRT ref: 004A4CA3
memcpy.MSVCRT ref: 004A4CC0
setlocale.MSVCRT ref: 004A4CD4
setlocale.MSVCRT ref: 004A4D06

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 714b521b84fb65e29f2450c11b6a4d9ae83db5c034a3b78264dabb83cff331da
Instruction ID: 6457446ce2ea96e10c483196065656058beaf2cc32b189e1d495ee445c25e542
Opcode Fuzzy Hash: 714b521b84fb65e29f2450c11b6a4d9ae83db5c034a3b78264dabb83cff331da
Instruction Fuzzy Hash: 8D21DEB1A093149FC740EF69D58522EFBE4FF84754F85882EF6C887301E77998408B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C780 Relevance: 7.5, APIs: 5, Instructions: 43synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041C789
InterlockedIncrement.KERNEL32 ref: 0041C793
WaitForSingleObject.KERNEL32(?,?,?,?,?,004ABC2D), ref: 0041C7B2
InterlockedDecrement.KERNEL32 ref: 0041C7D3
InterlockedDecrement.KERNEL32 ref: 0041C7F3

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$CurrentIncrementObjectSingleThreadWait
String ID:
API String ID: 2637438931-0
Opcode ID: 8a8b87cf778bc855bf66f309b9431519b17429eade67d14b5b3350bab0dd8be9
Instruction ID: 8e8d3d646e82aea7b6af4e59b806f550498da207d6d8fca1cbb37e740a4d00a0
Opcode Fuzzy Hash: 8a8b87cf778bc855bf66f309b9431519b17429eade67d14b5b3350bab0dd8be9
Instruction Fuzzy Hash: F6F044F250421047DB00BF39B9C515ABBA4AF00354F4A466EDC554B246E339D984C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 004D5DF6 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004D5E0E
_free.LIBCMT ref: 004D5E20
_free.LIBCMT ref: 004D5E32
_free.LIBCMT ref: 004D5E44
_free.LIBCMT ref: 004D5E56

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction ID: aea5625a3b6428b3705ee75edbcd0d7e1ea549dd2f9206033a117e2bbf740d85
Opcode Fuzzy Hash: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction Fuzzy Hash: 5AF0493A504600AB8664FB59F8E6D4B73DAAA447603660C2FF01CD7701CF2CFC808AAC

Uniqueness

Uniqueness Score: -1.00%

Function 004D71E7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 004D7302
__dosmaperr.LIBCMT ref: 004D7321
__dosmaperr.LIBCMT ref: 004D74C7

Strings

H, xrefs: 004D744C

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: __dosmaperr
String ID: H
API String ID: 2332233096-2852464175
Opcode ID: c4315a732d6b7fe706bf0a0d1349a6886f3db0e4390b40a3245472f53330642a
Instruction ID: 170c621fe5f8e7cb5d68fedb595f53f430efe0a7e530bc5013f4b54265be8f90
Opcode Fuzzy Hash: c4315a732d6b7fe706bf0a0d1349a6886f3db0e4390b40a3245472f53330642a
Instruction Fuzzy Hash: 97A10532A041459FCF1A9F68DCA5BAE3BA1EF06324F24415FF811AB391D7399812CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004D44C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D465D

Strings

*?, xrefs: 004D4506

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction ID: b3ef1bfc36ef69799d1bdc7a263400cfbd6df46fb07fabb77000a38af4a7ca8e
Opcode Fuzzy Hash: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction Fuzzy Hash: 06612C75D00219AFCF14CFA9C8919AEFBF5EF88314B25816BE915E7300D739AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 004258C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004258E8
strchr.MSVCRT ref: 004258F8
atoi.MSVCRT ref: 0042590B

Strings

., xrefs: 004258ED

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 345e5ffb523812b8206c80da48dd49b7a2ed69e53c663393731874981f3a1eb5
Instruction ID: 39595e7dcf24a6de65c0e846561faa14cd7b5ab7aed4101adb6fabc6f9bfb06b
Opcode Fuzzy Hash: 345e5ffb523812b8206c80da48dd49b7a2ed69e53c663393731874981f3a1eb5
Instruction Fuzzy Hash: E0F037B5A09720DBD710AF26E58422FBBE4FF84754F85881EF4C49B315D778A8809B86

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFB9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0041BFDF
memcpy.MSVCRT ref: 0041BFFA
VirtualProtect.KERNEL32 ref: 0041C028

Strings

@, xrefs: 0041BFC8

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$memcpy
String ID: @
API String ID: 1565840913-2766056989
Opcode ID: 43e6b3ebf733b809cd8c91941375f0d303317e84ef8ba7a7ed2a6e4b0a2d0997
Instruction ID: 49eab0a9f663e923062b8753cf94db1b97f022a4db1994bb060e0c6ac3ddd230
Opcode Fuzzy Hash: 43e6b3ebf733b809cd8c91941375f0d303317e84ef8ba7a7ed2a6e4b0a2d0997
Instruction Fuzzy Hash: 60019AB5A083069FD340EF2AD18551EFBE0FB88748F90891EF89893314D338E9458F86

Uniqueness

Uniqueness Score: -1.00%

Function 004D7D61 Relevance: 6.4, APIs: 4, Instructions: 373COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D7DE3
_free.LIBCMT ref: 004D7E07
_free.LIBCMT ref: 004D7F94
_free.LIBCMT ref: 004D8160

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c5e2441d698ff167245ef21494c9b9b257c66e7d34532bae4d3280996dd97be3
Instruction ID: 2230370d815092f00d699561bc6eb5b1c2c7ef989f5851235d671f3fa77aca0d
Opcode Fuzzy Hash: c5e2441d698ff167245ef21494c9b9b257c66e7d34532bae4d3280996dd97be3
Instruction Fuzzy Hash: FCC14672908205ABDB25DF29C862BBF7BB99F45354F2540AFE481D7341FB388E068758

Uniqueness

Uniqueness Score: -1.00%

Function 0041B520 Relevance: 6.3, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041B5B2
memcpy.MSVCRT ref: 0041B5CD
free.MSVCRT(?,?,?,?,?,?,?,?,?,0042E02D), ref: 0041B5D7

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: fe43fd1d80a0f45163ea6e46f69a15ff4e4942125dd844486459ba9fc8486f00
Instruction ID: 2f291d576d9e0edd5f7ed5b0728b922d009665c11675ba69d6676d12ac7cc231
Opcode Fuzzy Hash: fe43fd1d80a0f45163ea6e46f69a15ff4e4942125dd844486459ba9fc8486f00
Instruction Fuzzy Hash: 913191712087158BD7109F1AD4843AFBBE2EFD5358F14092EE9948B340E739D8858BDB

Uniqueness

Uniqueness Score: -1.00%

Function 004D2DFA Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004D2E81

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction ID: cbb4a3396a4859761b78e3dff2ff6bed1c96ed02f112c609af3c02e4ed1bac28
Opcode Fuzzy Hash: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction Fuzzy Hash: 77B14632A002459FDB12CF28C9A17AFBBF5EF55340F1480ABE4559B345D67C8E01CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

}::, xrefs: 0041A369
{default arg#, xrefs: 0041A250

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: {default arg#$}::
API String ID: 0-3706473490
Opcode ID: 75e6a42bf6f7f65a9989d0e031bb89eb98fcd971fb3fbfac3a1f489531751e05
Instruction ID: e7ebe1ed97cc12c2e3aa57e6feda326113fd218c7daa29a24123d7deebccb2dd
Opcode Fuzzy Hash: 75e6a42bf6f7f65a9989d0e031bb89eb98fcd971fb3fbfac3a1f489531751e05
Instruction Fuzzy Hash: A1B16D706097458BC721DF28C4843EBBBE1AF94314F14882ED9DA8B301D779A8D5DB97

Uniqueness

Uniqueness Score: -1.00%

Function 004173C8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

this, xrefs: 00417EC5
}, xrefs: 00417CCA
{parm#, xrefs: 004173D1

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: this${parm#$}
API String ID: 0-3278767634
Opcode ID: 1e19f2f5801a8ee133e45cfa72973589b62bd4bdac1d0da36b6eb6edafafb2db
Instruction ID: 96cb035e3569bbc34024f3beecf24900b3d3483cac682a87fdebd7d56975fc4e
Opcode Fuzzy Hash: 1e19f2f5801a8ee133e45cfa72973589b62bd4bdac1d0da36b6eb6edafafb2db
Instruction Fuzzy Hash: EC512F7150D251CBCB119F28C0843EA7BE1AFA5304F1984BEECC98F346D6BD98C59B66

Uniqueness

Uniqueness Score: -1.00%

Function 004253F0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00425445
MultiByteToWideChar.KERNEL32 ref: 00425487

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 9b9dead1ad5818bdf0d41cc0c2c5f59ca9815985fcd59b752d26f123936414ff
Instruction ID: c9dc50e0792fa78c6e5a5cf78c938a6f7b38ce7ee61ed8a5b0c1a3c151f6f453
Opcode Fuzzy Hash: 9b9dead1ad5818bdf0d41cc0c2c5f59ca9815985fcd59b752d26f123936414ff
Instruction Fuzzy Hash: 844137B06097608FD710EF29E44431BBBE0BF85315F948A5EF89487394D37AD9898B87

Uniqueness

Uniqueness Score: -1.00%

Function 004166D8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00416732

Strings

: , xrefs: 004194B6
, xrefs: 00416786
new , xrefs: 00416744

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strcmp
String ID: $ : $new
API String ID: 1004003707-2075650739
Opcode ID: ff2ad678ee312e15f6694a27594c7d1b7ade25dda1213b62c13134f2d0e66754
Instruction ID: 71b00ea12b3583841e9e9ab592243d9c1775ff61cc4d724509cb39dd2424776a
Opcode Fuzzy Hash: ff2ad678ee312e15f6694a27594c7d1b7ade25dda1213b62c13134f2d0e66754
Instruction Fuzzy Hash: 70415D74704305CBC700DF19C5846AAB7E1AF84328F08847EE9998B356DB78DC99CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004CA434 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004CA450
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004CA469

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction ID: 12cbd2d6d819e2c97e51dc8c0141535391f3cc7d9f8f6a9dc12f4eb5af73ceb8
Opcode Fuzzy Hash: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction Fuzzy Hash: 7A01F53A608719AFE6AC2675BC49F6B2664EB4177E320023FFA10801F1EF9D5C22515E

Uniqueness

Uniqueness Score: -1.00%

Function 00426E00 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00426E22
_strdup.MSVCRT(?,?,?,?,?,?,?,?,00427599), ref: 00426E2D
localeconv.MSVCRT ref: 00426E4C
free.MSVCRT(?,?,?,?,?,?,?,?,00427599), ref: 00426EA5

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: localeconv$_strdupfree
String ID:
API String ID: 611303462-0
Opcode ID: 9e1881c8929fd6ff0445c3d7695892d567f5a22a5e3fe5680f1f7506e94fb45b
Instruction ID: d7e45d38c7c9da7fd00f0905ab7b71b5fd67017a79e10acaff64eaa235028ce3
Opcode Fuzzy Hash: 9e1881c8929fd6ff0445c3d7695892d567f5a22a5e3fe5680f1f7506e94fb45b
Instruction Fuzzy Hash: 011163B46087318EC720DF26E04466BB7E1AF48314F868E5EE4D98B361E338D485DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041E670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,0041EC96), ref: 0041E7DE

Strings

@, xrefs: 0041E782

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 4a92dc209483a025addc4f35f708e6cc57bec7e41c43112be009efda565c61c2
Instruction ID: 5876e54ff5fe37f01a14dc1b18318355baa0d7588be70bfb387c1ad053179217
Opcode Fuzzy Hash: 4a92dc209483a025addc4f35f708e6cc57bec7e41c43112be009efda565c61c2
Instruction Fuzzy Hash: A251F3799042415FEB25CF2AD0843A7BBD0BF91318F58855EDD954B382D339EC86C785

Uniqueness

Uniqueness Score: -1.00%

Function 004DA947 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004DA9C1
_free.LIBCMT ref: 004DA9D0

Strings

-WM, xrefs: 004DA99C

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID: -WM
API String ID: 269201875-843315743
Opcode ID: b2705ce832e38e93ed40e17ac2a57d613976f7f523c97b0c0e98f217b7dc43d7
Instruction ID: e4b6525dc46e030dab05ad81d3959f86e674f226558e90bb603611f2345fca64
Opcode Fuzzy Hash: b2705ce832e38e93ed40e17ac2a57d613976f7f523c97b0c0e98f217b7dc43d7
Instruction Fuzzy Hash: 491142B1C01218ABDF119F9ACC92ADEFFB8BF18354F54446FE804B2211E7385955CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 0041EC7A

Strings

TpO, xrefs: 0041EC53, 0041ECB1
TpO, xrefs: 0041ECBE

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID: TpO$TpO
API String ID: 4206212132-382618481
Opcode ID: bd1117b92875b7820f05c98b40a1cdcf17a2e67654c1492972bdb9bc6abeb8f5
Instruction ID: 382311f08a43b120b0a463cf54f71581e4282a3a70e500459ea2a30b2d90a9c5
Opcode Fuzzy Hash: bd1117b92875b7820f05c98b40a1cdcf17a2e67654c1492972bdb9bc6abeb8f5
Instruction Fuzzy Hash: 49112A78A0020DABCF18DF96C8819DEB7B5AF85304F10846AEC0967301EA34AE85CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0041BF80
memcpy.MSVCRT ref: 0041BFA9
VirtualProtect.KERNEL32 ref: 0041BFDF
memcpy.MSVCRT ref: 0041BFFA
VirtualProtect.KERNEL32 ref: 0041C028

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 0041C044

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Virtual$Protectmemcpy$Query
String ID: VirtualQuery failed for %d bytes at address %p
API String ID: 228986436-2206166143
Opcode ID: 56e1092cac05fdd9af9eec3298b5017998f1ee2815c6cc44b422da3821c23cd9
Instruction ID: 2f0614d2a3e83a58778d3c74251199f3d0fc3f9a5696c20b4ee663e01874589f
Opcode Fuzzy Hash: 56e1092cac05fdd9af9eec3298b5017998f1ee2815c6cc44b422da3821c23cd9
Instruction Fuzzy Hash: 54F06DB06043049AD700AF2AD88555FBFE4EF84798F84882FF488C7310D379C8848A96

Uniqueness

Uniqueness Score: -1.00%

Function 004C92AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004C92B6

Part of subcall function 004C91E9: std::exception::exception.LIBCONCRT ref: 004C91F6

Strings

D$$t, xrefs: 004B844E
h+C, xrefs: 004B8440

Memory Dump Source

Source File: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: std::exception::exceptionstd::invalid_argument::invalid_argument
String ID: D$$t$h+C
API String ID: 688446690-2472099948
Opcode ID: 88fcb1c12ac631126c71379eb7a91123189db6f64200c3dded34078b076e9280
Instruction ID: 05ce0da7632b4af4c4d0153d646b33414782707cfbc79d3919e5993c22cab33f
Opcode Fuzzy Hash: 88fcb1c12ac631126c71379eb7a91123189db6f64200c3dded34078b076e9280
Instruction Fuzzy Hash: F4C0123880020C778A00FAE2D84EE8CBB285A04300F4040AEAA1092081AAB8AB0886C8

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDC2 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0041BDF7
free.MSVCRT ref: 0041BE49
LeaveCriticalSection.KERNEL32 ref: 0041BE55

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 51a5f257e3f852d8aa6fb36438673866f5939e34b27ba6fb2ea6252636d77061
Instruction ID: e555dd2cdcd1cfb2f91bd8887f9d65b1310c17a5d36d41b9d54f112f93f8551e
Opcode Fuzzy Hash: 51a5f257e3f852d8aa6fb36438673866f5939e34b27ba6fb2ea6252636d77061
Instruction Fuzzy Hash: D801A1717043058BC704FF74D5856AAB7E2FB14304F54856EDA4987301E738A8959BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0041BCE0 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0041BF05,?,?,?,?,?,?,0041BC28), ref: 0041BCEC
TlsGetValue.KERNEL32(?,?,?,?,?,0041BF05,?,?,?,?,?,?,0041BC28), ref: 0041BD05
GetLastError.KERNEL32(?,?,?,?,?,?,0041BF05,?,?,?,?,?,?,0041BC28), ref: 0041BD0F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,0041BF05,?,?,?,?,?,?,0041BC28), ref: 0041BD32

Memory Dump Source

Source File: 00000000.00000002.279133301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.279128791.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279227403.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279231356.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279234215.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279293033.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279297642.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.279313041.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: ba4cfd12d9c4ab02f3fc3d0c41d02a3c9e2104bf606d4890533f637a8e405d56
Instruction ID: 901e781f476060baeb217e0509a558ae9a442a4733415a61caac98aca264bcf8
Opcode Fuzzy Hash: ba4cfd12d9c4ab02f3fc3d0c41d02a3c9e2104bf606d4890533f637a8e405d56
Instruction Fuzzy Hash: C2F054B1A042548ADB14BF75B6C665F7BE4EE10304F0505AEDE854B306E738D888C6EB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 6860, Parent PID: 6464COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	45

Executed Functions

Function 00415391 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00415390,?,?,?,?,?,00416442), ref: 004153B3
TerminateProcess.KERNEL32(00000000,?,00415390,?,?,?,?,?,00416442), ref: 004153BA
ExitProcess.KERNEL32 ref: 004153CC

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 474f2a571a10c6b5d588eb5a9c8dd6d434d2b884cef2c402f38dbe37c319379d
Instruction ID: 8d724f3f6bdbb6cd1aace0564e3a3edcd45079e7585e9a666f0bf620fd200295
Opcode Fuzzy Hash: 474f2a571a10c6b5d588eb5a9c8dd6d434d2b884cef2c402f38dbe37c319379d
Instruction Fuzzy Hash: 09E04F3110064CEBCB212B14DC1D9DE3B79EB41381B940426F81586131CB79DDA2CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00413738 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00013744,0041323D), ref: 0041373D

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c53b040f3baeafeed60e3e242a263a20fc811e8b7f85cd414fb6c64221208805
Instruction ID: 3d7660946c4c6e2bdc9d981756c31ba6c20195c910a17caf48f3b8c8d5d9e59f
Opcode Fuzzy Hash: c53b040f3baeafeed60e3e242a263a20fc811e8b7f85cd414fb6c64221208805
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA1A Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0041DCA2

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: d9f21bb977954c2be618fe6ec3b10540a5bd52d2726cee83e5afc4b25d151230
Instruction ID: ffbfd817270d60441c671b66c245a9794294216d314ed78d7faa8a4a699b0c5a
Opcode Fuzzy Hash: d9f21bb977954c2be618fe6ec3b10540a5bd52d2726cee83e5afc4b25d151230
Instruction Fuzzy Hash: 98C114F0E042499FCF15DF99D880BEE7BB0AF49304F14406BE91597392D7789982CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420DC7 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00420A80: CreateFileW.KERNELBASE(00000000,00000000,?,00420E70,?,?,00000000,?,00420E70,00000000,0000000C), ref: 00420A9D

GetLastError.KERNEL32 ref: 00420EDB
__dosmaperr.LIBCMT ref: 00420EE2
GetFileType.KERNELBASE(00000000), ref: 00420EEE
GetLastError.KERNEL32 ref: 00420EF8
__dosmaperr.LIBCMT ref: 00420F01
CloseHandle.KERNEL32(00000000), ref: 00420F21
CloseHandle.KERNEL32(0041966E), ref: 0042106E
GetLastError.KERNEL32 ref: 004210A0
__dosmaperr.LIBCMT ref: 004210A7

Strings

H, xrefs: 0042102C

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c4315a732d6b7fe706bf0a0d1349a6886f3db0e4390b40a3245472f53330642a
Instruction ID: be23aed905b86ebc22c3ecb63a47e8efe377f7c6536bbcb0bf29fb7692a15e0d
Opcode Fuzzy Hash: c4315a732d6b7fe706bf0a0d1349a6886f3db0e4390b40a3245472f53330642a
Instruction Fuzzy Hash: DAA11731B041688FCF199F68E851BAE3BE1EF06324F55415EE811AB3A2C7398C52C759

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE92 Relevance: 4.7, APIs: 3, Instructions: 177
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B627: GetConsoleCP.KERNEL32(?,004053F0,00000000), ref: 0041B66F

WriteFile.KERNELBASE(?,00000000,00432C68,00000000,00000000,00000000,004053F0,004053F0,004053F0,00000000,00000000,?,00415695,00000000,00432C68,00000010), ref: 0041BFE3
GetLastError.KERNEL32(?,00415695,00000000,00432C68,00000010,004053F0), ref: 0041BFED
__dosmaperr.LIBCMT ref: 0041C032

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: ab91ca60a20c287c1c5583eb1fbb47b81ff406306d8cd16cd83830bac05feb8c
Instruction ID: 837f5d78f9c66f60a6617cd9a952ced962186645de2e284402b4c87a35847b3c
Opcode Fuzzy Hash: ab91ca60a20c287c1c5583eb1fbb47b81ff406306d8cd16cd83830bac05feb8c
Instruction Fuzzy Hash: 2351C27190021DAFDB11DFA5CC85BEFBBB9EF09354F040057E500A7292D778D9828BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00419924 Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,004053F0,?,00419852,004053F0,00432D88,0000000C,00419904,00432C68), ref: 0041997A
GetLastError.KERNEL32(?,00419852,004053F0,00432D88,0000000C,00419904,00432C68), ref: 00419984
__dosmaperr.LIBCMT ref: 004199AF

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 2b2aa1e17130052969f511920c8d9b7bd38c21e9ce4f40ccfeea4e6fafd09151
Instruction ID: 3b3cc6fbd97f1f066c9ae788ba2b2ff40a2ea36384badba486636077b6a2bee8
Opcode Fuzzy Hash: 2b2aa1e17130052969f511920c8d9b7bd38c21e9ce4f40ccfeea4e6fafd09151
Instruction Fuzzy Hash: 23010873A2511426D62512355966BFF6785CF82778F35025FE819873D2DB2C8CC1819C

Uniqueness

Uniqueness Score: -1.00%

Function 00412070 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00412124

Strings

('@(LC, xrefs: 00412078, 00412101, 0041210F, 00412107, 00412108

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: ('@(LC
API String ID: 118556049-932154026
Opcode ID: dc9db9bb420bdee41f92c9bf44a1c53fe508b83e3fcbf0e6ead61f894747a729
Instruction ID: 5c5ec89dc58a3479aab1855ff2d7760f90176578a1ca486e164a426be0d05f44
Opcode Fuzzy Hash: dc9db9bb420bdee41f92c9bf44a1c53fe508b83e3fcbf0e6ead61f894747a729
Instruction Fuzzy Hash: A42195B16003019FD724CF68DA41696BBE8EB58354B100B3FF646C7341E7B5E9A4C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00419CBA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,BdA,0041EB72,00000220,?,?,?,?,?,?,00416442,?), ref: 00419CEC

Strings

BdA, xrefs: 00419CBC

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: BdA
API String ID: 1279760036-2350210841
Opcode ID: 626224e02596ec48c51616d106d09d7cd8318e7088108fd05f982d030daeea05
Instruction ID: ff2956a3bc9961dac5ee94a6f3f333ab6ebcafba817254e414bd46a918bf4ef1
Opcode Fuzzy Hash: 626224e02596ec48c51616d106d09d7cd8318e7088108fd05f982d030daeea05
Instruction Fuzzy Hash: 78E0E53120062666D6312B269C11BDB7ADCAB413A0F050027EDA7D6280EF28DCC181EE

Uniqueness

Uniqueness Score: -1.00%

Function 004083DF Relevance: 3.3, APIs: 2, Instructions: 336
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 00408476
__fread_nolock.LIBCMT ref: 004086DB

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Sleep__fread_nolock
String ID:
API String ID: 1389363356-0
Opcode ID: d91231124354b2797783899a19add89c56ea3bcd6e5851c56ea5c52acc7c78a2
Instruction ID: 70acacbd639602245d695e8ab80f0b01b2f2712202afba2cf85586245fc89fbd
Opcode Fuzzy Hash: d91231124354b2797783899a19add89c56ea3bcd6e5851c56ea5c52acc7c78a2
Instruction Fuzzy Hash: D2B12971500104ABDF04EF28CE85BDE3B26AF85318F64427EF884672C6EB3DD9818799

Uniqueness

Uniqueness Score: -1.00%

Function 00409653 Relevance: 3.1, APIs: 2, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00409665
GetFileAttributesA.KERNELBASE(?), ref: 00409677

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 662882f61f34b18d666c8e192741379bd13ed4f13d8afa8fc71995a5b247f63b
Instruction ID: a460e110d0d0f5933110fcf23fd218f5a86b906106e467dd14a658ccb6e12c38
Opcode Fuzzy Hash: 662882f61f34b18d666c8e192741379bd13ed4f13d8afa8fc71995a5b247f63b
Instruction Fuzzy Hash: 1E41E772A101089BDB04EEA8CDC67DDBB36AF45314F64062AE950B32C3D7399E918695

Uniqueness

Uniqueness Score: -1.00%

Function 004183D1 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00418419

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 26a708c288b1dc58b1e15fcdb883a68f93b991a53d3ebeebe72b5f4a05ba0b24
Instruction ID: dfa9702255f62cb3cb4353a614b8a5ed4725a8f8debe2adf5da11e4d656e509c
Opcode Fuzzy Hash: 26a708c288b1dc58b1e15fcdb883a68f93b991a53d3ebeebe72b5f4a05ba0b24
Instruction Fuzzy Hash: B5E0E532601811429231263B7C412EB5581AB81339F25033FF930C61D2EF7C48C740AE

Uniqueness

Uniqueness Score: -1.00%

Function 004123E0 Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00412501

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: af88cf782901df2c34e789cdfa042f728209936e147ff6aacf966c95e95add57
Instruction ID: 193c8c39d0e3e439ae626e2fd71d918cedb3ce1c8bb6da3de5f7e74544803e66
Opcode Fuzzy Hash: af88cf782901df2c34e789cdfa042f728209936e147ff6aacf966c95e95add57
Instruction Fuzzy Hash: 223139717003045BD724DE69DA84A9EB799EF85320B20432FF865C7392D6BCDDE08759

Uniqueness

Uniqueness Score: -1.00%

Function 0041962F Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00419669

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 39e51a9ae018aa96119cc8505797bbbfd6c23de372fe853808090607bbf11af8
Instruction ID: 7e5d8822000000ebba8045cea2736b59b79b9537bdc47353c1db78e732dc8f0f
Opcode Fuzzy Hash: 39e51a9ae018aa96119cc8505797bbbfd6c23de372fe853808090607bbf11af8
Instruction Fuzzy Hash: 53111871A0420AAFCB06DF59E9419DB7BF5EF48304F05406AF809AB351DA31ED11CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004155CB Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a904d00dda0d57bc17b92292b31e8e771987b195a79d7391280212123336c54
Instruction ID: 2777bc52c9a3c9182af6afd380e36f399095c82ca25c3784a46c28e84db93237
Opcode Fuzzy Hash: 0a904d00dda0d57bc17b92292b31e8e771987b195a79d7391280212123336c54
Instruction Fuzzy Hash: FEF0F932511A1496C6213A2A9C057DB73A89F9233CF54031FF879831C1DA7CDC8385DE

Uniqueness

Uniqueness Score: -1.00%

Function 00420D39 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00420D9C

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e43daa36d4e3b98fe9eaad37845bd71be2617df6f7e058b73db5456717152701
Instruction ID: d1fd3b94597a674e525cf6cba51770ef81cfb4d80bef7a8c46861990a5d999cc
Opcode Fuzzy Hash: e43daa36d4e3b98fe9eaad37845bd71be2617df6f7e058b73db5456717152701
Instruction Fuzzy Hash: C8017172D11119EFCF01AFE9DC019EE7FF5AF08300F544166F914E2192E6358A619B94

Uniqueness

Uniqueness Score: -1.00%

Function 00420A80 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00420E70,?,?,00000000,?,00420E70,00000000,0000000C), ref: 00420A9D

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a6ad2ea90029b4c2e15957a97bae2e606db04cb1e580b5057d6e7233006ae40
Instruction ID: df6ee74224201c279f888e790554f52de9bf06fc31efb5333251f0d5694bd2f3
Opcode Fuzzy Hash: 9a6ad2ea90029b4c2e15957a97bae2e606db04cb1e580b5057d6e7233006ae40
Instruction Fuzzy Hash: F1D06C3210010DBFDF128F84DD06EDA3FAAFB48754F014110BE1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402150 Relevance: 53.4, APIs: 28, Strings: 2, Instructions: 931registrywindowfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023C1
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023E9
RegCloseKey.ADVAPI32(?,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023F2
RegOpenKeyExA.ADVAPI32(80000001,00000001,00000000,000F003F,?), ref: 004024D9
RegSetValueExA.ADVAPI32(80000001,?,00000000,00000001,?,?), ref: 00402507
RegCloseKey.ADVAPI32(80000001), ref: 00402510
GdiplusStartup.GDIPLUS(?,?,00000000,?,?,?), ref: 0040261B
GetDC.USER32(00000000), ref: 00402702
RegGetValueA.ADVAPI32(80000002,?,00000000,00000018,00000000,?,00000004), ref: 00402934
GetSystemMetrics.USER32 ref: 00402977
GetSystemMetrics.USER32 ref: 00402984
RegGetValueA.ADVAPI32(80000002,?,00000000,00000018,00000000,?,00000004), ref: 004029C9
GetSystemMetrics.USER32 ref: 00402A06
GetSystemMetrics.USER32 ref: 00402A13
CreateCompatibleDC.GDI32(?), ref: 00402A1C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00402A2E
SelectObject.GDI32(00000000,00000000), ref: 00402A3B
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00402A5B
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,00000010), ref: 00402A6F
GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 00402A8B
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00402AB2
GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000), ref: 00402B3D
SelectObject.GDI32(00000000,?), ref: 00402B47
DeleteObject.GDI32(00000000), ref: 00402B54
DeleteObject.GDI32(?), ref: 00402B59
ReleaseDC.USER32 ref: 00402B60
GdipDisposeImage.GDIPLUS(00000000), ref: 00402B67
GdiplusShutdown.GDIPLUS(?), ref: 00402BEC

Strings

Prs, xrefs: 00402B3D
image/jpeg, xrefs: 00402AC4

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Gdip$ImageMetricsObjectSystemValue$Create$BitmapCloseCompatibleDeleteEncodersGdiplusOpenSelect$DisposeFileFromQueryReleaseSaveShutdownSizeStartup
String ID: Prs$image/jpeg
API String ID: 406439762-2992610449
Opcode ID: 19ee512250bed51e07828aa2531da8e91322f6523af8443702470ec29476a01c
Instruction ID: 2a3af97711393903ce044b0639feea91c60cc8dde71b0b5cd7786460444d51c8
Opcode Fuzzy Hash: 19ee512250bed51e07828aa2531da8e91322f6523af8443702470ec29476a01c
Instruction Fuzzy Hash: 58623931A002049BDF18DF64CE89BEDBB76EF45304F10816DF805A72C5DBB99A85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403170 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 155injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000000,00000000), ref: 0040318C
CreateProcessA.KERNEL32 ref: 004031E5
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,00000000,00000000), ref: 004031FE
GetThreadContext.KERNEL32(?,00000000,?,00000000,00000000), ref: 00403213
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,00000000), ref: 00403236
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000000,00000000), ref: 0040324E
GetProcAddress.KERNEL32(00000000), ref: 00403255
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,00000000,00000000), ref: 00403274
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000), ref: 0040328F
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,00000000,00000000), ref: 004032CC
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000,?,00000000,00000000), ref: 004032FC
SetThreadContext.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00403312
ResumeThread.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 0040331B
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00000000), ref: 00403329
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000), ref: 00403340

Strings

ntdll.dll, xrefs: 00403249
NtUnmapViewOfSection, xrefs: 00403244

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1050664331
Opcode ID: 4a7e2e10a36cbe9272a2b1ae168a4c735c7f49e990834c585849c5ec26639a6e
Instruction ID: 4c7df23a3b05df76bd13a845669199dc5cdec4b584c30c15e13326d4a179f2db
Opcode Fuzzy Hash: 4a7e2e10a36cbe9272a2b1ae168a4c735c7f49e990834c585849c5ec26639a6e
Instruction Fuzzy Hash: 60518D71A40305BBDB218FA4DC85FEABB78FF08705F504025FA14EA2D0D775A955CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402C50 Relevance: 27.2, APIs: 18, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00402C7A
GetProcessHeap.KERNEL32(00000008,?), ref: 00402C8F
HeapAlloc.KERNEL32(00000000), ref: 00402C92
GetUserNameW.ADVAPI32(00000000,?), ref: 00402CA0
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00402CC3
GetProcessHeap.KERNEL32(00000008,?), ref: 00402CCE
HeapAlloc.KERNEL32(00000000), ref: 00402CD1
GetProcessHeap.KERNEL32(00000008,?), ref: 00402CE1
HeapAlloc.KERNEL32(00000000), ref: 00402CE4
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00402D0E
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00402D21
GetProcessHeap.KERNEL32(00000000,?), ref: 00402E15
HeapFree.KERNEL32(00000000), ref: 00402E1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402E23
HeapFree.KERNEL32(00000000), ref: 00402E26
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402E2D
HeapFree.KERNEL32(00000000), ref: 00402E30
LocalFree.KERNEL32(00000000), ref: 00402E35

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 9bd27069bc94fc7f623474d1292228c9bbd8ae4ceab2626324286f747fefc4a4
Instruction ID: 17767c5e5f715745eb2a19f504d123cee3413f9eecb9746004963696690f799e
Opcode Fuzzy Hash: 9bd27069bc94fc7f623474d1292228c9bbd8ae4ceab2626324286f747fefc4a4
Instruction Fuzzy Hash: 5B518171A00219AFDB25DFA5DD88BEFBB78EF44304F10416AE905B3281DB749E45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407090 Relevance: 16.8, APIs: 11, Instructions: 303synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000000,?), ref: 004070F1
GetLastError.KERNEL32(?,00000000), ref: 004070F7

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: da75998b48bef68aa6f10fa19f126239f70301ff3929f7b23bf9581e2c0ab3b8
Instruction ID: bff0f4d6569e0080ddd45063cb45d7612aa7ea86238099fb1b50d538531b7cf2
Opcode Fuzzy Hash: da75998b48bef68aa6f10fa19f126239f70301ff3929f7b23bf9581e2c0ab3b8
Instruction Fuzzy Hash: 3FA1D431A00208ABEB14DF64CC85BEE7B79EF45301F60416AF915A72D1D738EA81CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00421B1C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0042F678), ref: 00421B86
_free.LIBCMT ref: 00421B74

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 00421D40

Strings

hD`C, xrefs: 00421BF5

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: hD`C
API String ID: 2155170405-577592929
Opcode ID: 3195bc4e450a37b945fe6452d03102a9d4f29776c86756da530a540f3941e176
Instruction ID: d6623314087da33e64dc71423d0df748729e4de3c472c07ebb51a3c498b6291a
Opcode Fuzzy Hash: 3195bc4e450a37b945fe6452d03102a9d4f29776c86756da530a540f3941e176
Instruction Fuzzy Hash: 3C518E71A00229FBC714DF76EC819AE77B8EF54314F51016BE411D32A1E7389E418B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405230 Relevance: 6.1, APIs: 4, Instructions: 146libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00405286
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004052E5
GetProcAddress.KERNEL32(00000000), ref: 004052EC

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: d729cdea66af5482507bd6f854985f2093866732d81e239c58fee3b4fef9a107
Instruction ID: a9a4a664c9939211a76a92ae827ec43f77a99291f24eb1d3be409b64d8ed4571
Opcode Fuzzy Hash: d729cdea66af5482507bd6f854985f2093866732d81e239c58fee3b4fef9a107
Instruction Fuzzy Hash: A5414970D102089BDB24ABA8DD4A7DEBB75EF45314F4042BEEC00A73C1EB7959908BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1D0 Relevance: 5.1, APIs: 3, Instructions: 627COMMON

Download Yara Rule

APIs

Part of subcall function 00404B50: GetVersionExW.KERNEL32(0000011C,?,?,?), ref: 00404BA7

Part of subcall function 00405230: GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00405286

IsUserAnAdmin.SHELL32 ref: 0040F200

Part of subcall function 00402150: RegOpenKeyExA.ADVAPI32(?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023C1
Part of subcall function 00402150: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023E9
Part of subcall function 00402150: RegCloseKey.ADVAPI32(?,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023F2

GetUserNameW.ADVAPI32(?,?), ref: 0040F283

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: UserVersion$AdminCloseNameOpenQueryValue
String ID:
API String ID: 3568742309-0
Opcode ID: 998303f96477fce33a8b3c0a14a2d66a23358c958f99370110efa349fb1dc493
Instruction ID: 318857904b6ae6531e0aee8ebb6e6f46d784888546baca5de6a41ed6081915d8
Opcode Fuzzy Hash: 998303f96477fce33a8b3c0a14a2d66a23358c958f99370110efa349fb1dc493
Instruction Fuzzy Hash: 5E52C670E002188BEF24EB64C9997DEBB72AB45308F5041EAD409673C6DB795BC8CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00417C96 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00417D8E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00417D98
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417DA5

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7bb259621451575564cc74585fdf1fd9faebc5539d4cdaaece710669a9e8dcba
Instruction ID: ef4b843b8be3794603e6b46099549393e308f4ae5a5ba1698a6167967c884788
Opcode Fuzzy Hash: 7bb259621451575564cc74585fdf1fd9faebc5539d4cdaaece710669a9e8dcba
Instruction Fuzzy Hash: 5131B1B59013289BCB61DF65D8897D9BBB8BF08314F5041EAE41CA6290E7749FC58F48

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCFB Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041FD3F

Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F8F5
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F907
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F919
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F92B
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F93D
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F94F
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F961
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F973
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F985
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F997
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F9A9
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F9BB
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F9CD

_free.LIBCMT ref: 0041FD34

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 0041FD56
_free.LIBCMT ref: 0041FD6B
_free.LIBCMT ref: 0041FD76
_free.LIBCMT ref: 0041FD98
_free.LIBCMT ref: 0041FDAB
_free.LIBCMT ref: 0041FDB9
_free.LIBCMT ref: 0041FDC4
_free.LIBCMT ref: 0041FDFC
_free.LIBCMT ref: 0041FE03
_free.LIBCMT ref: 0041FE20
_free.LIBCMT ref: 0041FE38

Strings

HC, xrefs: 0041FD11

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: HC
API String ID: 161543041-276384469
Opcode ID: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction ID: 6c2b2f9c1423f634d5d2e4989a3abe10d3c742480dff3217673163432e99a0de
Opcode Fuzzy Hash: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction Fuzzy Hash: 38314F71600705DFDB24AE79E885BE773E4BF00354F24452FE456D6AA1DB38ACC58B18

Uniqueness

Uniqueness Score: -1.00%

Function 00403350 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00431DD0,00000000,00000000,00000000,00000000), ref: 00403402
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00403414
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00403427
InternetCloseHandle.WININET(00000000), ref: 00403438
InternetCloseHandle.WININET(00000000), ref: 0040343B
InternetCloseHandle.WININET(00000000), ref: 00403449
InternetCloseHandle.WININET(00000000), ref: 0040344C

Strings

<, xrefs: 00403609
@, xrefs: 00403611

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID: <$@
API String ID: 4294395943-1426351568
Opcode ID: 4fc6b67835ba28b26639925ba14c28df3d3cba1dd228b0d3c93132eb0a0182fc
Instruction ID: ed163326af9c022367dd3e1651a98257ffa9eaaeba18fa9e00627612e580516b
Opcode Fuzzy Hash: 4fc6b67835ba28b26639925ba14c28df3d3cba1dd228b0d3c93132eb0a0182fc
Instruction Fuzzy Hash: 6341E831A10218ABDF14DF64CC85BDE7F79EF45705F20456AE401BB291D7789B418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00419FAA Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00419FC0

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 00419FCC
_free.LIBCMT ref: 00419FD7
_free.LIBCMT ref: 00419FE2
_free.LIBCMT ref: 00419FED
_free.LIBCMT ref: 00419FF8
_free.LIBCMT ref: 0041A003
_free.LIBCMT ref: 0041A00E
_free.LIBCMT ref: 0041A019
_free.LIBCMT ref: 0041A027

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction ID: eb77e46a4e6e9bfa31741363ca0696c06c00237a0d049092c268abeb54ba950f
Opcode Fuzzy Hash: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction Fuzzy Hash: EE21D67A91010CEFCB05EF95D891CDE7BB8BF08344B1481ABF9159B561EB35EA84CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004116B0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 421threadsleepCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00411B4A
CreateThread.KERNEL32 ref: 00411B5B
CreateThread.KERNEL32 ref: 00411B6C
CreateThread.KERNEL32 ref: 00411B7D
CreateThread.KERNEL32 ref: 00411B8E
Sleep.KERNEL32(00007530), ref: 00411BA0

Strings

pLC, xrefs: 00411743
LC, xrefs: 004119DC

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CreateThread$Sleep
String ID: pLC$LC
API String ID: 422425972-273439679
Opcode ID: 3a5bcc925e63895b1eb0ef7852e9336d0b8c88f2c64ee9819c3897e392084fe9
Instruction ID: 350e014705d43886901086a9a193a86acfdf06e92fd3e787c2a6e0ca18519df9
Opcode Fuzzy Hash: 3a5bcc925e63895b1eb0ef7852e9336d0b8c88f2c64ee9819c3897e392084fe9
Instruction Fuzzy Hash: CDD17C71F0010457EB18AB78DD86BDD7E239B82304F24821EE515AB3E6E77DA9C1878D

Uniqueness

Uniqueness Score: -1.00%

Function 00413C10 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00413C47
___except_validate_context_record.LIBVCRUNTIME ref: 00413C4F
_ValidateLocalCookies.LIBCMT ref: 00413CD8
__IsNonwritableInCurrentImage.LIBCMT ref: 00413D03
_ValidateLocalCookies.LIBCMT ref: 00413D58

Strings

csm, xrefs: 00413D81
csm, xrefs: 00413CED
n=A, xrefs: 00413CF5, 00413CFE, 00413D0F

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$csm$n=A
API String ID: 1170836740-3964275029
Opcode ID: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction ID: 366ffd5bc8328fd225cb54282e3971eabccdecd0aec22de41ca3de98d75bbf3b
Opcode Fuzzy Hash: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction Fuzzy Hash: 5051E634A002049FCF14DF69D881ADEBBB5EF44315F14809AE8145B352D739EB85CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00407FCB Relevance: 13.8, APIs: 9, Instructions: 334networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00431DD0,00000000,00000000,00000000,00000000), ref: 00407FF9
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00408018
HttpOpenRequestA.WININET(?,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00408062
HttpSendRequestA.WININET(?,?,?), ref: 00408109
InternetReadFile.WININET(?,?,000003FF,?), ref: 00408194
InternetReadFile.WININET(?,00000000,000003FF,?), ref: 0040820F
InternetCloseHandle.WININET(?), ref: 0040822D
InternetCloseHandle.WININET(?), ref: 00408232
InternetCloseHandle.WININET(?), ref: 00408237

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID:
API String ID: 1354133546-0
Opcode ID: 917e8b97e6fe85bf0a61f26bb5eff9ccc78060ff8062f834c28bb8283b0febe2
Instruction ID: 1032ec06e87d047a037b850dfe6119b4517cf87dd94c94d89d19c561b5359505
Opcode Fuzzy Hash: 917e8b97e6fe85bf0a61f26bb5eff9ccc78060ff8062f834c28bb8283b0febe2
Instruction Fuzzy Hash: 13C1E571A00108ABDB18DF68CE85BDE7B75EF85300F50416EF855A72D1DB399A81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041A37C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

BdA, xrefs: 0041A37E
api-ms-, xrefs: 0041A3D3
ext-ms-, xrefs: 0041A3E7

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: BdA$api-ms-$ext-ms-
API String ID: 0-3789593998
Opcode ID: 9df3d8af041b0fb0acc834ca29a1e5c71ca3f6008ef4501e141ea45a13f3b2e7
Instruction ID: a2fdcb114578986d5a87fa8071611b4d04316f5a6d5118550219b0692082a5b6
Opcode Fuzzy Hash: 9df3d8af041b0fb0acc834ca29a1e5c71ca3f6008ef4501e141ea45a13f3b2e7
Instruction Fuzzy Hash: AF212B31B02220ABCB314B24AD48BEF77589F017A4F254523ED16A7391D7B8ED61C5EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041F113 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0041F13D
_free.LIBCMT ref: 0041F216
_free.LIBCMT ref: 0041F243

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: ca01659455fb508c4bd91c1f995e9741b331cd2c3fa6758ffe16814a1a5f40ac
Instruction ID: 5314e4bc209a5114b902aa4e83cc3325d2b27779deee313c7bfda8026c4263c3
Opcode Fuzzy Hash: ca01659455fb508c4bd91c1f995e9741b331cd2c3fa6758ffe16814a1a5f40ac
Instruction Fuzzy Hash: FA51F9B1904209AFDB20EFB59891AEEB7A4AF01314F14417FED2097281DB3D998BC65D

Uniqueness

Uniqueness Score: -1.00%

Function 00415B13 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00415A45), ref: 00415B35
GetFileInformationByHandle.KERNEL32(?,?), ref: 00415B8F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00415A45,?,000000FF,00000000,00000000), ref: 00415C1D
__dosmaperr.LIBCMT ref: 00415C24
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00415C61

Part of subcall function 00415E89: __dosmaperr.LIBCMT ref: 00415EBE

Strings

EZA, xrefs: 00415B2D

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID: EZA
API String ID: 1206951868-3365884641
Opcode ID: cb71046afd0d09b288bb7a465b8dd8535858774d9283fa50bbf20633f1fcd82f
Instruction ID: d9140bdf70c9869e0d47a8e5bcf42d726cde482423235d4808ab002a302bcd39
Opcode Fuzzy Hash: cb71046afd0d09b288bb7a465b8dd8535858774d9283fa50bbf20633f1fcd82f
Instruction Fuzzy Hash: 3A412C75900B04EFDB249FA6DC459EFBBF9EF88304B10452EE956D3610E7389981CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415DDB Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00415E1D

Strings

.com, xrefs: 00415E5D
PZA, xrefs: 00415DEA, 00415DF1, 00415E1C
.cmd, xrefs: 00415E3B
.bat, xrefs: 00415E4C
.exe, xrefs: 00415E2A

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe$PZA
API String ID: 1752292252-2765917712
Opcode ID: edcb7d1334c83e997cfdc33898eaa9ea829e5d0e002e30df8c59506e4174cc1b
Instruction ID: ec0f78f46ee6c46e55da1054bc3dcd7be93c0cf6397bb9fd9222bbbae0651466
Opcode Fuzzy Hash: edcb7d1334c83e997cfdc33898eaa9ea829e5d0e002e30df8c59506e4174cc1b
Instruction Fuzzy Hash: 7301C837B04F26665A14512A6D827EB13998BD1BB472A002FF854E73C1EE4CDE8141DD

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA77 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FA3F: _free.LIBCMT ref: 0041FA64

_free.LIBCMT ref: 0041FAC5

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 0041FAD0
_free.LIBCMT ref: 0041FADB
_free.LIBCMT ref: 0041FB2F
_free.LIBCMT ref: 0041FB3A
_free.LIBCMT ref: 0041FB45
_free.LIBCMT ref: 0041FB50

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction ID: b04470a26f13dcdf8409fc22173c18865a52ae34292e03d547bb1a44c51b1af0
Opcode Fuzzy Hash: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction Fuzzy Hash: 59116D31550B04EBD924BBB2CD47FCB77DCAF00744F44082FB2AD66492EA2CB98B4654

Uniqueness

Uniqueness Score: -1.00%

Function 0041B627 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,004053F0,00000000), ref: 0041B66F
__fassign.LIBCMT ref: 0041B84E
__fassign.LIBCMT ref: 0041B86B
WriteFile.KERNEL32(?,004053F0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B8B3
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0041B8F3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B99F

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: c82d8b84b24162b4166c50d1c6a0f8f4e1d104b348a4661558084caf8f76d6d6
Instruction ID: 1c8d79e4dc3511047e6628dbd079361964fbf8000fd0a02ffa1a1f8c65647122
Opcode Fuzzy Hash: c82d8b84b24162b4166c50d1c6a0f8f4e1d104b348a4661558084caf8f76d6d6
Instruction Fuzzy Hash: 02D1BEB5D002589FCF15CFA8C8809EDBBB5FF48314F28406AE955BB341D734A982CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414014 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0041400B,00413E79,00413788), ref: 00414022
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00414030
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00414049
SetLastError.KERNEL32(00000000,0041400B,00413E79,00413788), ref: 0041409B

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction ID: 651763f92c7eaca7bf3c78848c5ca57a44c47bc0da8610db98857e4fd3240ead
Opcode Fuzzy Hash: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction Fuzzy Hash: 9D01B5326093115DE6282AB6BC857EB2B64EBC9376320033FF718541F1EF595C81518C

Uniqueness

Uniqueness Score: -1.00%

Function 004037F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127threadsleepinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 004123E0: Concurrency::cancel_current_task.LIBCPMT ref: 00412501

CreateThread.KERNEL32 ref: 00403856
Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,?), ref: 00403863
SuspendThread.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040386A

Strings

IC, xrefs: 00403835
runas, xrefs: 004039AF

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Thread$Concurrency::cancel_current_taskCreateSleepSuspend
String ID: runas$IC
API String ID: 1039963361-4169786464
Opcode ID: d816b2fac8493bef7e983df8ea9bca1b7715045683a2aa19fd470b49bed40a9c
Instruction ID: c98d8b3c52aec822b90c3aff4e966c135d8648390da3e20006d0081df6a0283a
Opcode Fuzzy Hash: d816b2fac8493bef7e983df8ea9bca1b7715045683a2aa19fd470b49bed40a9c
Instruction Fuzzy Hash: 5C41C071210148ABEF18DF28CD85BCD3F6AAF85346F90812AF855972D5C77DD6C08B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E668 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 0041E66D

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
API String ID: 0-448403072
Opcode ID: 57d106498db7899f3aa41c76d77319a9238ae015fec6294a597a1f848f499a36
Instruction ID: f9aceea7537a5da28f8af463aa3b3036826302d02d300322d48023da3746b8b8
Opcode Fuzzy Hash: 57d106498db7899f3aa41c76d77319a9238ae015fec6294a597a1f848f499a36
Instruction Fuzzy Hash: F621C87560010ABFEB20AF638C80DEB776CEF503A8751451AFD25D7281EB38EC919769

Uniqueness

Uniqueness Score: -1.00%

Function 00414324 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00414374

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: c8935d85e1b31c46e1a1174e1707af6fd839fca0fb0ccfeeb0e85a842d495f94
Instruction ID: ed88c8b2834a223bdf14af572603c0d18472ff94cd2ee3cbde75d3667026c296
Opcode Fuzzy Hash: c8935d85e1b31c46e1a1174e1707af6fd839fca0fb0ccfeeb0e85a842d495f94
Instruction Fuzzy Hash: 1A110B31B01629ABC7314B64DC407DF3768DF857A0B250122ED25E7390D738ED8185DC

Uniqueness

Uniqueness Score: -1.00%

Function 004153D3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004153C8,?,?,00415390,?,?,?), ref: 004153E8
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004153FB
FreeLibrary.KERNEL32(00000000,?,?,004153C8,?,?,00415390,?,?,?), ref: 0041541E

Strings

CorExitProcess, xrefs: 004153F3
mscoree.dll, xrefs: 004153E1

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a9535ac66a763b308a31d4138c8bb1f9763dc39b12a82d4f91f4d3e5fd0fedcd
Instruction ID: 23f74303fc49eebe3cd52a59286832f74df74654cc3a6b5ebb9ff97ddc71e371
Opcode Fuzzy Hash: a9535ac66a763b308a31d4138c8bb1f9763dc39b12a82d4f91f4d3e5fd0fedcd
Instruction Fuzzy Hash: 4AF08230700629FBDB219B50ED0EBDEBB74EB44756F544075E400E1160CB788E41DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00411240 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 231sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00412070: Concurrency::cancel_current_task.LIBCPMT ref: 00412124

Part of subcall function 00402150: RegOpenKeyExA.ADVAPI32(?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023C1
Part of subcall function 00402150: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023E9
Part of subcall function 00402150: RegCloseKey.ADVAPI32(?,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023F2

Part of subcall function 00402150: RegOpenKeyExA.ADVAPI32(80000001,00000001,00000000,000F003F,?), ref: 004024D9
Part of subcall function 00402150: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000001,?,?), ref: 00402507
Part of subcall function 00402150: RegCloseKey.ADVAPI32(80000001), ref: 00402510

Part of subcall function 004058C0: GetTempPathW.KERNEL32(00000104,?,?,?,?), ref: 004059EF

Part of subcall function 00402150: GdiplusStartup.GDIPLUS(?,?,00000000,?,?,?), ref: 0040261B
Part of subcall function 00402150: GetDC.USER32(00000000), ref: 00402702

Part of subcall function 00402150: RegGetValueA.ADVAPI32(80000002,?,00000000,00000018,00000000,?,00000004), ref: 00402934
Part of subcall function 00402150: GetSystemMetrics.USER32 ref: 00402977
Part of subcall function 00402150: GetSystemMetrics.USER32 ref: 00402984

Sleep.KERNEL32(0000EA60), ref: 00411511
Sleep.KERNEL32(0000EA60), ref: 00411573

Strings

LC, xrefs: 00411398
LC, xrefs: 004113EF
LC, xrefs: 00411342

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Value$CloseMetricsOpenSleepSystem$Concurrency::cancel_current_taskGdiplusPathQueryStartupTemp
String ID: LC$LC$LC
API String ID: 831712969-2682578208
Opcode ID: 29f1a96bda5647c2a7f8ec4644e9e6490b7d8f5e87eea835b8e4ec8f886c3a58
Instruction ID: e9469f0f1e0da6fe2dc0e8ea04e20df7b24d509912d80d10ffce1298b6795629
Opcode Fuzzy Hash: 29f1a96bda5647c2a7f8ec4644e9e6490b7d8f5e87eea835b8e4ec8f886c3a58
Instruction Fuzzy Hash: 0371297170030067C514F776CE47ADE7A56ABC9344F400A2EF986472D2EEBCA69486EF

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9D6 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041F9EE

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 0041FA00
_free.LIBCMT ref: 0041FA12
_free.LIBCMT ref: 0041FA24
_free.LIBCMT ref: 0041FA36

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction ID: 55d8c1c312ccc6df442b1b98d7c33def846be27a355c33498b5175c58c7c1ddd
Opcode Fuzzy Hash: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction Fuzzy Hash: 1CF03C32514240AB8628FB59F9C5CD677D9BE44754768082BF018D7E41CB2CFCC24A6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0A3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E23D

Strings

*?, xrefs: 0041E0E6

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction ID: 5e425355c12d974568bb548033aa60d16b1c26af46b0fccae62f2204a7509920
Opcode Fuzzy Hash: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction Fuzzy Hash: 3E614275D00219AFCB14CFA9C8815EEFBF5FF48714B2441AAE815E7340D6759E818B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041A815 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32("YA,?,00415922,?,?,?,761B6490), ref: 0041A81D
GetLastError.KERNEL32(?,00415922,?,?,?,761B6490), ref: 0041A827
__dosmaperr.LIBCMT ref: 0041A82E

Strings

"YA, xrefs: 0041A81A

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID: "YA
API String ID: 1545401867-2922044551
Opcode ID: 30fdd2c409c4bad255c4f159128a497a02e132b4c39620862fbdc9ada95b35ad
Instruction ID: 8e075638032bcf6d74262af286868be27c0c82466ee7119c10b6ee37084d7c44
Opcode Fuzzy Hash: 30fdd2c409c4bad255c4f159128a497a02e132b4c39620862fbdc9ada95b35ad
Instruction Fuzzy Hash: 4DD01232205108678F102FF7BC0886B3B5CDF813B53540626F53CC51A1DF39C8A29599

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9DA Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0041CA61

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction ID: 9620395ee9e12497a63a361969e3660bae85d4d778e8df5e26e7870268c703a9
Opcode Fuzzy Hash: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction Fuzzy Hash: 29B11232A442559FDB11CF68CCC27EEBBA5EF45340F1440ABE855DB341E2389D82CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042482E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004248FE
_free.LIBCMT ref: 00424927
SetEndOfFile.KERNEL32(00000000,00420D15,00000000,0041966E,?,?,?,?,?,?,?,00420D15,0041966E,00000000), ref: 00424959
GetLastError.KERNEL32(?,?,?,?,?,?,?,00420D15,0041966E,00000000,?,?,?,?,00000000), ref: 00424975

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 0d2d9d757cf6aed2bdd106ecb705ab1b764b673a3646ffda88b220e1af19787a
Instruction ID: 0f261516778d2096c749c3491e82d0972e6ef1b7a1d3217b1bc2d7bd17767fe9
Opcode Fuzzy Hash: 0d2d9d757cf6aed2bdd106ecb705ab1b764b673a3646ffda88b220e1af19787a
Instruction Fuzzy Hash: FF4109B27002649ADB11ABB9DC02B9F77B5EF84364F65011BF924E7291E77CC8808728

Uniqueness

Uniqueness Score: -1.00%

Function 0041DFD4 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00415857: _free.LIBCMT ref: 00415865

Part of subcall function 0041EFAB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,004243A0,?,00000000,00000000), ref: 0041F04D

GetLastError.KERNEL32 ref: 0041E03C
__dosmaperr.LIBCMT ref: 0041E043
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041E082
__dosmaperr.LIBCMT ref: 0041E089

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: ac9a91d088df7ad3c6297044535d68f775ea6ecc37c2bc8585d32e8d52ebe420
Instruction ID: bad5de3afdbab7419ed868d74ac9601967bcef00b3555543ad58ec50f7c269c1
Opcode Fuzzy Hash: ac9a91d088df7ad3c6297044535d68f775ea6ecc37c2bc8585d32e8d52ebe420
Instruction Fuzzy Hash: FD21F975600219AF9B206F638C809EBBBADEF48368700451EFE2987241DB78DCC19764

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0C2 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004157D5,?,?,?,?,00416442,?), ref: 0041A0C7
_free.LIBCMT ref: 0041A124
_free.LIBCMT ref: 0041A15A
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,004157D5,?,?,?,?,00416442,?), ref: 0041A165

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 1229307545459ea8145b8442967844ccb04685c5202c0af5c1f8958671a179fa
Instruction ID: d3c397e29b4898678e00c072fdae1153a4e8fcaebafeee38e52bad19040b405a
Opcode Fuzzy Hash: 1229307545459ea8145b8442967844ccb04685c5202c0af5c1f8958671a179fa
Instruction Fuzzy Hash: B011E732302201AA96102AB55CC59EB255A9BC5378F2A413BF228962D1FE6D8CE7412E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A219 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004163DC,004197F7,?,?,004188F1), ref: 0041A21E
_free.LIBCMT ref: 0041A27B
_free.LIBCMT ref: 0041A2B1
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,004163DC,004197F7,?,?,004188F1), ref: 0041A2BC

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b0e27a0edda7edbf14f0382f119cbe8d66f6f371dfed80e8716c648d85c20c1b
Instruction ID: 63a088f93977ff4232b5ee2fa60897efe122cd2ca353554d96c00f597a248294
Opcode Fuzzy Hash: b0e27a0edda7edbf14f0382f119cbe8d66f6f371dfed80e8716c648d85c20c1b
Instruction Fuzzy Hash: 1A11E9323025016AD6112675ACC19EB215A9FC1378B2A017BF238863D1FF3E9CF7412E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A975 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041AA71,00000000,?,00421360,00000000,00000000,0041AA71,?,?,00000000,00000000,00000001), ref: 0041A98B
GetLastError.KERNEL32(?,00421360,00000000,00000000,0041AA71,?,?,00000000,00000000,00000001,00000000,00000000,?,0041AA71,00000000,00000104), ref: 0041A995
__dosmaperr.LIBCMT ref: 0041A99C

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: b30198ee55c8f58e1c523fe8a5f3f81ee2b3d097f0754e1d9721cecd51747ce4
Instruction ID: 67408b9c56af1e9e3b55c33259d7aed4586a1093df18e063c47774dc333a864d
Opcode Fuzzy Hash: b30198ee55c8f58e1c523fe8a5f3f81ee2b3d097f0754e1d9721cecd51747ce4
Instruction Fuzzy Hash: 7EF06D72201115BBCB211BA2DC08D9BBFA9EF443A03168926B91CC6520CB39E8F1D7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A90C Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041AA71,00000000,?,004213D5,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041A922
GetLastError.KERNEL32(?,004213D5,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041AA71,00000000,00000104,?), ref: 0041A92C
__dosmaperr.LIBCMT ref: 0041A933

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 4e3ef60bf99aa9c8dc574cbeac2ebf4faaa1304fdc1414aef9f4919b6bb13d01
Instruction ID: 894c6f99f00fcf9e4f20ce7b33afa91ddcee0cc65c0a7edee271e323af5a41ba
Opcode Fuzzy Hash: 4e3ef60bf99aa9c8dc574cbeac2ebf4faaa1304fdc1414aef9f4919b6bb13d01
Instruction Fuzzy Hash: 12F08172201115BB8B211BA2DC08DABFFA9FF443A03464926F62DD6120DB35E8F1D7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00424D55 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(004053F0,00000000,00432C68,00000000,004053F0,?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0), ref: 00424D6C
GetLastError.KERNEL32(?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0,00000000,004053F0,?,0041BF50,004053F0), ref: 00424D78

Part of subcall function 00424D3E: CloseHandle.KERNEL32(FFFFFFFE,00424D88,?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0,00000000,004053F0), ref: 00424D4E

___initconout.LIBCMT ref: 00424D88

Part of subcall function 00424D00: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00424D2F,0042218C,004053F0,?,0041B9FC,00000000,?,004053F0,00000000), ref: 00424D13

WriteConsoleW.KERNEL32(004053F0,00000000,00432C68,00000000,?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0,00000000), ref: 00424D9D

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e6ed42e9dcef8d0bdb4e0254b1a8b2f08fb405fd5705a56b80d057d723c09720
Instruction ID: e72ba080592b69d8bdb2598ea6e3dbbb09e221423feeb610223fbcdc20f528a7
Opcode Fuzzy Hash: e6ed42e9dcef8d0bdb4e0254b1a8b2f08fb405fd5705a56b80d057d723c09720
Instruction Fuzzy Hash: C5F01C36210224BBCF221FA1FC04A8F7F26EF897A0B954025FA6885170D73699209B98

Uniqueness

Uniqueness Score: -1.00%

Function 00418A2F Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00418A38

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 00418A4B
_free.LIBCMT ref: 00418A5C
_free.LIBCMT ref: 00418A6D

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9acdbd920adba65c76876f41f827beacdfaebc5141fecd10a79f6dcd22e9f832
Instruction ID: cdee1fedf35c5adb3dbe72967fc13678c506c91b1062e63496eb77d44ff44c68
Opcode Fuzzy Hash: 9acdbd920adba65c76876f41f827beacdfaebc5141fecd10a79f6dcd22e9f832
Instruction Fuzzy Hash: 47E08C70820D60DB8B027F22BC8188D7EA5FF08714364202FF42002AB5C73918929F8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED49 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0041E8DE: GetOEMCP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E909

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,BdA,0041EB97,?,00000000,?,?,?,?,?,?,00416442), ref: 0041EDA7
GetCPInfo.KERNEL32(00000000,0041EB97,?,BdA,0041EB97,?,00000000,?,?,?,?,?,?,00416442,?), ref: 0041EDE9

Strings

BdA, xrefs: 0041ED4B

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: BdA
API String ID: 546120528-2350210841
Opcode ID: 549c5f8514ec9fdaaceff0aefc6bfcf3a7793426e157da9cd553846999f8db9f
Instruction ID: 74fb6c3509f3d8b7149d03fbfbd358b4cbcff78a11e884dee8f19f371720f225
Opcode Fuzzy Hash: 549c5f8514ec9fdaaceff0aefc6bfcf3a7793426e157da9cd553846999f8db9f
Instruction Fuzzy Hash: C7511378A003459EDB208F27C4416FBBBF5EF91304F14446FD89687291E778E986CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004034E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

<, xrefs: 00403609
@, xrefs: 00403611

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: e4da5fb10817215c6d34d4800e39e97c9494ef9a8a5f7ddec8679b0ac741b795
Instruction ID: c1d28ec82e107c9024910f62fb74406015039795ff1139e17df5437d1bf62e25
Opcode Fuzzy Hash: e4da5fb10817215c6d34d4800e39e97c9494ef9a8a5f7ddec8679b0ac741b795
Instruction Fuzzy Hash: 2E512171600304ABDB24DF38C94579E7FE6AF89304F50962EFC4597281D7B9DA848BCA

Uniqueness

Uniqueness Score: -1.00%

Function 0041809E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 004180E1, 0041811E

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
API String ID: 0-448403072
Opcode ID: 549f3bcfde5244f4871942ead8448d2f8bdddd0e9c24185eaae1fb5dce747299
Instruction ID: d36e66f545824ca804fc8053fc630a4bbdae804a28a8c965339656ba13d9aa6b
Opcode Fuzzy Hash: 549f3bcfde5244f4871942ead8448d2f8bdddd0e9c24185eaae1fb5dce747299
Instruction Fuzzy Hash: F5417372A00618BBDB119B9ADC819EFBBF8EF85310F14016FF914E7351DA749A82C758

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB35 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0041E8DE: GetOEMCP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E909

_free.LIBCMT ref: 0041EBAD

Strings

BdA, xrefs: 0041EB3D

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID: BdA
API String ID: 269201875-2350210841
Opcode ID: e31ade47a6fb6a04a11e17d8df6cb296b10916224dbc0c7d5a9cd2e457d10c63
Instruction ID: dde0c45b74e42a11158e88ee4a6f334abb21f81567eecd5436c50b5576c35a3a
Opcode Fuzzy Hash: e31ade47a6fb6a04a11e17d8df6cb296b10916224dbc0c7d5a9cd2e457d10c63
Instruction Fuzzy Hash: 2731DE75904249AFCF01DF6AD880ADA7BE4AF80314F15006BF8119B291EB39EC80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00419153 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00419181
_free.LIBCMT ref: 004191A7

Strings

P@C, xrefs: 004191C0

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID: P@C
API String ID: 269201875-2354161805
Opcode ID: 0c022580b5e46047273e3257fd6a31c985556c591599556947bb399249f9252e
Instruction ID: 7e2fc13560020531a2af8256f38dd64580a6055bc5c6248e04891097817f4845
Opcode Fuzzy Hash: 0c022580b5e46047273e3257fd6a31c985556c591599556947bb399249f9252e
Instruction Fuzzy Hash: 18119371E0071166E7249B29AC15BD63398BB41738F582637FA26DA2E0E778DCC2478D

Uniqueness

Uniqueness Score: -1.00%

Function 00413972 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004139B6
___raise_securityfailure.LIBCMT ref: 00413A9D

Strings

`VC, xrefs: 00413A98

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: `VC
API String ID: 3761405300-3030579402
Opcode ID: 88cca52f03d3994def1460f4c1c68c41a99f6ced113eff2d7c52e2e230f43919
Instruction ID: 896eb7b363f77d9f09391d49b58fd09572d27c93906a82c102befcc5e6cdfba7
Opcode Fuzzy Hash: 88cca52f03d3994def1460f4c1c68c41a99f6ced113eff2d7c52e2e230f43919
Instruction Fuzzy Hash: 7D21F0B8610B04DAE710DF15F982A547BE4FB48314FA4753AE5088B3B0E3B49580CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 00413B26 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,< @,?,?,?,0040203C,?,0043310C), ref: 00413B86

Strings

< @, xrefs: 00413B73, 00413B76
< @, xrefs: 00413B31

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID: < @$< @
API String ID: 3997070919-1284050056
Opcode ID: 794ae15e6e0db31f4291640b4f98a2b51644340bbcec8a8c6aa1363c38b5e95a
Instruction ID: 0ad63414873f9063e310b4a06ccfcd64d21eb3c6bdbcdee7f5ad414051d72530
Opcode Fuzzy Hash: 794ae15e6e0db31f4291640b4f98a2b51644340bbcec8a8c6aa1363c38b5e95a
Instruction Fuzzy Hash: F0018F35A00209ABD7019F5CD894BEEBBB8FF48710F15405BE904AB3A1E774AE41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00415E89 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 00415EBE

Part of subcall function 0041A868: GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,0041AA71), ref: 0041A8A1

Strings

PZA, xrefs: 00415E91
PZA, xrefs: 00415E92

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CurrentDirectory__dosmaperr
String ID: PZA$PZA
API String ID: 4125400436-1952235168
Opcode ID: 5452fbf11968b411c1a532657a6425d2d0525fc4897d72563acfebefe6a954f6
Instruction ID: d086cddc0e12b9d26e490a5c56d3e7692402d825e2fa94f014aae7412e84f72b
Opcode Fuzzy Hash: 5452fbf11968b411c1a532657a6425d2d0525fc4897d72563acfebefe6a954f6
Instruction Fuzzy Hash: 97F0CD72914705D6DB24EF0680804EAF3B9EFE2765764845FE06CCB241E778DAC28799

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E909
GetACP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E920

Strings

BdA, xrefs: 0041E8E0

Memory Dump Source

Source File: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.267809520.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267865920.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.267870132.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: BdA
API String ID: 0-2350210841
Opcode ID: f44a37c09522bfef1b69cd337f9f7d8865e41a94d0d20ab1285a71c04382f6f6
Instruction ID: 96b3e8e4f5bc6eaa85a0a2fcf11f2aedbb4a0545bbbb59a037271787e00b6168
Opcode Fuzzy Hash: f44a37c09522bfef1b69cd337f9f7d8865e41a94d0d20ab1285a71c04382f6f6
Instruction Fuzzy Hash: 98F0F0B4514601CBDB10CB6AD808BED77B0AB00339F644399E8758A6E1D7B999C1CF49

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: orxds.exePID: 6924, Parent PID: 6860COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	1096
Total number of Limit Nodes:	4

Executed Functions

Function 00DCF13B Relevance: 10.6, APIs: 7, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00DCF13B() {
				int _t11;
				intOrPtr _t15;
				void* _t22;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t40;
				void* _t45;

				_push(0x10);
				_push(0xdd1b98);
				E00DCF8A0(_t22, _t38, _t40);
				 *((intOrPtr*)(_t45 - 4)) = 0;
				_t37 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t39 = 0;
				while(1) {
					asm("lock cmpxchg [esi], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t37) {
						continue;
					} else {
						_t43 = 1;
						_t39 = 1;
					}
					L5:
					if( *0xdd35b4 != _t43) {
						__eflags =  *0xdd35b4;
						if(__eflags != 0) {
							 *0xdd2180 = _t43;
							goto L11;
						} else {
							 *0xdd35b4 = _t43;
							_push(0xdc102c);
							_push(0xdc101c);
							L00DCF88E();
							__eflags = 0;
							if(0 == 0) {
								goto L11;
							} else {
								 *((intOrPtr*)(_t45 - 4)) = 0xfffffffe;
								goto L23;
							}
						}
					} else {
						_push(0x1f);
						L00DCF5E4();
						L11:
						if( *0xdd35b4 == _t43) {
							_push(0xdc1018);
							_push(0xdc1000); // executed
							L00DCF894(); // executed
							 *0xdd35b4 = 2;
						}
						if(_t39 == 0) {
							 *0xdd35b0 = 0;
						}
						_t55 =  *0xdd35c0;
						if( *0xdd35c0 != 0 && E00DCF640(_t55, 0xdd35c0) != 0) {
							_t43 =  *0xdd35c0;
							 *0xdd41d0(0, 2, 0);
							 *((intOrPtr*)( *0xdd35c0))();
						}
						_t25 =  *0xdd2194; // 0xc2ccd8
						_t11 = __imp____winitenv;
						 *_t11 = _t25;
						_push( *0xdd2194);
						E00DC8F5F( *0xdd218c,  *0xdd2190); // executed
						 *0xdd2184 = _t11;
						if( *0xdd2188 != 0) {
							__eflags =  *0xdd2180;
							if( *0xdd2180 == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t45 - 4)) = 0xfffffffe;
							L23:
							return E00DCF8E8(0, _t39, _t43);
						} else {
							exit(_t11);
							_t26 =  *((intOrPtr*)(_t45 - 0x14));
							_t15 =  *((intOrPtr*)( *_t26));
							 *((intOrPtr*)(_t45 - 0x20)) = _t15;
							_push(_t26);
							_push(_t15);
							L00DCF5DE();
							return _t15;
						}
					}
				}
				_t43 = 1;
				__eflags = 1;
				goto L5;
			}

0x00dcf13b
0x00dcf13d
0x00dcf142
0x00dcf149
0x00dcf152
0x00dcf155
0x00dcf15c
0x00dcf160
0x00dcf166
0x00000000
0x00000000
0x00dcf16a
0x00000000
0x00dcf16c
0x00dcf16e
0x00dcf16f
0x00dcf16f
0x00dcf176
0x00dcf17c
0x00dcf188
0x00dcf18e
0x00dcf1bc
0x00000000
0x00dcf190
0x00dcf190
0x00dcf196
0x00dcf19b
0x00dcf1a0
0x00dcf1a7
0x00dcf1a9
0x00000000
0x00dcf1ab
0x00dcf1ab
0x00000000
0x00dcf1b2
0x00dcf1a9
0x00dcf17e
0x00dcf17e
0x00dcf180
0x00dcf1c2
0x00dcf1c8
0x00dcf1ca
0x00dcf1cf
0x00dcf1d4
0x00dcf1db
0x00dcf1db
0x00dcf1e7
0x00dcf1f0
0x00dcf1f0
0x00dcf1f2
0x00dcf1f9
0x00dcf20e
0x00dcf216
0x00dcf21c
0x00dcf21c
0x00dcf21e
0x00dcf224
0x00dcf229
0x00dcf22b
0x00dcf23d
0x00dcf245
0x00dcf251
0x00dcf289
0x00dcf290
0x00dcf292
0x00dcf298
0x00dcf29d
0x00dcf2a4
0x00dcf2a9
0x00dcf253
0x00dcf254
0x00dcf25a
0x00dcf25f
0x00dcf261
0x00dcf264
0x00dcf265
0x00dcf266
0x00dcf26d
0x00dcf26d
0x00dcf251
0x00dcf17c
0x00dcf175
0x00dcf175
0x00000000

APIs

_amsg_exit.MSVCR120_CLR0400 ref: 00DCF180
_initterm_e.MSVCR120_CLR0400 ref: 00DCF1A0
_initterm.MSVCR120_CLR0400 ref: 00DCF1D4
__IsNonwritableInCurrentImage.LIBCMT ref: 00DCF200
exit.MSVCR120_CLR0400 ref: 00DCF254
_XcptFilter.MSVCR120_CLR0400 ref: 00DCF266

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: CurrentFilterImageNonwritableXcpt_amsg_exit_initterm_initterm_eexit
String ID:
API String ID: 3071723359-0
Opcode ID: c06f552cf6b1f016d8c926be590f3b3eea140f1b582e731a74cabb87cc9b4163
Instruction ID: 83e4f31f5e283e1b63108a605ef6bb18246ec4ab00b49fc60a5d82381ce16e75
Opcode Fuzzy Hash: c06f552cf6b1f016d8c926be590f3b3eea140f1b582e731a74cabb87cc9b4163
Instruction Fuzzy Hash: 9031BA79602313EFCB249F24ED05FA8B7A2EB18320F28413FE505C73A0DB3099449A71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC99F3 Relevance: 9.1, APIs: 6, Instructions: 125
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00DC99F3(void* __ecx, void* __edx) {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v532;
				short _v8724;
				int _v8728;
				int _v8732;
				long _v8736;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				signed int _t32;
				short* _t34;
				intOrPtr _t35;
				void _t42;
				intOrPtr _t49;
				void* _t50;
				void* _t52;
				signed int _t54;
				void* _t55;
				intOrPtr* _t57;
				void* _t62;
				void* _t68;
				intOrPtr* _t69;
				void* _t76;
				void* _t79;
				void* _t80;
				int _t81;
				void* _t82;
				void* _t84;
				void* _t85;
				void* _t86;
				signed int _t87;

				E00DCFBE0(0x2214);
				_t31 =  *0xdd2018; // 0x36238578
				_t32 = _t31 ^ _t87;
				_v20 = _t32;
				 *[fs:0x0] =  &_v16;
				_t81 = 0;
				_v8732 = 0;
				_v8728 = 0;
				_v8 = 3;
				_t34 =  &_v8724;
				__imp___vsnwprintf_s(_t34, 0x1000, 0xffffffff, __ecx, __edx, _t32, _t80, _t84, _t52,  *[fs:0x0], E00DD0070, 0xffffffff);
				if(_t34 == 0xffffffff) {
					_push(0x100);
					_t68 = 0xc;
					if(E00DC98B0(_t68,  &_v532) != 0) {
						_t69 =  &_v532;
						_t79 = _t69 + 2;
						do {
							_t49 =  *_t69;
							_t69 = _t69 + 2;
						} while (_t49 != 0);
						_t50 = (_t69 - _t79 >> 1) + 1;
						__imp__wcscpy_s( &_v532 - _t50 + _t50, _t50,  &_v532);
					}
				}
				_t57 =  &_v8724;
				_t76 = _t57 + 2;
				do {
					_t35 =  *_t57;
					_t57 = _t57 + 2;
				} while (_t35 != 0);
				_t54 = ((_t57 - _t76 >> 1) + 1) * 3;
				_t85 = E00DC9EED(_t54, _t76);
				_v8732 = _t85;
				if(_t85 != 0) {
					_t81 = 1;
					_v8728 = 1;
				}
				_t18 = _t54 - 1; // -1
				WideCharToMultiByte(GetConsoleOutputCP(), 0,  &_v8724, 0xffffffff, _t85, _t18, 0, 0);
				_t62 = _t85;
				_t20 = _t62 + 1; // 0x1
				_t77 = _t20;
				do {
					_t42 =  *_t62;
					_t62 = _t62 + 1;
				} while (_t42 != 0);
				WriteFile(GetStdHandle(0xfffffff5), _t85, _t62 - _t77,  &_v8736, 0); // executed
				_v8 = _v8 | 0xffffffff;
				if(_t81 != 0) {
					if(_t85 != 0) {
						_t77 = _t85;
						E00DC9EC7(_t85);
					}
					_v8728 = _v8728 & 0x00000000;
				}
				 *[fs:0x0] = _v16;
				_pop(_t82);
				_pop(_t86);
				_pop(_t55);
				return E00DCF2C0(_t55, _v20 ^ _t87, _t77, _t82, _t86);
			}

0x00dc9a09
0x00dc9a0e
0x00dc9a13
0x00dc9a15
0x00dc9a1f
0x00dc9a27
0x00dc9a29
0x00dc9a2f
0x00dc9a35
0x00dc9a3c
0x00dc9a4c
0x00dc9a58
0x00dc9a5a
0x00dc9a67
0x00dc9a6f
0x00dc9a71
0x00dc9a77
0x00dc9a7a
0x00dc9a7a
0x00dc9a7d
0x00dc9a80
0x00dc9a89
0x00dc9a9f
0x00dc9aa5
0x00dc9a6f
0x00dc9aa8
0x00dc9aae
0x00dc9ab1
0x00dc9ab1
0x00dc9ab4
0x00dc9ab7
0x00dc9ac3
0x00dc9acd
0x00dc9acf
0x00dc9ad7
0x00dc9adb
0x00dc9adc
0x00dc9adc
0x00dc9ae4
0x00dc9afc
0x00dc9b02
0x00dc9b04
0x00dc9b04
0x00dc9b07
0x00dc9b07
0x00dc9b09
0x00dc9b0a
0x00dc9b24
0x00dc9b2a
0x00dc9b30
0x00dc9b34
0x00dc9b36
0x00dc9b38
0x00dc9b38
0x00dc9b3d
0x00dc9b3d
0x00dc9b47
0x00dc9b4f
0x00dc9b50
0x00dc9b51
0x00dc9b5f

APIs

_vsnwprintf_s.MSVCR120_CLR0400 ref: 00DC9A4C
wcscpy_s.MSVCR120_CLR0400 ref: 00DC9A9F
GetConsoleOutputCP.KERNEL32(00000000,?,000000FF,00000000,-00000001,00000000,00000000,?,00DC8C4B), ref: 00DC9AF5
WideCharToMultiByte.KERNEL32(00000000,?,00DC8C4B), ref: 00DC9AFC
GetStdHandle.KERNEL32(000000F5,00000000,00000001,?,00000000,?,00DC8C4B), ref: 00DC9B1D
WriteFile.KERNELBASE(00000000,?,00DC8C4B), ref: 00DC9B24

Part of subcall function 00DC98B0: LoadStringW.USER32(00000000,0000000C,?,00DC9A6D), ref: 00DC98C2
Part of subcall function 00DC98B0: LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,?,00000000,?,00DC9A6D,00000100,?,00DC8C4B), ref: 00DC98D3
Part of subcall function 00DC98B0: FreeLibrary.KERNEL32(00000000,00DC9A6D,?,?,00000000,?,00DC9A6D,00000100,?,00DC8C4B), ref: 00DC98F5

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: LibraryLoad$ByteCharConsoleFileFreeHandleMultiOutputStringWideWrite_vsnwprintf_swcscpy_s
String ID:
API String ID: 348151980-0
Opcode ID: ad6c987da1fe49c41fb2ef4421d698a7c538d87cf55d998016a44eee584e5972
Instruction ID: 2586dc70d61b98f4a2b0e718a9eab03d5d2ec8c087547456a98d72900bde1f3c
Opcode Fuzzy Hash: ad6c987da1fe49c41fb2ef4421d698a7c538d87cf55d998016a44eee584e5972
Instruction Fuzzy Hash: BC41057190021AAFDB18DF64CC99FFAF768EB54710F14079EE92AD7280E7715A41CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8F5F Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

exit.MSVCR120_CLR0400 ref: 00DC8FB4

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: exit
String ID:
API String ID: 2483651598-0
Opcode ID: ad05d559cc9b32dbeea0ddf062ea116e0ac7e1c5a4abbc03708346fa74d13a0e
Instruction ID: 2f3273b0e917b4aaa9abdb109d5fc4aa11daa27898ffe39294bae8f474e81ff4
Opcode Fuzzy Hash: ad05d559cc9b32dbeea0ddf062ea116e0ac7e1c5a4abbc03708346fa74d13a0e
Instruction Fuzzy Hash: 260192714083429BC700EF55C841E6BFBE8AEA4314F00461DF8A5D3290DF30E504EBB2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DC915E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00DC915E(void* __ecx, CHAR* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t11;
				void* _t16;
				intOrPtr* _t17;
				struct HINSTANCE__* _t23;
				CHAR* _t26;

				_t21 = __edx;
				_t26 = __edx;
				_t23 = LoadLibraryExW(L"user32", 0, 0);
				if(_t23 == 0) {
					_t5 = L"<null>";
					if(_t26 == 0) {
						_t26 = L"<null>";
					}
					E00DC90DA(_t16, _t21, _t23, _t26, L"**** MessageBox invoked, title \'%s\' ****\n", _t5);
					E00DC90DA(_t16, _t21, _t23, _t26, L"  %s\n", _t26);
					E00DC90DA(_t16, _t21, _t23, _t26);
					E00DC90DA(_t16, _t21, _t23, _t26, "\n", L"********\n");
					if(IsDebuggerPresent() != 0) {
						DebugBreak();
					}
					_t11 = 2;
				} else {
					_push(_t16);
					_v8 = 2;
					_t17 = GetProcAddress(_t23, "MessageBoxW");
					if(_t17 != 0) {
						 *0xdd41d0(0, _t26, 0, 0x10);
						_v8 =  *_t17();
					}
					FreeLibrary(_t23);
					_t11 = _v8;
				}
				return _t11;
			}

0x00dc915e
0x00dc916d
0x00dc9175
0x00dc9179
0x00dc91b6
0x00dc91bd
0x00dc91bf
0x00dc91bf
0x00dc91c7
0x00dc91d2
0x00dc91dc
0x00dc91e6
0x00dc91f6
0x00dc91f8
0x00dc91f8
0x00dc9200
0x00dc917b
0x00dc917b
0x00dc9182
0x00dc918f
0x00dc9193
0x00dc919e
0x00dc91a6
0x00dc91a6
0x00dc91aa
0x00dc91b0
0x00dc91b3
0x00dc9206

APIs

LoadLibraryExW.KERNEL32(user32,00000000,00000000,?,?,?,?,00DC999F,?,?), ref: 00DC916F
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 00DC9189
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00DC999F), ref: 00DC91AA
IsDebuggerPresent.KERNEL32(?,?,?,00DC999F,?,?), ref: 00DC91EE
DebugBreak.KERNEL32(?,?,?,00DC999F,?,?), ref: 00DC91F8

Strings

<null>, xrefs: 00DC91B6, 00DC91C1, 00DC91CC
**** MessageBox invoked, title '%s' ****, xrefs: 00DC91C2
%s, xrefs: 00DC91CD
********, xrefs: 00DC91D7
user32, xrefs: 00DC9168
MessageBoxW, xrefs: 00DC917C

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: Library$AddressBreakDebugDebuggerFreeLoadPresentProc
String ID: %s$**** MessageBox invoked, title '%s' ****$********$<null>$MessageBoxW$user32
API String ID: 2820363182-3536105985
Opcode ID: 5f49947c0f76fa5b1f2cfa1cf7c3f076c47b7d83a77eb7656fb7bf661413ad99
Instruction ID: 05f680fd2e15ebaa8f77b32becbd028bba81b367c31807e78fb6aca621614c05
Opcode Fuzzy Hash: 5f49947c0f76fa5b1f2cfa1cf7c3f076c47b7d83a77eb7656fb7bf661413ad99
Instruction Fuzzy Hash: 9101C8767413177BE72067A55C1FF3AB768EB92B11F14411EF905E7382DAB08C049571

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00DCF580(intOrPtr* _a4) {
				intOrPtr* _t5;
				intOrPtr _t7;

				_t5 =  *_a4;
				if( *_t5 != 0xe06d7363 ||  *((intOrPtr*)(_t5 + 0x10)) != 3) {
					L6:
					return 0;
				} else {
					_t7 =  *((intOrPtr*)(_t5 + 0x14));
					if(_t7 == 0x19930520 || _t7 == 0x19930521 || _t7 == 0x19930522 || _t7 == 0x1994000) {
						L00DCFA46();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(E00DCF580);
						L00DCFA4C();
						return 0;
					} else {
						goto L6;
					}
				}
			}

0x00dcf586
0x00dcf58e
0x00dcf5b5
0x00dcf5b8
0x00dcf596
0x00dcf596
0x00dcf59e
0x00dcf5bb
0x00dcf5c0
0x00dcf5c1
0x00dcf5c2
0x00dcf5c3
0x00dcf5c4
0x00dcf5c5
0x00dcf5c6
0x00dcf5c7
0x00dcf5c8
0x00dcf5c9
0x00dcf5ca
0x00dcf5cb
0x00dcf5cc
0x00dcf5cd
0x00dcf5ce
0x00dcf5cf
0x00dcf5d0
0x00dcf5d5
0x00dcf5dd
0x00000000
0x00000000
0x00000000
0x00dcf59e

APIs

?terminate@@YAXXZ.MSVCR120_CLR0400 ref: 00DCF5BB
__crtSetUnhandledExceptionFilter.MSVCR120_CLR0400(00DCF580), ref: 00DCF5D5

Strings

csm, xrefs: 00DCF588

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: ?terminate@@ExceptionFilterUnhandled__crt
String ID: csm
API String ID: 327099231-1018135373
Opcode ID: d6053caae3f35356f3934a3c81579494b566cfe7024595525da60932e9e227ae
Instruction ID: 3e89b26c7fe350e35a0271239016ed1f754e9f6bf94fb585f1fa38b57e12e84c
Opcode Fuzzy Hash: d6053caae3f35356f3934a3c81579494b566cfe7024595525da60932e9e227ae
Instruction Fuzzy Hash: 8BE092775242075B4B289F68D084E99B79B9B10301B9C187DE648CB621DAA0DD80C5B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD53A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
Instruction ID: 515e982fcc113093bc8b9341a6cdcd2dd9e3cb9215dfa8f3b5e9b2f25e208636
Opcode Fuzzy Hash: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8A34 Relevance: 19.7, APIs: 7, Strings: 6, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcsicmp.MSVCR120_CLR0400 ref: 00DC8B8A

Strings

silent, xrefs: 00DC8B66
parameters, xrefs: 00DC8B84
manifests, xrefs: 00DC8BBB
help, xrefs: 00DC8BFD
nologo, xrefs: 00DC8BA2
activate, xrefs: 00DC8BD4

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: _wcsicmp
String ID: activate$help$manifests$nologo$parameters$silent
API String ID: 2081463915-2231040261
Opcode ID: 02f10d6fc0a159e2fe56ca391ab76bde71e77c1e04cae7bf3be5cdffff951b6f
Instruction ID: b10f1f05bbf60272b00bb4e6fe97feac56eca82145d1eef536a2b549b1a5bda4
Opcode Fuzzy Hash: 02f10d6fc0a159e2fe56ca391ab76bde71e77c1e04cae7bf3be5cdffff951b6f
Instruction Fuzzy Hash: 6551E5B6605303AFCB289E68D959F66B7A5EB09320B18452FE556C7690EF30E904B730

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC282 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00DCC282(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				signed int _v8;
				signed short _v16;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				signed short _t50;
				signed int _t61;
				intOrPtr _t62;
				void* _t63;
				char _t65;
				intOrPtr _t70;
				signed int _t82;
				void* _t92;
				signed short _t94;
				signed short _t95;
				signed int _t96;
				char* _t99;
				signed int _t101;
				signed int _t110;
				signed short _t112;
				signed int _t113;
				signed int _t116;
				void* _t119;
				signed short _t130;

				_t110 = __edx;
				_push(4);
				E00DCFB02(E00DD01B7, __ebx, __edi, __esi);
				_t115 = __ecx;
				if(E00DCD95F() != 0) {
					E00DCD9C4(_t110, 5, 0x4000, 1, "ThrowHR: HR = %x\n", __ecx);
					_t119 = _t119 + 0x14;
				}
				if(_t115 == 0x8007000e) {
					L18();
				}
				if(_t115 == 0) {
					_t115 = 0x80004005;
				}
				_t94 = 0xc;
				_t112 = E00DC9EED(_t94, _t110);
				_v16 = _t112;
				_v4 = 0;
				if(_t112 == 0) {
					_t112 = 0;
				} else {
					 *_t112 = 0xdc1434;
					 *((intOrPtr*)(_t112 + 4)) = 0;
					_v4 = 1;
					 *_t112 = 0xdc149c;
					 *((intOrPtr*)(_t112 + 8)) = _t115;
					_v4 = 0;
				}
				_v4 = _v4 | 0xffffffff;
				if(E00DCD95F() != 0) {
					_t115 =  *((intOrPtr*)( *_t112 + 8));
					 *0xdd41d0(0x658);
					_t94 = _t112;
					_push( *((intOrPtr*)( *((intOrPtr*)( *_t112 + 8))))());
					E00DCD9C4(_t110, 5, 0x4000, 3, "EX_THROW Type = 0x%x HR = 0x%x,  line %d\n", 0x48522020);
					_t119 = _t119 + 0x1c;
				}
				_push(0xdd1c60);
				_v16 = _t112;
				_push( &_v16);
				L00DCFAC6();
				asm("int3");
				_t50 = _t94;
				_push(_t94);
				if(_t50 == 8) {
					L18();
				}
				if(_t50 > 0) {
					_t50 = _t50 & 0x0000ffff | 0x80070000;
					_t130 = _t50;
				}
				_t95 = _t50;
				E00DCC282(0x4000, _t95, _t110, _t112, _t115, _t130);
				asm("int3");
				_push(_t95);
				_t96 = GetLastError();
				L12();
				asm("int3");
				_push(_t96);
				 *0xdd2910 = 0x8007000e;
				_v24 = E00DCAE48(_t112, _t115, _t130);
				_push(0xdd1c70);
				_push( &_v24);
				L00DCFAC6();
				asm("int3");
				_push(0x28);
				E00DCFB02(E00DD0388, 0x4000, _t112, _t115);
				_t116 = _t110;
				_t113 = _t96;
				_push(0xdc7000);
				E00DCA7B4(0x4000,  &_v56, _t113, _t116, _t130);
				_v8 = _v8 & 0x00000000;
				E00DCA852(_t116,  &_v56);
				_v8 = _v8 | 0xffffffff;
				_t99 =  &_v56;
				E00DCA914(_t99);
				_t61 = 2;
				_v40 = _t61;
				_v36 = _t61;
				_v32 = 0x10;
				_v28 = 0xdc1624;
				_v8 = _t61;
				if(_t113 >= 0 || (_t113 & 0x1fff0000) != 0x130000) {
					L23:
					_t62 =  *0xdd2918; // 0x0
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t62);
					_push(_t99);
					_push(_t113);
					_push(_t99);
					_push(_t99);
					_t63 = E00DCCDFE(0x4000,  &_v40, _t113, _t116, __eflags);
				} else {
					_t82 = _t113 & 0x0000ffff;
					_t133 = _t82 - 0x3000;
					if(_t82 >= 0x3000) {
						goto L23;
					} else {
						_t63 = E00DCDC70( &_v40, _t133, _t99, _t82 + 0x6000);
					}
				}
				_t101 = _t113;
				_t92 = _t63;
				_v24 = E00DCB110(_t101);
				_t134 = _t92;
				if(_t92 != 0) {
					E00DCA87E(_t92, _t116, _t110, _t113, _t134,  &_v40);
					_push(L" (");
					_t101 = _t116;
					E00DCA8D3(_t92, _t101, _t110, _t113, _t116, _t134);
				}
				_t65 = 2;
				_v56 = _t65;
				_v52 = _t65;
				_v48 = 0x10;
				_v44 = 0xdc1624;
				_v8 = 4;
				_push(0x1709);
				_push(_t101);
				_push(_t101);
				E00DCDC8A(_t92,  &_v56, _t113, _t116, _t134);
				_t103 = _t116;
				E00DCA87E(_t92, _t116, _t110, _t113, _t134,  &_v56);
				E00DCCD51(_t92, _t116, _t134, _t116, L"0x%.8X", _t113);
				_t70 = _v24;
				_t135 = _t70;
				if(_t70 != 0) {
					E00DCCD51(_t92, _t103, _t135, _t116, L" (%S)", _t70);
				}
				_t136 = _t92;
				if(_t92 != 0) {
					_push(")");
					E00DCA8D3(_t92, _t116, _t110, _t113, _t116, _t136);
				}
				_v8 = 2;
				E00DCA914( &_v56);
				_v8 = _v8 | 0xffffffff;
				return E00DCFAD0(E00DCA914( &_v40));
			}

0x00dcc282
0x00dcc282
0x00dcc289
0x00dcc28e
0x00dcc29c
0x00dcc2a9
0x00dcc2ae
0x00dcc2ae
0x00dcc2b7
0x00dcc2b9
0x00dcc2b9
0x00dcc2c0
0x00dcc2c2
0x00dcc2c2
0x00dcc2c9
0x00dcc2cf
0x00dcc2d1
0x00dcc2d6
0x00dcc2db
0x00dcc2f8
0x00dcc2dd
0x00dcc2dd
0x00dcc2e3
0x00dcc2e6
0x00dcc2ea
0x00dcc2f0
0x00dcc2f3
0x00dcc2f3
0x00dcc2fa
0x00dcc305
0x00dcc30e
0x00dcc313
0x00dcc319
0x00dcc31d
0x00dcc32d
0x00dcc332
0x00dcc332
0x00dcc335
0x00dcc33d
0x00dcc340
0x00dcc341
0x00dcc346
0x00dcc347
0x00dcc349
0x00dcc34d
0x00dcc34f
0x00dcc34f
0x00dcc356
0x00dcc35b
0x00dcc35b
0x00dcc35b
0x00dcc360
0x00dcc362
0x00dcc367
0x00dcc368
0x00dcc36f
0x00dcc371
0x00dcc376
0x00dcc37a
0x00dcc37b
0x00dcc38a
0x00dcc390
0x00dcc395
0x00dcc396
0x00dcc39b
0x00dcc39c
0x00dcc3a3
0x00dcc3a8
0x00dcc3aa
0x00dcc3ac
0x00dcc3b4
0x00dcc3b9
0x00dcc3c3
0x00dcc3c8
0x00dcc3cc
0x00dcc3cf
0x00dcc3d6
0x00dcc3d7
0x00dcc3da
0x00dcc3dd
0x00dcc3e4
0x00dcc3eb
0x00dcc3f0
0x00dcc41f
0x00dcc41f
0x00dcc424
0x00dcc425
0x00dcc426
0x00dcc427
0x00dcc428
0x00dcc429
0x00dcc42a
0x00dcc42b
0x00dcc42c
0x00dcc42d
0x00dcc42e
0x00dcc42f
0x00dcc430
0x00dcc431
0x00dcc435
0x00dcc400
0x00dcc402
0x00dcc407
0x00dcc40c
0x00000000
0x00dcc40e
0x00dcc418
0x00dcc418
0x00dcc40c
0x00dcc43a
0x00dcc43c
0x00dcc443
0x00dcc446
0x00dcc448
0x00dcc450
0x00dcc455
0x00dcc45a
0x00dcc45c
0x00dcc45c
0x00dcc463
0x00dcc464
0x00dcc467
0x00dcc46a
0x00dcc471
0x00dcc478
0x00dcc47c
0x00dcc481
0x00dcc482
0x00dcc486
0x00dcc48e
0x00dcc491
0x00dcc49d
0x00dcc4a2
0x00dcc4a8
0x00dcc4aa
0x00dcc4b3
0x00dcc4b8
0x00dcc4bb
0x00dcc4bd
0x00dcc4bf
0x00dcc4c6
0x00dcc4c6
0x00dcc4cb
0x00dcc4d2
0x00dcc4d7
0x00dcc4e8

APIs

__EH_prolog3.LIBCMT ref: 00DCC289
_CxxThrowException.MSVCR120_CLR0400(00000000,00DD1C60), ref: 00DCC341
GetLastError.KERNEL32(?,00DCCA45,?,?,00DC1624,?,?,?,00DCC8C8,?,?,?,00000001,00000004,00000214,00DCCE51), ref: 00DCC369
_CxxThrowException.MSVCR120_CLR0400(00000000,00DD1C70), ref: 00DCC396
__EH_prolog3.LIBCMT ref: 00DCC3A3

Part of subcall function 00DCD9C4: _vsnprintf_s.MSVCR120_CLR0400 ref: 00DCDA95

Part of subcall function 00DCA8D3: __EH_prolog3.LIBCMT ref: 00DCA8DA

Strings

0x%.8X, xrefs: 00DCC497
(%S), xrefs: 00DCC4AD
EX_THROW Type = 0x%x HR = 0x%x, line %d, xrefs: 00DCC323
ThrowHR: HR = %x, xrefs: 00DCC29F

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: H_prolog3$ExceptionThrow$ErrorLast_vsnprintf_s
String ID: (%S)$0x%.8X$EX_THROW Type = 0x%x HR = 0x%x, line %d$ThrowHR: HR = %x
API String ID: 2874708496-3244535534
Opcode ID: 47a183b970915c4e3c4103f86b3fc1ff4662348958e79940531aa77c6bbfd845
Instruction ID: 9f43df9ef1e3a26302ce3a7de7f3fd4e36385f8497795343b7d85c427ca4bc11
Opcode Fuzzy Hash: 47a183b970915c4e3c4103f86b3fc1ff4662348958e79940531aa77c6bbfd845
Instruction Fuzzy Hash: BA51D8B1A1020BABDB14EBA4CD16FAEB6B5DF44310F14412DF619E7282DB749E04CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF30C Relevance: 13.5, APIs: 9, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E00DCF30C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t16;
				signed int _t18;
				void* _t31;

				_t28 = __edi;
				_t24 = __ebx;
				_t16 = E00DCF8A0(__ebx, __edi, __esi);
				 *(_t31 - 0x28) =  *(_t31 - 0x28) & 0x00000000;
				__imp__DecodePointer( *0xdd35bc, 0xdd1bb8, 0x18);
				 *(_t31 - 0x20) = _t16;
				if(_t16 != 0xffffffff) {
					L00DCF932();
					 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
					__imp__DecodePointer( *0xdd35bc, 8);
					 *(_t31 - 0x20) = _t16;
					__imp__DecodePointer( *0xdd35b8);
					 *((intOrPtr*)(_t31 - 0x24)) = _t16;
					_t18 = _t31 - 0x20;
					__imp__EncodePointer( *((intOrPtr*)(_t31 + 8)), _t18, _t31 - 0x24);
					L00DCF93E();
					_t30 = _t18;
					 *(_t31 - 0x28) = _t18;
					__imp__EncodePointer( *(_t31 - 0x20), _t18);
					 *0xdd35bc = _t18;
					__imp__EncodePointer( *((intOrPtr*)(_t31 - 0x24)));
					 *0xdd35b8 = _t18;
					 *(_t31 - 4) = 0xfffffffe;
					E00DCF3C2(_t18);
				} else {
					_t30 = __imp___onexit;
					 *0xdd41d0( *((intOrPtr*)(_t31 + 8)));
					 *__imp___onexit();
				}
				return E00DCF8E8(_t24, _t28, _t30);
			}

0x00dcf30c
0x00dcf30c
0x00dcf313
0x00dcf318
0x00dcf322
0x00dcf328
0x00dcf32e
0x00dcf348
0x00dcf34e
0x00dcf358
0x00dcf35e
0x00dcf367
0x00dcf36d
0x00dcf374
0x00dcf37b
0x00dcf382
0x00dcf38a
0x00dcf38c
0x00dcf392
0x00dcf398
0x00dcf3a0
0x00dcf3a6
0x00dcf3ab
0x00dcf3b2
0x00dcf330
0x00dcf333
0x00dcf33b
0x00dcf341
0x00dcf343
0x00dcf3be

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,00DD1BB8,00000018,00DCF3D6,?), ref: 00DCF322
_onexit.MSVCR120_CLR0400 ref: 00DCF341
_lock.MSVCR120_CLR0400 ref: 00DCF348
DecodePointer.KERNEL32(?,?,?,?,?,?,00DD1BB8,00000018,00DCF3D6,?), ref: 00DCF358
DecodePointer.KERNEL32(?,?,?,?,?,?,00DD1BB8,00000018,00DCF3D6,?), ref: 00DCF367
EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00DD1BB8,00000018,00DCF3D6,?), ref: 00DCF37B
__dllonexit.MSVCR120_CLR0400 ref: 00DCF382
EncodePointer.KERNEL32(?), ref: 00DCF392
EncodePointer.KERNEL32(?), ref: 00DCF3A0

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: Pointer$DecodeEncode$__dllonexit_lock_onexit
String ID:
API String ID: 3085583964-0
Opcode ID: 2b2b0b6fb03a2b0eceada9f718f53bbe76059388da10af72f43c52efade75c77
Instruction ID: 5f9634233ab783880b097682236a0fd5a3489634dcdb75468f1feda8aea36d00
Opcode Fuzzy Hash: 2b2b0b6fb03a2b0eceada9f718f53bbe76059388da10af72f43c52efade75c77
Instruction Fuzzy Hash: AE11B676942315AFCB01AFA0EC09ADC7B75FB08321F20416AE945E22A0DB355A489F75

Uniqueness

Uniqueness Score: -1.00%

Function 00DC94E5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 174
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00DC94E5(void* __ebx, intOrPtr __ecx, void* __edi, signed short __esi, void* __eflags) {
				signed int _t68;
				signed short _t70;
				intOrPtr* _t75;
				signed int _t80;
				_Unknown_base(*)()* _t85;
				signed short _t93;
				signed short _t94;
				struct HINSTANCE__* _t95;
				signed short _t97;
				signed int* _t104;
				signed int _t125;
				void* _t133;
				void* _t137;
				signed short _t144;
				signed short _t145;

				_t137 = __eflags;
				_t126 = __esi;
				_push(0x438);
				E00DCFB35(E00DCFFAD, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t133 - 0x42c)) = __ecx;
				_t125 =  *(_t133 + 0x14);
				_t104 =  *(_t133 + 0x18);
				 *(_t133 - 0x428) =  *(_t133 - 0x428) & 0x00000000;
				if(E00DC9449(_t104, _t133 - 0x428, _t125, __esi, _t137) < 0) {
					L22:
					return E00DCFAE4(_t104, _t125, _t126);
				}
				_t68 =  *(_t133 - 0x428);
				 *(_t133 - 0x430) = 0;
				 *0xdd41d0(_t68, 0x40, 0, 0, 0, 0, _t125, _t104, _t133 - 0x430, 0xdc12e8,  *((intOrPtr*)(_t133 - 0x42c)));
				_t70 =  *((intOrPtr*)( *_t68 + 0xc))();
				_t126 = _t70;
				if(_t70 == 0) {
					L19:
					__eflags = ( *(_t133 - 0x430) & 0x00000003) - 1;
					if(( *(_t133 - 0x430) & 0x00000003) == 1) {
						_t75 =  *((intOrPtr*)( *((intOrPtr*)(_t133 - 0x42c))));
						 *0xdd41d0(_t75);
						_t126 =  *((intOrPtr*)( *((intOrPtr*)( *_t75 + 0x34))))();
					}
					L21:
					goto L22;
				}
				 *(_t133 - 0x424) = 0x100;
				__imp__wcscpy_s(_t133 - 0x210, 0x100, L"v4.0.0");
				_t80 =  *(_t133 - 0x428);
				 *0xdd41d0(_t80, 0x48, 0, 0, _t133 - 0x210, _t133 - 0x424, _t125, _t104, _t133 - 0x430, 0xdc12e8,  *((intOrPtr*)(_t133 - 0x42c)));
				_t126 =  *((intOrPtr*)( *_t80 + 0xc))();
				_t140 = _t126;
				if(_t126 == 0) {
					goto L19;
				}
				 *(_t133 - 0x424) =  *(_t133 - 0x424) & 0x00000000;
				if(E00DC9229(_t104, _t133 - 0x424, _t125, _t126, _t140) < 0) {
					goto L22;
				}
				 *((short*)(_t133 - 0x43c)) = 0;
				 *((intOrPtr*)(_t133 - 0x434)) = _t133 - 0x440;
				 *(_t133 - 4) = 2;
				_t85 = GetProcAddress( *(_t133 - 0x424), "GetRequestedRuntimeInfo");
				if(_t85 != 0) {
					 *(_t133 - 0x438) = _t85;
					_t126 = 0;
					__eflags = 0;
					L8:
					_t144 = _t126;
					L9:
					if(_t144 < 0) {
						L15:
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t133 - 0x434)) = _t133 - 0x440;
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						E00DC9CE6(_t133 - 0x440);
						goto L21;
					}
					 *(_t133 - 0x444) = 0x104;
					 *(_t133 - 0x428) = 0x104;
					 *0xdd41d0(0, 0, 0, 0, 0x41, _t133 - 0x420, 0x104, _t133 - 0x444, _t133 - 0x218, 0x104, _t133 - 0x428);
					_t93 =  *( *(_t133 - 0x438))();
					_t126 = _t93;
					_t145 = _t93;
					if(_t145 < 0) {
						goto L15;
					}
					if(_t145 != 0) {
						L14:
						_t126 = 0x80131700;
						goto L15;
					}
					 *(_t133 - 0x424) =  *(_t133 - 0x424) & 0x00000000;
					_t94 = E00DC933F(_t104, _t133 - 0x424, _t125, _t126, _t145);
					_t126 = _t94;
					if(_t94 < 0) {
						goto L15;
					}
					_t95 =  *(_t133 - 0x424);
					 *0xdd41d0(_t95, _t133 - 0x218, 0xdc12e8,  *((intOrPtr*)(_t133 - 0x42c)));
					_t97 =  *((intOrPtr*)(_t95->i + 0xc))();
					_t126 = _t97;
					if(_t97 == 0) {
						__eflags = _t125;
						if(_t125 != 0) {
							__imp__wcsncpy_s(_t125,  *_t104, _t133 - 0x218,  *(_t133 - 0x428));
							 *_t104 =  *(_t133 - 0x428);
						}
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t133 - 0x434)) = _t133 - 0x440;
						_t59 = _t133 - 4;
						 *_t59 =  *(_t133 - 4) | 0xffffffff;
						__eflags =  *_t59;
						E00DC9CE6(_t133 - 0x440);
						goto L19;
					}
					goto L14;
				}
				_t126 = GetLastError();
				if(_t126 <= 0) {
					goto L9;
				}
				_t126 = _t126 & 0x0000ffff | 0x80070000;
				goto L8;
			}

0x00dc94e5
0x00dc94e5
0x00dc94e5
0x00dc94ef
0x00dc94f4
0x00dc94fa
0x00dc9503
0x00dc9506
0x00dc9514
0x00dc9755
0x00dc975a
0x00dc975a
0x00dc9520
0x00dc9539
0x00dc9548
0x00dc954e
0x00dc9551
0x00dc9555
0x00dc972d
0x00dc9735
0x00dc9737
0x00dc973f
0x00dc9749
0x00dc9751
0x00dc9751
0x00dc9753
0x00000000
0x00dc9753
0x00dc9566
0x00dc9573
0x00dc9579
0x00dc95b0
0x00dc95b9
0x00dc95bb
0x00dc95bd
0x00000000
0x00000000
0x00dc95c3
0x00dc95d7
0x00000000
0x00000000
0x00dc95e3
0x00dc95ec
0x00dc95f2
0x00dc9604
0x00dc960c
0x00dc9625
0x00dc962b
0x00dc962b
0x00dc962d
0x00dc962d
0x00dc962f
0x00dc962f
0x00dc96d0
0x00dc96d0
0x00dc96da
0x00dc96e0
0x00dc96e6
0x00000000
0x00dc96e6
0x00dc9655
0x00dc9663
0x00dc9676
0x00dc967c
0x00dc967e
0x00dc9680
0x00dc9682
0x00000000
0x00000000
0x00dc9684
0x00dc96cb
0x00dc96cb
0x00000000
0x00dc96cb
0x00dc9686
0x00dc9693
0x00dc9698
0x00dc969c
0x00000000
0x00000000
0x00dc969e
0x00dc96bc
0x00dc96c2
0x00dc96c5
0x00dc96c9
0x00dc96ed
0x00dc96ef
0x00dc9701
0x00dc9710
0x00dc9710
0x00dc9712
0x00dc971c
0x00dc9722
0x00dc9722
0x00dc9722
0x00dc9728
0x00000000
0x00dc9728
0x00000000
0x00dc96c9
0x00dc9614
0x00dc9618
0x00000000
0x00000000
0x00dc961d
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00DC94EF

Part of subcall function 00DC9449: __EH_prolog3.LIBCMT ref: 00DC9450

wcscpy_s.MSVCR120_CLR0400 ref: 00DC9573

Part of subcall function 00DC9229: __EH_prolog3.LIBCMT ref: 00DC9230
Part of subcall function 00DC9229: LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,00000008,00DC92FA,?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425,?,?,00DC985C), ref: 00DC9249
Part of subcall function 00DC9229: GetLastError.KERNEL32(?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425,?,?,00DC985C,?,00000000), ref: 00DC9255

GetProcAddress.KERNEL32(00000000,GetRequestedRuntimeInfo), ref: 00DC9604
GetLastError.KERNEL32 ref: 00DC960E
wcsncpy_s.MSVCR120_CLR0400 ref: 00DC9701

Strings

v4.0.0, xrefs: 00DC9560
GetRequestedRuntimeInfo, xrefs: 00DC95F9

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: ErrorH_prolog3Last$AddressH_prolog3_LibraryLoadProcwcscpy_swcsncpy_s
String ID: GetRequestedRuntimeInfo$v4.0.0
API String ID: 408365154-1665928025
Opcode ID: 743ff7da7b691a4b28c3c3c8ed479f799fbd248bcf0ff46da6cb543b016e8aa6
Instruction ID: b7fcae1848855cb1ed6925a983fff983b39144a93f31cc9656f0e783fb706e2f
Opcode Fuzzy Hash: 743ff7da7b691a4b28c3c3c8ed479f799fbd248bcf0ff46da6cb543b016e8aa6
Instruction Fuzzy Hash: A8614FB1A0122A9FDB21DB54CC59F99B7B8EB48710F4041D9FA09A7290D730AE85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCC44 Relevance: 10.7, APIs: 7, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E00DCCC44(void* __ebx, unsigned int* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				void* _v32;
				void* _v36;
				void* _v40;
				signed int _v60;
				intOrPtr _v68;
				void* _v72;
				void* _v80;
				void* _v88;
				void* _v584;
				void* _v600;
				char _v608;
				void* _v616;
				void* _v620;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t30;
				intOrPtr _t31;
				unsigned int _t34;
				signed int* _t35;
				signed int _t42;
				signed int _t44;
				intOrPtr* _t57;
				intOrPtr* _t63;
				signed char _t72;
				void* _t84;
				unsigned int _t87;
				void* _t90;
				unsigned int* _t92;
				void* _t95;
				signed int _t98;
				signed int _t100;

				_push(__ebx);
				_t92 = __ecx;
				_t57 = _a4;
				_t30 = ( *__ecx >> ( !(__ecx[2]) & 0x00000001)) - 1;
				if(_t30 == 0) {
					L2:
					_t63 = _t57;
					_t84 = _t63 + 2;
					do {
						_t31 =  *_t63;
						_t63 = _t63 + 2;
					} while (_t31 != 0);
					_t87 = (_t63 - _t84 >> 1) + 1;
					_t34 = ( *_t92 >> ( !(_t92[2]) & 0x00000001)) - 1;
					if(_t87 < _t34) {
						_t87 = _t34;
					}
					if(_t87 < 0x14) {
						_t87 = 0x14;
					}
					while(1) {
						_t87 = _t87 + _t87;
						_t35 = E00DCD115(_t34, _t92, _t87, _t92, _t87, 4, 0);
						__imp___errno();
						 *_t35 =  *_t35 & 0x00000000;
						_t72 =  !(_t92[2]) & 0x00000001;
						_t34 =  *_t92 >> _t72;
						__imp___vsnwprintf_s(_t92[3], _t34, 0xffffffff, _t57, _a8);
						_t98 = _t98 + 0x14;
						if(_t34 >= 0) {
							goto L14;
						}
						__imp___errno();
						if( *_t34 == 0xc) {
							L16:
							E00DCC377(_t72, _t84);
							asm("int3");
							_push(0xffffffff);
							_push(E00DD0560);
							_push( *[fs:0x0]);
							_t100 = (_t98 & 0xfffffff8) - 0x21c;
							_t42 =  *0xdd2018; // 0x36238578
							 *(_t100 + 0x214) = _t42 ^ _t100;
							_push(_t92);
							_push(_t87);
							_t44 =  *0xdd2018; // 0x36238578
							_push(_t44 ^ _t100);
							 *[fs:0x0] = _t100 + 0x228;
							_push(_t100 + 0x20);
							E00DCA733(_t100 + 0x14, _t111);
							 *((intOrPtr*)(_t100 + 0x230)) = 1;
							E00DCCC44(_t57, _t100 + 0x14,  *((intOrPtr*)(_t98 + 0xc)),  &_v20);
							E00DCA87E(_t57,  *((intOrPtr*)(_t98 + 8)), _t84,  *((intOrPtr*)(_t98 + 8)), _t111, _t100 + 0xc);
							_v60 = _v60 | 0xffffffff;
							E00DCA914( &_v608);
							 *[fs:0x0] = _v68;
							_pop(_t90);
							_t95 = _t72;
							return E00DCF2C0(_t57,  *(_t100 + 0x214) ^ _t100, _t84, _t90, _t95);
						} else {
							__imp___errno();
							if( *_t34 == 0) {
								continue;
							} else {
								__imp___errno();
								if( *_t34 == 9) {
									continue;
								} else {
									__imp___errno();
									_t111 =  *_t34 - 0x22;
									if( *_t34 == 0x22) {
										continue;
									} else {
										_t72 = 0x80070459;
										E00DCC282(_t57, 0x80070459, _t84, _t87, _t92, _t111);
										goto L16;
									}
								}
							}
						}
						goto L18;
					}
					goto L14;
				} else {
					_t34 = _t30 + 1;
					__imp___vsnwprintf_s(__ecx[3], _t34, 0xffffffff, _t57, _a8);
					_t98 = _t98 + 0x14;
					if(_t34 >= 0) {
						L14:
						E00DCD115(_t34, _t92, _t87, _t92, _t34, 4, 1);
						_push(_t57);
						E00DCA7B4(_t57,  &_v20, _t87, _t92, __eflags);
						return E00DCA914( &_v20);
					} else {
						goto L2;
					}
				}
				L18:
			}

0x00dccc4a
0x00dccc4d
0x00dccc56
0x00dccc5e
0x00dccc61
0x00dccc7f
0x00dccc7f
0x00dccc83
0x00dccc86
0x00dccc86
0x00dccc89
0x00dccc8c
0x00dccc95
0x00dccca4
0x00dccca7
0x00dccca9
0x00dccca9
0x00dcccae
0x00dcccb2
0x00dcccb2
0x00dcccb3
0x00dcccb7
0x00dcccbc
0x00dcccc1
0x00dcccc7
0x00dcccd1
0x00dcccd4
0x00dccce0
0x00dccce6
0x00dccceb
0x00000000
0x00000000
0x00dccced
0x00dcccf6
0x00dccd4b
0x00dccd4b
0x00dccd50
0x00dccd57
0x00dccd59
0x00dccd64
0x00dccd65
0x00dccd6b
0x00dccd72
0x00dccd79
0x00dccd7a
0x00dccd7b
0x00dccd82
0x00dccd8a
0x00dccd9b
0x00dccda0
0x00dccda5
0x00dccdb9
0x00dccdc5
0x00dccdca
0x00dccdd6
0x00dccde2
0x00dccdea
0x00dccdeb
0x00dccdfd
0x00dcccf8
0x00dcccf8
0x00dccd01
0x00000000
0x00dccd03
0x00dccd03
0x00dccd0c
0x00000000
0x00dccd0e
0x00dccd0e
0x00dccd14
0x00dccd17
0x00000000
0x00dccd19
0x00dccd41
0x00dccd46
0x00000000
0x00dccd46
0x00dccd17
0x00dccd0c
0x00dccd01
0x00000000
0x00dcccf6
0x00000000
0x00dccc63
0x00dccc66
0x00dccc6e
0x00dccc74
0x00dccc79
0x00dccd1b
0x00dccd22
0x00dccd27
0x00dccd2b
0x00dccd3e
0x00000000
0x00000000
0x00000000
0x00dccc79
0x00000000

APIs

_vsnwprintf_s.MSVCR120_CLR0400 ref: 00DCCC6E
_errno.MSVCR120_CLR0400 ref: 00DCCCC1
_vsnwprintf_s.MSVCR120_CLR0400 ref: 00DCCCE0
_errno.MSVCR120_CLR0400 ref: 00DCCCED
_errno.MSVCR120_CLR0400 ref: 00DCCCF8
_errno.MSVCR120_CLR0400 ref: 00DCCD03
_errno.MSVCR120_CLR0400 ref: 00DCCD0E

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: _errno$_vsnwprintf_s
String ID:
API String ID: 254546658-0
Opcode ID: 02f57e7da9524f4a8478d242f872ea6eb04e121fe34b3e7c158d8bd3b919dd0a
Instruction ID: e1457e4ae5809e95b902a21c6440d8adc1df597d8b6be383cb89db4b65bda585
Opcode Fuzzy Hash: 02f57e7da9524f4a8478d242f872ea6eb04e121fe34b3e7c158d8bd3b919dd0a
Instruction Fuzzy Hash: 5751F5711103069FD725EF28DD46FBA77A9EB94320F04462DFA6AC72A0DB309900CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCB1F Relevance: 10.6, APIs: 7, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 29%

			E00DCCB1F(void* __ebx, unsigned int* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				char _v24;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v76;
				signed int _v84;
				signed int _v88;
				intOrPtr _v96;
				signed int _v104;
				char _v600;
				char _v616;
				void* _v624;
				char _v632;
				char _v636;
				void* __esi;
				void* __ebp;
				void* _t44;
				signed int _t45;
				signed int _t48;
				signed int* _t49;
				void* _t53;
				signed int _t57;
				signed int _t58;
				signed int _t61;
				signed int* _t62;
				signed int _t69;
				signed int _t71;
				void* _t83;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr* _t95;
				signed char _t103;
				unsigned int* _t104;
				intOrPtr* _t110;
				signed char _t119;
				void* _t134;
				void* _t135;
				signed int _t137;
				signed int _t140;
				void* _t143;
				unsigned int* _t147;
				void* _t150;
				void* _t152;
				void* _t154;
				signed int _t155;
				signed int _t157;

				_t136 = __edi;
				_push(__ebx);
				_t145 = __ecx;
				_t87 = _a4;
				_t44 = ( *__ecx >> ( !(__ecx[2]) & 0x00000001)) - 1;
				if(_t44 == 0) {
					L3:
					_t95 = _t87;
					_t134 = _t95 + 1;
					do {
						_t45 =  *_t95;
						_t95 = _t95 + 1;
						__eflags = _t45;
					} while (_t45 != 0);
					_t137 = _t95 - _t134 + 1;
					_t48 = ( *_t145 >> ( !(_t145[2]) & 0x00000001)) - 1;
					__eflags = _t137 - _t48;
					if(_t137 < _t48) {
						_t137 = _t48;
					}
					__eflags = _t137 - 0x14;
					if(_t137 < 0x14) {
						_t137 = 0x14;
					}
					while(1) {
						_t137 = _t137 + _t137;
						_t49 = E00DCD115(_t48, _t145, _t137, _t145, _t137, 7, 0);
						__imp___errno();
						 *_t49 =  *_t49 & 0x00000000;
						_t103 =  !(_t145[2]) & 0x00000001;
						_t48 =  *_t145 >> _t103;
						__imp___vsnprintf_s(_t145[3], _t48, 0xffffffff, _t87, _a8);
						_t154 = _t154 + 0x14;
						__eflags = _t48;
						if(_t48 >= 0) {
							break;
						}
						__imp___errno();
						__eflags =  *_t48 - 0xc;
						if( *_t48 == 0xc) {
							L18:
							E00DCC377(_t103, _t134);
							asm("int3");
							_t152 = _t154;
							_t155 = _t154 - 0x14;
							_push(_t87);
							_push(_t145);
							_push(_t137);
							_t147 = _t103;
							_t89 = _v24;
							_t57 = ( *_t147 >> ( !(_t147[2]) & 0x00000001)) - 1;
							__eflags = _t57;
							if(_t57 == 0) {
								L21:
								_t110 = _t89;
								__eflags = 0;
								_t135 = _t110 + 2;
								do {
									_t58 =  *_t110;
									_t110 = _t110 + 2;
									__eflags = _t58;
								} while (_t58 != 0);
								_t140 = (_t110 - _t135 >> 1) + 1;
								_t61 = ( *_t147 >> ( !(_t147[2]) & 0x00000001)) - 1;
								__eflags = _t140 - _t61;
								if(_t140 < _t61) {
									_t140 = _t61;
								}
								__eflags = _t140 - 0x14;
								if(_t140 < 0x14) {
									_t140 = 0x14;
								}
								while(1) {
									_t140 = _t140 + _t140;
									_t62 = E00DCD115(_t61, _t147, _t140, _t147, _t140, 4, 0);
									__imp___errno();
									 *_t62 =  *_t62 & 0x00000000;
									_t119 =  !(_t147[2]) & 0x00000001;
									_t61 =  *_t147 >> _t119;
									__imp___vsnwprintf_s(_t147[3], _t61, 0xffffffff, _t89, _a4);
									_t155 = _t155 + 0x14;
									__eflags = _t61;
									if(_t61 >= 0) {
										goto L33;
									}
									__imp___errno();
									__eflags =  *_t61 - 0xc;
									if( *_t61 == 0xc) {
										L35:
										E00DCC377(_t119, _t135);
										asm("int3");
										_push(_t152);
										_push(0xffffffff);
										_push(E00DD0560);
										_push( *[fs:0x0]);
										_t157 = (_t155 & 0xfffffff8) - 0x21c;
										_t69 =  *0xdd2018; // 0x36238578
										_v84 = _t69 ^ _t157;
										_push(_t147);
										_push(_t140);
										_t71 =  *0xdd2018; // 0x36238578
										_push(_t71 ^ _t157);
										 *[fs:0x0] =  &_v76;
										_push(_t119);
										_push( &_v600);
										E00DCA733( &_v616, __eflags);
										_v76 = 1;
										_push( &_v48);
										_push(_v52);
										L19();
										E00DCA87E(_t89, _v56, _t135, _v56, __eflags,  &_v632);
										_v88 = _v88 | 0xffffffff;
										E00DCA914( &_v636);
										 *[fs:0x0] = _v96;
										_pop(_t143);
										_pop(_t150);
										__eflags = _v104 ^ _t157;
										return E00DCF2C0(_t89, _v104 ^ _t157, _t135, _t143, _t150);
									} else {
										__imp___errno();
										__eflags =  *_t61;
										if( *_t61 == 0) {
											continue;
										} else {
											__imp___errno();
											__eflags =  *_t61 - 9;
											if( *_t61 == 9) {
												continue;
											} else {
												__imp___errno();
												__eflags =  *_t61 - 0x22;
												if(__eflags == 0) {
													continue;
												} else {
													_t119 = 0x80070459;
													E00DCC282(_t89, 0x80070459, _t135, _t140, _t147, __eflags);
													goto L35;
												}
											}
										}
									}
									goto L37;
								}
								goto L33;
							} else {
								_t61 = _t57 + 1;
								__imp___vsnwprintf_s(_t147[3], _t61, 0xffffffff, _t89, _a4);
								_t155 = _t155 + 0x14;
								__eflags = _t61;
								if(_t61 >= 0) {
									L33:
									E00DCD115(_t61, _t147, _t140, _t147, _t61, 4, 1);
									_push(_t89);
									E00DCA7B4(_t89,  &_v24, _t140, _t147, __eflags);
									return E00DCA914( &_v24);
								} else {
									goto L21;
								}
							}
						} else {
							__imp___errno();
							__eflags =  *_t48;
							if( *_t48 == 0) {
								continue;
							} else {
								__imp___errno();
								__eflags =  *_t48 - 9;
								if( *_t48 == 9) {
									continue;
								} else {
									__imp___errno();
									__eflags =  *_t48 - 0x22;
									if(__eflags == 0) {
										continue;
									} else {
										_t103 = 0x80070459;
										E00DCC282(_t87, 0x80070459, _t134, _t137, _t145, __eflags);
										goto L18;
									}
								}
							}
						}
						goto L37;
					}
					_t104 = _t145;
					E00DCD115(_t48, _t104, _t137, _t145, _t48, 7, 1);
					_push(_t87);
					_push(_t104);
					E00DCC607(_t87,  &_v20, _t137, _t145, __eflags);
					_t53 = E00DCA914( &_v20);
					goto L16;
				} else {
					_t83 = _t44 + 1;
					__imp___vsnprintf_s(__ecx[3], _t83, 0xffffffff, _t87, _a8);
					_t154 = _t154 + 0x14;
					_t159 = _t83;
					if(_t83 < 0) {
						goto L3;
					} else {
						E00DCD115(_t83, __ecx, __edi, __ecx, _t83, 7, 1);
						_push(_t87);
						_push(__ecx);
						E00DCC607(_t87,  &_v20, __edi, __ecx, _t159);
						_t53 = E00DCA914( &_v20);
						L16:
						return _t53;
					}
				}
				L37:
			}

0x00dccb1f
0x00dccb25
0x00dccb27
0x00dccb30
0x00dccb38
0x00dccb3b
0x00dccb78
0x00dccb78
0x00dccb7a
0x00dccb7d
0x00dccb7d
0x00dccb7f
0x00dccb80
0x00dccb80
0x00dccb87
0x00dccb96
0x00dccb97
0x00dccb99
0x00dccb9b
0x00dccb9b
0x00dccb9d
0x00dccba0
0x00dccba4
0x00dccba4
0x00dccba5
0x00dccba9
0x00dccbae
0x00dccbb3
0x00dccbb9
0x00dccbc3
0x00dccbc6
0x00dccbd2
0x00dccbd8
0x00dccbdb
0x00dccbdd
0x00000000
0x00000000
0x00dccbdf
0x00dccbe5
0x00dccbe8
0x00dccc3e
0x00dccc3e
0x00dccc43
0x00dccc45
0x00dccc47
0x00dccc4a
0x00dccc4b
0x00dccc4c
0x00dccc4d
0x00dccc56
0x00dccc5e
0x00dccc5e
0x00dccc61
0x00dccc7f
0x00dccc7f
0x00dccc81
0x00dccc83
0x00dccc86
0x00dccc86
0x00dccc89
0x00dccc8c
0x00dccc8c
0x00dccc95
0x00dccca4
0x00dccca5
0x00dccca7
0x00dccca9
0x00dccca9
0x00dcccab
0x00dcccae
0x00dcccb2
0x00dcccb2
0x00dcccb3
0x00dcccb7
0x00dcccbc
0x00dcccc1
0x00dcccc7
0x00dcccd1
0x00dcccd4
0x00dccce0
0x00dccce6
0x00dccce9
0x00dccceb
0x00000000
0x00000000
0x00dccced
0x00dcccf3
0x00dcccf6
0x00dccd4b
0x00dccd4b
0x00dccd50
0x00dccd51
0x00dccd57
0x00dccd59
0x00dccd64
0x00dccd65
0x00dccd6b
0x00dccd72
0x00dccd79
0x00dccd7a
0x00dccd7b
0x00dccd82
0x00dccd8a
0x00dccd96
0x00dccd9b
0x00dccda0
0x00dccda5
0x00dccdb3
0x00dccdb4
0x00dccdb9
0x00dccdc5
0x00dccdca
0x00dccdd6
0x00dccde2
0x00dccdea
0x00dccdeb
0x00dccdf3
0x00dccdfd
0x00dcccf8
0x00dcccf8
0x00dcccfe
0x00dccd01
0x00000000
0x00dccd03
0x00dccd03
0x00dccd09
0x00dccd0c
0x00000000
0x00dccd0e
0x00dccd0e
0x00dccd14
0x00dccd17
0x00000000
0x00dccd19
0x00dccd41
0x00dccd46
0x00000000
0x00dccd46
0x00dccd17
0x00dccd0c
0x00dccd01
0x00000000
0x00dcccf6
0x00000000
0x00dccc63
0x00dccc66
0x00dccc6e
0x00dccc74
0x00dccc77
0x00dccc79
0x00dccd1b
0x00dccd22
0x00dccd27
0x00dccd2b
0x00dccd3e
0x00000000
0x00000000
0x00000000
0x00dccc79
0x00dccbea
0x00dccbea
0x00dccbf0
0x00dccbf3
0x00000000
0x00dccbf5
0x00dccbf5
0x00dccbfb
0x00dccbfe
0x00000000
0x00dccc00
0x00dccc00
0x00dccc06
0x00dccc09
0x00000000
0x00dccc0b
0x00dccc34
0x00dccc39
0x00000000
0x00dccc39
0x00dccc09
0x00dccbfe
0x00dccbf3
0x00000000
0x00dccbe8
0x00dccc12
0x00dccc14
0x00dccc19
0x00dccc1a
0x00dccc1e
0x00dccc26
0x00000000
0x00dccb3d
0x00dccb40
0x00dccb48
0x00dccb4e
0x00dccb51
0x00dccb53
0x00000000
0x00dccb55
0x00dccb5c
0x00dccb61
0x00dccb62
0x00dccb66
0x00dccb6e
0x00dccc2c
0x00dccc31
0x00dccc31
0x00dccb53
0x00000000

APIs

_vsnprintf_s.MSVCR120_CLR0400 ref: 00DCCB48

Part of subcall function 00DCC607: __EH_prolog3.LIBCMT ref: 00DCC60E

Part of subcall function 00DCA914: __EH_prolog3.LIBCMT ref: 00DCA91B

_errno.MSVCR120_CLR0400 ref: 00DCCBB3
_vsnprintf_s.MSVCR120_CLR0400 ref: 00DCCBD2
_errno.MSVCR120_CLR0400 ref: 00DCCBDF
_errno.MSVCR120_CLR0400 ref: 00DCCBEA
_errno.MSVCR120_CLR0400 ref: 00DCCBF5
_errno.MSVCR120_CLR0400 ref: 00DCCC00

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: _errno$H_prolog3_vsnprintf_s
String ID:
API String ID: 926918570-0
Opcode ID: a325720039b3746a1d2ce4e7af21a6eb716adbe62e5df866826e8f8fcf623a1f
Instruction ID: a4937a23077e0d77b74a11f58d07b8f4920832154b926d414880644827064468
Opcode Fuzzy Hash: a325720039b3746a1d2ce4e7af21a6eb716adbe62e5df866826e8f8fcf623a1f
Instruction Fuzzy Hash: AA312231220306EFE7196B68CD4AF79376AEB61311F14521CF69AA72A1CB325C00CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9BE4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000012FF,00000000,?,00000000,00DD2DA0,00000400,00000000), ref: 00DC9C59
wcsncpy_s.MSVCR120_CLR0400 ref: 00DC9C7B
_snprintf_s.MSVCR120_CLR0400 ref: 00DC9C92
wcscat_s.MSVCR120_CLR0400 ref: 00DC9CBA

Part of subcall function 00DC98B0: LoadStringW.USER32(00000000,0000000C,?,00DC9A6D), ref: 00DC98C2
Part of subcall function 00DC98B0: LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,?,00000000,?,00DC9A6D,00000100,?,00DC8C4B), ref: 00DC98D3
Part of subcall function 00DC98B0: FreeLibrary.KERNEL32(00000000,00DC9A6D,?,?,00000000,?,00DC9A6D,00000100,?,00DC8C4B), ref: 00DC98F5

Strings

Unable to format error message , xrefs: 00DC9C74
%08X, xrefs: 00DC9C85

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: LibraryLoad$FormatFreeMessageString_snprintf_swcscat_swcsncpy_s
String ID: %08X$Unable to format error message
API String ID: 2437734733-1207046165
Opcode ID: d3d841e36528e308d157ed0f749989682c11b3de5164feb649f46bf588e3deeb
Instruction ID: 4b9e36c10e4b0f7d1a0700b12d9880b8875f3a008f282c89e7b9d5d65cba62ea
Opcode Fuzzy Hash: d3d841e36528e308d157ed0f749989682c11b3de5164feb649f46bf588e3deeb
Instruction Fuzzy Hash: 91210571A012196AEB249B249D5AFFBBBACEF45320F10016EF509D3281EA308D4187F4

Uniqueness

Uniqueness Score: -1.00%

Function 00DCECCA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,80004005,00000000), ref: 00DCECF4

Part of subcall function 00DCDFD2: GetLastError.KERNEL32(00DCE7FC,?,00DCECAF,?,?), ref: 00DCDFD2

Strings

v4.0.30319, xrefs: 00DCED5E
mscorrc.dll, xrefs: 00DCED30

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: mscorrc.dll$v4.0.30319
API String ID: 2776309574-2820514680
Opcode ID: 47d67c2a2ac7e8d8f4780e2cb073e302956aac66a826bc7d3268b2aa41371329
Instruction ID: 9f3f39491bd9a71fe4a6afed4571d96a95abe4590a962da60bfa9e1329e9981b
Opcode Fuzzy Hash: 47d67c2a2ac7e8d8f4780e2cb073e302956aac66a826bc7d3268b2aa41371329
Instruction Fuzzy Hash: 7A212CB1A01219ABEB20DB949C89FFFB76CDB44715F10016AB90AE3140E6749E888A75

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA0BD Relevance: 10.6, APIs: 7, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00DCA0BD(void* __ecx, void* __edx) {
				long _t2;
				signed int _t11;
				void* _t14;
				signed int _t17;
				long _t21;
				void* _t22;
				void* _t25;

				_t2 =  *0xdd202c; // 0xffffffff
				_t14 = __edx;
				_t22 = __ecx;
				if(_t2 == 0xffffffff) {
					_t11 = TlsAlloc();
					_t21 = _t11;
					asm("lock cmpxchg [esi], ecx");
					if((_t11 | 0xffffffff) != 0xffffffff) {
						TlsFree(_t21);
					}
					_t2 =  *0xdd202c; // 0xffffffff
					 *0xdd2028 = 0xdca0b0;
				}
				_t25 = TlsGetValue(_t2);
				if(_t25 != 0 || _t14 == 0) {
					L11:
					return _t25;
				} else {
					_t25 = HeapAlloc(GetProcessHeap(), 0, 0x58);
					if(_t25 != 0) {
						L10:
						_t17 = 0x16;
						memset(_t25, 0, _t17 << 2);
						TlsSetValue( *0xdd202c, _t25);
						goto L11;
					}
					if(_t22 == 9 || _t22 == 6) {
						return 0;
					} else {
						RaiseException(0xc0000017, 0, 0, 0);
						goto L10;
					}
				}
			}

0x00dca0bd
0x00dca0c3
0x00dca0c7
0x00dca0cc
0x00dca0ce
0x00dca0d4
0x00dca0e0
0x00dca0e7
0x00dca0ea
0x00dca0ea
0x00dca0f0
0x00dca0f5
0x00dca0f5
0x00dca106
0x00dca10a
0x00dca156
0x00000000
0x00dca110
0x00dca122
0x00dca126
0x00dca140
0x00dca142
0x00dca147
0x00dca150
0x00000000
0x00dca150
0x00dca12b
0x00000000
0x00dca132
0x00dca13a
0x00000000
0x00dca13a
0x00dca12b

APIs

TlsAlloc.KERNEL32(?,?,?,00DCA211), ref: 00DCA0CE
TlsFree.KERNEL32(00000000,?,?,?,00DCA211), ref: 00DCA0EA
TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00DCA211), ref: 00DCA100
GetProcessHeap.KERNEL32(00000000,00000058,?,?,?,00DCA211), ref: 00DCA115
HeapAlloc.KERNEL32(00000000,?,?,?,00DCA211), ref: 00DCA11C
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,00DCA211), ref: 00DCA13A
TlsSetValue.KERNEL32(00000000,?,?,?,00DCA211), ref: 00DCA150

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: AllocHeapValue$ExceptionFreeProcessRaise
String ID:
API String ID: 594535578-0
Opcode ID: 52d9517735641088802c6d3d614c84b801509dfa86eab29947e2e17577d7c610
Instruction ID: 0dd74ee76225a9e383b6301702fa40c7fae2ab862e84d367a425edcf3541980a
Opcode Fuzzy Hash: 52d9517735641088802c6d3d614c84b801509dfa86eab29947e2e17577d7c610
Instruction Fuzzy Hash: F01156326023169FC7250B7CAC48F7677699B593B571D462BFA19D33A0DA308C409675

Uniqueness

Uniqueness Score: -1.00%

Function 00DC90DA Relevance: 10.5, APIs: 7, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00DC90DA(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
				signed int _v8;
				char _v8200;
				signed int _t9;
				int _t13;
				char* _t14;
				int _t16;
				void* _t20;
				void* _t23;
				void* _t24;
				void* _t25;
				signed int _t26;

				_t25 = __esi;
				_t24 = __edi;
				_t23 = __edx;
				_t20 = __ebx;
				E00DCFBE0(0x2004);
				_t9 =  *0xdd2018; // 0x36238578
				_v8 = _t9 ^ _t26;
				__imp___vsnwprintf_s( &_v8200, 0x1000, 0xffffffff, _a4,  &_a8);
				_t13 = IsDebuggerPresent();
				_t14 =  &_v8200;
				_push(_t14);
				if(_t13 == 0) {
					__imp____iob_func();
					_t16 = fwprintf(_t14 + 0x20, 0xdc14d0);
					__imp____iob_func();
					fflush(_t16 + 0x20);
				} else {
					OutputDebugStringW();
				}
				return E00DCF2C0(_t20, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x00dc90da
0x00dc90da
0x00dc90da
0x00dc90da
0x00dc90e2
0x00dc90e7
0x00dc90ee
0x00dc9106
0x00dc910f
0x00dc9117
0x00dc911d
0x00dc911e
0x00dc912d
0x00dc9137
0x00dc913d
0x00dc9147
0x00dc9120
0x00dc9120
0x00dc9120
0x00dc915d

APIs

_vsnwprintf_s.MSVCR120_CLR0400 ref: 00DC9106
IsDebuggerPresent.KERNEL32(?,?,00DC999F,?,?), ref: 00DC910F
OutputDebugStringW.KERNEL32(?,?,?,00DC999F,?,?), ref: 00DC9120
__iob_func.MSVCR120_CLR0400 ref: 00DC912D
fwprintf.MSVCR120_CLR0400 ref: 00DC9137
__iob_func.MSVCR120_CLR0400 ref: 00DC913D
fflush.MSVCR120_CLR0400 ref: 00DC9147

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: __iob_func$DebugDebuggerOutputPresentString_vsnwprintf_sfflushfwprintf
String ID:
API String ID: 623727150-0
Opcode ID: a80703371579566fa1413c0aa16a0bb25615ff8526969263bc79e219a4b7d222
Instruction ID: ff1fbff01bcfc77cf6a07a79ea6f53eb30c248277f37a195783e5d04650fad91
Opcode Fuzzy Hash: a80703371579566fa1413c0aa16a0bb25615ff8526969263bc79e219a4b7d222
Instruction Fuzzy Hash: 6701817550130A9FDB10AFA4DC4EF9A7768EF04305B040166F61ED7392DA309A94CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE804 Relevance: 9.2, APIs: 6, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00DCE804(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t113;
				signed int _t116;
				intOrPtr _t121;
				intOrPtr _t123;
				intOrPtr _t132;
				signed int _t153;
				intOrPtr* _t173;
				signed int _t175;
				void* _t179;
				void* _t184;
				intOrPtr* _t185;
				signed int _t187;
				intOrPtr* _t190;
				intOrPtr* _t228;
				signed int _t229;
				signed int _t230;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				unsigned int* _t239;
				signed int _t240;
				void* _t241;
				unsigned int* _t242;
				unsigned int _t243;
				unsigned int* _t244;
				void* _t245;
				void* _t246;
				void* _t247;
				void* _t248;
				void* _t250;

				_push(0x278);
				E00DCFBA1(E00DD0962, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t246 - 0x240)) = __ecx;
				 *((intOrPtr*)(_t246 - 0x23c)) = __ecx;
				 *((intOrPtr*)(_t246 - 0x254)) =  *((intOrPtr*)(_t246 + 8));
				 *((intOrPtr*)(_t246 - 0x248)) =  *((intOrPtr*)(_t246 + 0xc));
				_t237 = 0x80004005;
				_t173 =  *((intOrPtr*)(__ecx + 0x18));
				_t179 = _t173 + 2;
				_t235 = 0;
				do {
					_t113 =  *_t173;
					_t173 = _t173 + 2;
					_t254 = _t113;
				} while (_t113 != 0);
				_t175 = _t173 - _t179 >> 1;
				 *(_t246 - 0x234) = _t175;
				E00DCC648(0x80004005, _t254);
				 *(_t246 - 0x274) = 0;
				 *((intOrPtr*)(_t246 - 0x270)) = 0;
				 *((intOrPtr*)(_t246 - 0x26c)) = 5;
				 *(_t246 - 4) = 1;
				_t116 =  *( *((intOrPtr*)(_t246 - 0x240)) + 0x20);
				 *(_t246 - 0x238) = _t116;
				if(_t116 == 0) {
					 *(_t246 - 0x250) = 0;
					 *(_t246 - 0x24c) = 0;
					 *(_t246 - 4) = 2;
					 *(_t246 - 4) = 3;
					_push( *0xdd2918);
					E00DCE1DE(_t175, _t246 - 0x274, __edx, 0, 0x80004005, __eflags);
					 *(_t246 - 4) = 2;
					 *(_t246 - 4) = 1;
					__eflags =  *(_t246 - 0x250) & 0x00000002;
					if(( *(_t246 - 0x250) & 0x00000002) != 0) {
						E00DCE15C();
					}
				} else {
					 *0xdd41d0(_t246 - 0x274);
					_t237 =  *(_t246 - 0x238)();
				}
				if(_t237 != 0x8007000e) {
					 *((short*)(_t246 - 0x22c)) = 0;
					 *((short*)(_t246 - 0x20)) = 0;
					__eflags = 0;
					 *((short*)( *((intOrPtr*)(_t246 - 0x248)) + 0x206)) = 0;
					_t248 = _t247 - 0x14;
					E00DCEE75( *((intOrPtr*)(_t246 - 0x248)), _t246 - 0x20, _t246 - 0x22c, _t246 - 0x22c);
					_t228 = _t246 - 0x20;
					_t184 = _t228 + 2;
					do {
						_t121 =  *_t228;
						_t228 = _t228 + 2;
						__eflags = _t121 - _t235;
					} while (_t121 != _t235);
					_t229 = _t228 - _t184;
					__eflags = _t229;
					_t230 = _t229 >> 1;
					 *(_t246 - 0x24c) = _t230;
					_t185 = _t246 - 0x22c;
					 *((intOrPtr*)(_t246 - 0x23c)) = _t185 + 2;
					do {
						_t123 =  *_t185;
						_t185 = _t185 + 2;
						__eflags = _t123 - _t235;
					} while (_t123 != _t235);
					_t187 = _t185 -  *((intOrPtr*)(_t246 - 0x23c)) >> 1;
					 *(_t246 - 0x238) = _t187;
					 *((intOrPtr*)(_t246 - 0x23c)) = _t230 + 1 + _t187 + _t175;
					__eflags =  *(_t246 - 0x274);
					if( *(_t246 - 0x274) <= 0) {
						L24:
						__eflags = _t237;
						if(_t237 < 0) {
							_t237 = E00DCE7CF( *((intOrPtr*)(_t246 - 0x240)),  *((intOrPtr*)(_t246 - 0x254)),  *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x240)) + 0x18)));
						}
						L26:
						_t107 = _t246 - 4;
						 *_t107 =  *(_t246 - 4) | 0xffffffff;
						__eflags =  *_t107;
						E00DCE299(_t246 - 0x274);
						goto L27;
					} else {
						goto L14;
					}
					do {
						L14:
						_t238 = _t235;
						_t190 = _t246 - 0x270;
						_t132 =  *((intOrPtr*)(_t246 - 0x26c));
						__eflags = _t235 - _t132;
						if(_t235 < _t132) {
							L16:
							_t239 =  *(_t190 + 8 + _t238 * 4);
							 *(_t246 - 0x234) = _t239;
							E00DCA95D(_t175, _t239, _t235, _t239);
							__eflags = ( *_t239 >> ( !(_t239[2]) & 0x00000001)) +  *((intOrPtr*)(_t246 - 0x23c)) - 1 - 0x104;
							if(( *_t239 >> ( !(_t239[2]) & 0x00000001)) +  *((intOrPtr*)(_t246 - 0x23c)) - 1 > 0x104) {
								_t237 = 0x80004005;
								goto L23;
							}
							_t240 =  *(_t246 - 0x24c);
							__imp__wcscpy_s( *((intOrPtr*)(_t246 - 0x248)), _t240 + 1, _t246 - 0x20);
							_t241 =  *((intOrPtr*)(_t246 - 0x248)) + _t240 * 2;
							__imp__wcscpy_s(_t241,  *(_t246 - 0x238) + 1, _t246 - 0x22c);
							_t250 = _t248 + 0x18;
							 *((intOrPtr*)(_t246 - 0x230)) = _t241 +  *(_t246 - 0x238) * 2;
							_t242 =  *(_t246 - 0x234);
							__eflags = ( *_t242 >> ( !(_t242[2]) & 0x00000001)) - 1;
							if(__eflags == 0) {
								E00DCA95D(_t175, _t242, _t235, _t242);
								_push( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x240)) + 0x18)));
								_push(_t175 + 1);
								_t153 =  *((intOrPtr*)(_t246 - 0x230)) + ( *_t242 >> ( !(_t242[2]) & 0x00000001)) * 2 + 0xfffffffe;
								__eflags = _t153;
							} else {
								E00DCC86D(_t175, _t242, _t235, _t242, __eflags);
								_t243 = _t242[3];
								E00DCA95D(_t175,  *(_t246 - 0x234), _t235, _t243);
								_t244 =  *(_t246 - 0x234);
								__imp__wcscpy_s( *((intOrPtr*)(_t246 - 0x230)),  *( *(_t246 - 0x234)) >> ( !(_t244[2]) & 0x00000001), _t243);
								E00DCA95D(_t175, _t244, _t235, _t244);
								_t245 = _t175 + 1;
								__imp__wcscpy_s( *((intOrPtr*)(_t246 - 0x230)) - 2 + ( *_t244 >> ( !(( *(_t246 - 0x234))[2]) & 0x00000001)) * 2, _t245, "\\");
								_t250 = _t250 + 0x18;
								E00DCA95D(_t175,  *(_t246 - 0x234), _t235, _t245);
								_push( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x240)) + 0x18)));
								_push(_t245);
								_t153 =  *((intOrPtr*)(_t246 - 0x230)) + ( *( *(_t246 - 0x234)) >> ( !(( *(_t246 - 0x234))[2]) & 0x00000001)) * 2;
							}
							__imp__wcscpy_s(_t153);
							_t248 = _t250 + 0xc;
							_t237 = E00DCE7CF( *((intOrPtr*)(_t246 - 0x240)),  *((intOrPtr*)(_t246 - 0x254)),  *((intOrPtr*)(_t246 - 0x248)));
							__eflags = _t237;
							if(_t237 >= 0) {
								goto L26;
							} else {
								goto L23;
							}
						} else {
							goto L15;
						}
						do {
							L15:
							_t238 = _t238 - _t132;
							_t190 =  *_t190;
							_t132 =  *((intOrPtr*)(_t190 + 4));
							__eflags = _t238 - _t132;
						} while (_t238 >= _t132);
						goto L16;
						L23:
						_t235 = _t235 + 1;
						__eflags = _t235 -  *(_t246 - 0x274);
					} while (_t235 <  *(_t246 - 0x274));
					goto L24;
				} else {
					 *(_t246 - 4) =  *(_t246 - 4) | 0xffffffff;
					E00DCE299(_t246 - 0x274);
					L27:
					return E00DCFAF3(_t175, _t235, _t237);
				}
			}

0x00dce804
0x00dce80e
0x00dce815
0x00dce81b
0x00dce824
0x00dce82d
0x00dce833
0x00dce838
0x00dce83b
0x00dce83e
0x00dce840
0x00dce840
0x00dce843
0x00dce846
0x00dce846
0x00dce84d
0x00dce84f
0x00dce855
0x00dce85a
0x00dce860
0x00dce866
0x00dce870
0x00dce87d
0x00dce880
0x00dce888
0x00dce8a6
0x00dce8ac
0x00dce8b2
0x00dce8b6
0x00dce8ba
0x00dce8c6
0x00dce8cb
0x00dce8d2
0x00dcea15
0x00dcea1c
0x00dcea1e
0x00dcea1e
0x00dce88a
0x00dce893
0x00dce89f
0x00dce89f
0x00dcea29
0x00dcea43
0x00dcea4a
0x00dcea4e
0x00dcea56
0x00dcea5d
0x00dcea6d
0x00dcea72
0x00dcea75
0x00dcea78
0x00dcea78
0x00dcea7b
0x00dcea7e
0x00dcea7e
0x00dcea83
0x00dcea83
0x00dcea85
0x00dcea87
0x00dcea8d
0x00dcea96
0x00dcea9c
0x00dcea9c
0x00dcea9f
0x00dceaa2
0x00dceaa2
0x00dceaad
0x00dceaaf
0x00dceabc
0x00dceac2
0x00dceac9
0x00dcec95
0x00dcec95
0x00dcec97
0x00dcecaf
0x00dcecaf
0x00dcecb1
0x00dcecb1
0x00dcecb1
0x00dcecb1
0x00dcecbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00dceacf
0x00dceacf
0x00dceacf
0x00dcead1
0x00dcead7
0x00dceadd
0x00dceadf
0x00dceaec
0x00dceaec
0x00dceaf0
0x00dceaf8
0x00dceb12
0x00dceb17
0x00dcec83
0x00000000
0x00dcec83
0x00dceb21
0x00dceb31
0x00dceb40
0x00dceb53
0x00dceb59
0x00dceb65
0x00dceb6b
0x00dceb7d
0x00dceb80
0x00dcec30
0x00dcec3d
0x00dcec43
0x00dcec57
0x00dcec57
0x00dceb86
0x00dceb88
0x00dceb8d
0x00dceb96
0x00dceba4
0x00dcebbb
0x00dcebc6
0x00dcebcd
0x00dcebf3
0x00dcebf9
0x00dcec02
0x00dcec15
0x00dcec18
0x00dcec29
0x00dcec29
0x00dcec5b
0x00dcec61
0x00dcec7b
0x00dcec7d
0x00dcec7f
0x00000000
0x00dcec81
0x00000000
0x00dcec81
0x00000000
0x00000000
0x00000000
0x00dceae1
0x00dceae1
0x00dceae1
0x00dceae3
0x00dceae5
0x00dceae8
0x00dceae8
0x00000000
0x00dcec88
0x00dcec88
0x00dcec89
0x00dcec89
0x00000000
0x00dcea2b
0x00dcea2b
0x00dcea35
0x00dcecc2
0x00dcecc7
0x00dcecc7

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00DCE80E

Part of subcall function 00DCE1DE: __EH_prolog3.LIBCMT ref: 00DCE1E5

wcscpy_s.MSVCR120_CLR0400 ref: 00DCEB31
wcscpy_s.MSVCR120_CLR0400 ref: 00DCEB53
wcscpy_s.MSVCR120_CLR0400 ref: 00DCEBBB

Part of subcall function 00DCA95D: __EH_prolog3_GS.LIBCMT ref: 00DCC877

wcscpy_s.MSVCR120_CLR0400 ref: 00DCEBF3
wcscpy_s.MSVCR120_CLR0400 ref: 00DCEC5B

Part of subcall function 00DCE7CF: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00DCECAF,?,?), ref: 00DCE7E8

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: wcscpy_s$H_prolog3H_prolog3_H_prolog3_catch_LibraryLoad
String ID:
API String ID: 2790227069-0
Opcode ID: 7800282e97181c73cbe3f26bd5604803cb400988520e8b7293b7441a56efd6fd
Instruction ID: 9426e0242c937ffcfc5627bd660b5eca8dd7efba1bdf0cfd0beb2132b10bafe9
Opcode Fuzzy Hash: 7800282e97181c73cbe3f26bd5604803cb400988520e8b7293b7441a56efd6fd
Instruction Fuzzy Hash: B1A1497590122A9BCB24EF68CC99BACB7B5FF48304F0441DDE40AA7251DB35AE85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC347 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00DCC347(signed short __ecx, signed int __edx) {
				signed int _v8;
				void* _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				signed short _t32;
				signed int _t44;
				intOrPtr _t45;
				void* _t46;
				char _t48;
				intOrPtr _t53;
				signed int _t65;
				void* _t68;
				void* _t69;
				signed int _t72;
				char* _t75;
				signed int _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed short _t97;

				_t85 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				if(__ecx == 8) {
					L6();
				}
				if(_t32 > 0) {
					_t32 = _t32 & 0x0000ffff | 0x80070000;
					_t97 = _t32;
				}
				_t71 = _t32;
				E00DCC282(_t68, _t32, _t85, _t86, _t88, _t97);
				asm("int3");
				_t72 = GetLastError();
				E00DCC347(_t72, _t85, _t71);
				asm("int3");
				_push(_t72);
				 *0xdd2910 = 0x8007000e;
				_v8 = E00DCAE48(_t86, _t88, _t97);
				_push(0xdd1c70);
				_push( &_v8);
				L00DCFAC6();
				asm("int3");
				_push(0x28);
				E00DCFB02(E00DD0388, _t68, _t86, _t88);
				_t89 = _t85;
				_t87 = _t72;
				_push(0xdc7000);
				E00DCA7B4(_t68,  &_v56, _t87, _t89, _t97);
				_v8 = _v8 & 0x00000000;
				E00DCA852(_t89,  &_v56);
				_v8 = _v8 | 0xffffffff;
				_t75 =  &_v56;
				E00DCA914(_t75);
				_t44 = 2;
				_v40 = _t44;
				_v36 = _t44;
				_v32 = 0x10;
				_v28 = 0xdc1624;
				_v8 = _t44;
				if(_t87 >= 0 || (_t87 & 0x1fff0000) != 0x130000) {
					L11:
					_t45 =  *0xdd2918; // 0x0
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t45);
					_push(_t75);
					_push(_t87);
					_push(_t75);
					_push(_t75);
					_t46 = E00DCCDFE(_t68,  &_v40, _t87, _t89, __eflags);
				} else {
					_t65 = _t87 & 0x0000ffff;
					_t100 = _t65 - 0x3000;
					if(_t65 >= 0x3000) {
						goto L11;
					} else {
						_t46 = E00DCDC70( &_v40, _t100, _t75, _t65 + 0x6000);
					}
				}
				_t77 = _t87;
				_t69 = _t46;
				_v24 = E00DCB110(_t77);
				_t101 = _t69;
				if(_t69 != 0) {
					E00DCA87E(_t69, _t89, _t85, _t87, _t101,  &_v40);
					_push(L" (");
					_t77 = _t89;
					E00DCA8D3(_t69, _t77, _t85, _t87, _t89, _t101);
				}
				_t48 = 2;
				_v56 = _t48;
				_v52 = _t48;
				_v48 = 0x10;
				_v44 = 0xdc1624;
				_v8 = 4;
				_push(0x1709);
				_push(_t77);
				_push(_t77);
				E00DCDC8A(_t69,  &_v56, _t87, _t89, _t101);
				_t79 = _t89;
				E00DCA87E(_t69, _t89, _t85, _t87, _t101,  &_v56);
				E00DCCD51(_t69, _t89, _t101, _t89, L"0x%.8X", _t87);
				_t53 = _v24;
				_t102 = _t53;
				if(_t53 != 0) {
					E00DCCD51(_t69, _t79, _t102, _t89, L" (%S)", _t53);
				}
				_t103 = _t69;
				if(_t69 != 0) {
					_push(")");
					E00DCA8D3(_t69, _t89, _t85, _t87, _t89, _t103);
				}
				_v8 = 2;
				E00DCA914( &_v56);
				_v8 = _v8 | 0xffffffff;
				return E00DCFAD0(E00DCA914( &_v40));
			}

0x00dcc347
0x00dcc347
0x00dcc349
0x00dcc34d
0x00dcc34f
0x00dcc34f
0x00dcc356
0x00dcc35b
0x00dcc35b
0x00dcc35b
0x00dcc360
0x00dcc362
0x00dcc367
0x00dcc36f
0x00dcc371
0x00dcc376
0x00dcc37a
0x00dcc37b
0x00dcc38a
0x00dcc390
0x00dcc395
0x00dcc396
0x00dcc39b
0x00dcc39c
0x00dcc3a3
0x00dcc3a8
0x00dcc3aa
0x00dcc3ac
0x00dcc3b4
0x00dcc3b9
0x00dcc3c3
0x00dcc3c8
0x00dcc3cc
0x00dcc3cf
0x00dcc3d6
0x00dcc3d7
0x00dcc3da
0x00dcc3dd
0x00dcc3e4
0x00dcc3eb
0x00dcc3f0
0x00dcc41f
0x00dcc41f
0x00dcc424
0x00dcc425
0x00dcc426
0x00dcc427
0x00dcc428
0x00dcc429
0x00dcc42a
0x00dcc42b
0x00dcc42c
0x00dcc42d
0x00dcc42e
0x00dcc42f
0x00dcc430
0x00dcc431
0x00dcc435
0x00dcc400
0x00dcc402
0x00dcc407
0x00dcc40c
0x00000000
0x00dcc40e
0x00dcc418
0x00dcc418
0x00dcc40c
0x00dcc43a
0x00dcc43c
0x00dcc443
0x00dcc446
0x00dcc448
0x00dcc450
0x00dcc455
0x00dcc45a
0x00dcc45c
0x00dcc45c
0x00dcc463
0x00dcc464
0x00dcc467
0x00dcc46a
0x00dcc471
0x00dcc478
0x00dcc47c
0x00dcc481
0x00dcc482
0x00dcc486
0x00dcc48e
0x00dcc491
0x00dcc49d
0x00dcc4a2
0x00dcc4a8
0x00dcc4aa
0x00dcc4b3
0x00dcc4b8
0x00dcc4bb
0x00dcc4bd
0x00dcc4bf
0x00dcc4c6
0x00dcc4c6
0x00dcc4cb
0x00dcc4d2
0x00dcc4d7
0x00dcc4e8

APIs

GetLastError.KERNEL32(?,00DCCA45,?,?,00DC1624,?,?,?,00DCC8C8,?,?,?,00000001,00000004,00000214,00DCCE51), ref: 00DCC369
_CxxThrowException.MSVCR120_CLR0400(00000000,00DD1C70), ref: 00DCC396
__EH_prolog3.LIBCMT ref: 00DCC3A3

Strings

0x%.8X, xrefs: 00DCC497
(%S), xrefs: 00DCC4AD

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: ErrorExceptionH_prolog3LastThrow
String ID: (%S)$0x%.8X
API String ID: 367115216-2048090024
Opcode ID: 3476953b4e15da381b3f34fb1157a53e43d1913e87439b24d30f6882c7711b2f
Instruction ID: a84a4b9f71578f8fd6ffaeea23646519cfbcdf847a71eaebe2241d0a9a0cf325
Opcode Fuzzy Hash: 3476953b4e15da381b3f34fb1157a53e43d1913e87439b24d30f6882c7711b2f
Instruction Fuzzy Hash: 7141C1B1A1120AABDB04EBA4D917FEE7AB5DF04310F24412DF609E7282DB749F049B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC368 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00DCC368(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				signed int _t42;
				intOrPtr _t43;
				void* _t44;
				char _t46;
				intOrPtr _t51;
				signed int _t63;
				void* _t65;
				void* _t66;
				signed int _t68;
				char* _t71;
				signed int _t73;
				signed int _t81;
				void* _t82;
				signed int _t83;
				void* _t84;
				signed int _t85;
				void* _t91;

				_t91 = __eflags;
				_t81 = __edx;
				_t68 = GetLastError();
				E00DCC347(_t68, _t81, __ecx);
				asm("int3");
				_push(_t68);
				 *0xdd2910 = 0x8007000e;
				_v8 = E00DCAE48(_t82, _t84, _t91);
				_push(0xdd1c70);
				_push( &_v8);
				L00DCFAC6();
				asm("int3");
				_push(0x28);
				E00DCFB02(E00DD0388, _t65, _t82, _t84);
				_t85 = _t81;
				_t83 = _t68;
				_push(0xdc7000);
				E00DCA7B4(_t65,  &_v56, _t83, _t85, _t91);
				_v8 = _v8 & 0x00000000;
				E00DCA852(_t85,  &_v56);
				_v8 = _v8 | 0xffffffff;
				_t71 =  &_v56;
				E00DCA914(_t71);
				_t42 = 2;
				_v40 = _t42;
				_v36 = _t42;
				_v32 = 0x10;
				_v28 = 0xdc1624;
				_v8 = _t42;
				if(_t83 >= 0 || (_t83 & 0x1fff0000) != 0x130000) {
					L6:
					_t43 =  *0xdd2918; // 0x0
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t43);
					_push(_t71);
					_push(_t83);
					_push(_t71);
					_push(_t71);
					_t44 = E00DCCDFE(_t65,  &_v40, _t83, _t85, __eflags);
				} else {
					_t63 = _t83 & 0x0000ffff;
					_t94 = _t63 - 0x3000;
					if(_t63 >= 0x3000) {
						goto L6;
					} else {
						_t44 = E00DCDC70( &_v40, _t94, _t71, _t63 + 0x6000);
					}
				}
				_t73 = _t83;
				_t66 = _t44;
				_v24 = E00DCB110(_t73);
				_t95 = _t66;
				if(_t66 != 0) {
					E00DCA87E(_t66, _t85, _t81, _t83, _t95,  &_v40);
					_push(L" (");
					_t73 = _t85;
					E00DCA8D3(_t66, _t73, _t81, _t83, _t85, _t95);
				}
				_t46 = 2;
				_v56 = _t46;
				_v52 = _t46;
				_v48 = 0x10;
				_v44 = 0xdc1624;
				_v8 = 4;
				_push(0x1709);
				_push(_t73);
				_push(_t73);
				E00DCDC8A(_t66,  &_v56, _t83, _t85, _t95);
				_t75 = _t85;
				E00DCA87E(_t66, _t85, _t81, _t83, _t95,  &_v56);
				E00DCCD51(_t66, _t85, _t95, _t85, L"0x%.8X", _t83);
				_t51 = _v24;
				_t96 = _t51;
				if(_t51 != 0) {
					E00DCCD51(_t66, _t75, _t96, _t85, L" (%S)", _t51);
				}
				_t97 = _t66;
				if(_t66 != 0) {
					_push(")");
					E00DCA8D3(_t66, _t85, _t81, _t83, _t85, _t97);
				}
				_v8 = 2;
				E00DCA914( &_v56);
				_v8 = _v8 | 0xffffffff;
				return E00DCFAD0(E00DCA914( &_v40));
			}

0x00dcc368
0x00dcc368
0x00dcc36f
0x00dcc371
0x00dcc376
0x00dcc37a
0x00dcc37b
0x00dcc38a
0x00dcc390
0x00dcc395
0x00dcc396
0x00dcc39b
0x00dcc39c
0x00dcc3a3
0x00dcc3a8
0x00dcc3aa
0x00dcc3ac
0x00dcc3b4
0x00dcc3b9
0x00dcc3c3
0x00dcc3c8
0x00dcc3cc
0x00dcc3cf
0x00dcc3d6
0x00dcc3d7
0x00dcc3da
0x00dcc3dd
0x00dcc3e4
0x00dcc3eb
0x00dcc3f0
0x00dcc41f
0x00dcc41f
0x00dcc424
0x00dcc425
0x00dcc426
0x00dcc427
0x00dcc428
0x00dcc429
0x00dcc42a
0x00dcc42b
0x00dcc42c
0x00dcc42d
0x00dcc42e
0x00dcc42f
0x00dcc430
0x00dcc431
0x00dcc435
0x00dcc400
0x00dcc402
0x00dcc407
0x00dcc40c
0x00000000
0x00dcc40e
0x00dcc418
0x00dcc418
0x00dcc40c
0x00dcc43a
0x00dcc43c
0x00dcc443
0x00dcc446
0x00dcc448
0x00dcc450
0x00dcc455
0x00dcc45a
0x00dcc45c
0x00dcc45c
0x00dcc463
0x00dcc464
0x00dcc467
0x00dcc46a
0x00dcc471
0x00dcc478
0x00dcc47c
0x00dcc481
0x00dcc482
0x00dcc486
0x00dcc48e
0x00dcc491
0x00dcc49d
0x00dcc4a2
0x00dcc4a8
0x00dcc4aa
0x00dcc4b3
0x00dcc4b8
0x00dcc4bb
0x00dcc4bd
0x00dcc4bf
0x00dcc4c6
0x00dcc4c6
0x00dcc4cb
0x00dcc4d2
0x00dcc4d7
0x00dcc4e8

APIs

GetLastError.KERNEL32(?,00DCCA45,?,?,00DC1624,?,?,?,00DCC8C8,?,?,?,00000001,00000004,00000214,00DCCE51), ref: 00DCC369

Part of subcall function 00DCC347: _CxxThrowException.MSVCR120_CLR0400(00000000,00DD1C70), ref: 00DCC396
Part of subcall function 00DCC347: __EH_prolog3.LIBCMT ref: 00DCC3A3

Strings

0x%.8X, xrefs: 00DCC497
(%S), xrefs: 00DCC4AD

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: ErrorExceptionH_prolog3LastThrow
String ID: (%S)$0x%.8X
API String ID: 367115216-2048090024
Opcode ID: 62a1d4d80ca06414c70ff3ad05ee4e3ba52c5400b018a3cb3d460accc00afebe
Instruction ID: 68f77993b630c1f82f90c0997849ee19ac0ac4a5409b7b51c7596987e4e3dbc1
Opcode Fuzzy Hash: 62a1d4d80ca06414c70ff3ad05ee4e3ba52c5400b018a3cb3d460accc00afebe
Instruction Fuzzy Hash: A131B2B190120AABDB05EBA4C917FEE7AB5DF04310F10412DF609E7282DB749F048B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC9229 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
libraryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00DC9229(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t11;
				signed short _t12;
				intOrPtr _t17;
				signed int _t20;
				struct HINSTANCE__* _t23;
				intOrPtr* _t27;
				void* _t28;

				_push(8);
				E00DCFB02(E00DCFE6C, __ebx, __edi, __esi);
				_t27 = __ecx;
				_t11 =  *0xdd28d8; // 0x0
				if(_t11 != 0) {
					L9:
					 *_t27 = _t11;
					_t12 = 0;
					L10:
					return E00DCFAD0(_t12);
				}
				_t20 = 0;
				_t23 = LoadLibraryExW(L"mscoree.dll", 0, 0);
				if(_t23 != 0) {
					 *((short*)(_t28 - 0x10)) = 0;
					 *(_t28 - 0x14) = _t23;
					 *((char*)(_t28 - 0x10)) = 1;
					 *(_t28 - 4) = 1;
					asm("lock cmpxchg [edi], ecx");
					if(0 == 0) {
						_t17 =  *0xdd28d8; // 0x0
						_t20 = 1;
						 *0xdd2d90 = _t17;
						 *0xdd2d94 = 1;
						 *((char*)(_t28 - 0xf)) = 1;
					}
					 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
					if(_t20 == 0) {
						FreeLibrary(_t23);
					}
					_t11 =  *0xdd28d8; // 0x0
					 *((short*)(_t28 - 0x10)) = 0;
					goto L9;
				}
				_t12 = GetLastError();
				if(_t12 > 0) {
					_t12 = _t12 & 0x0000ffff | 0x80070000;
				}
				goto L10;
			}

0x00dc9229
0x00dc9230
0x00dc9235
0x00dc9237
0x00dc923e
0x00dc92bc
0x00dc92bc
0x00dc92be
0x00dc92c0
0x00dc92c5
0x00dc92c5
0x00dc9240
0x00dc924f
0x00dc9253
0x00dc9269
0x00dc926d
0x00dc9270
0x00dc9274
0x00dc9284
0x00dc928a
0x00dc928c
0x00dc9291
0x00dc9293
0x00dc9298
0x00dc929f
0x00dc929f
0x00dc92a2
0x00dc92a8
0x00dc92ab
0x00dc92ab
0x00dc92b1
0x00dc92b6
0x00000000
0x00dc92b6
0x00dc9255
0x00dc925d
0x00dc9262
0x00dc9262
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00DC9230
LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,00000008,00DC92FA,?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425,?,?,00DC985C), ref: 00DC9249
GetLastError.KERNEL32(?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425,?,?,00DC985C,?,00000000), ref: 00DC9255
FreeLibrary.KERNEL32(00000000,?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425), ref: 00DC92AB

Strings

mscoree.dll, xrefs: 00DC9244

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: Library$ErrorFreeH_prolog3LastLoad
String ID: mscoree.dll
API String ID: 1432486926-1912557249
Opcode ID: 4c8ad0914e18fd5df772effd332fd2cf3307a3f6732772489a4946f8943280fc
Instruction ID: f3978fa32caa4822f6deec5e77774d35cba7b41f982a5ace45899293da6136a5
Opcode Fuzzy Hash: 4c8ad0914e18fd5df772effd332fd2cf3307a3f6732772489a4946f8943280fc
Instruction Fuzzy Hash: 1A117974A013469FEB009BA89858B6AF7E1AF24304F58852EE884D7361E77189449775

Uniqueness

Uniqueness Score: -1.00%

Function 00DC98B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
libraryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00DC98B0(int __ecx, WCHAR* __edx, int _a4) {
				struct HINSTANCE__* _t5;
				void* _t6;
				signed short _t9;
				int _t12;
				WCHAR* _t16;
				struct HINSTANCE__* _t18;

				_t12 = __ecx;
				_t16 = __edx;
				_t9 = __ecx;
				_t5 = LoadStringW(0, __ecx, __edx, _a4);
				if(_t5 == 0) {
					_t5 = LoadLibraryExW(L"mscoree.dll", 0, 0);
					_t18 = _t5;
					_t20 = _t18;
					if(_t18 != 0) {
						_push(_t12);
						_t6 = E00DC9847(_t9 & 0x0000ffff, _t16, _t20, _a4);
						FreeLibrary(_t18);
						return 0 | _t6 > 0x00000000;
					}
				}
				return _t5;
			}

0x00dc98b0
0x00dc98b9
0x00dc98bb
0x00dc98c2
0x00dc98ca
0x00dc98d3
0x00dc98d9
0x00dc98db
0x00dc98dd
0x00dc98df
0x00dc98e8
0x00dc98f5
0x00000000
0x00dc98fb
0x00dc98dd
0x00dc9901

APIs

LoadStringW.USER32(00000000,0000000C,?,00DC9A6D), ref: 00DC98C2
LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,?,00000000,?,00DC9A6D,00000100,?,00DC8C4B), ref: 00DC98D3
FreeLibrary.KERNEL32(00000000,00DC9A6D,?,?,00000000,?,00DC9A6D,00000100,?,00DC8C4B), ref: 00DC98F5

Strings

mscoree.dll, xrefs: 00DC98CE

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: LibraryLoad$FreeString
String ID: mscoree.dll
API String ID: 2997845976-1912557249
Opcode ID: 04cb314425ce61bea385ed95b9699b17251935e89e12ef134fd06a5f4b5e96c9
Instruction ID: e9f3c2970690f82f11b8463a6bb7aeb3c1d0ccc6563d58683298a736d489df31
Opcode Fuzzy Hash: 04cb314425ce61bea385ed95b9699b17251935e89e12ef134fd06a5f4b5e96c9
Instruction Fuzzy Hash: A7F030727063267B57211AA69C9DD6BFE5DEF86BA1305413AFE48C3210EA70DC1495F0

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCDFE Relevance: 6.2, APIs: 4, Instructions: 210
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00DCCDFE(void* __ebx, unsigned int* __ecx, void* __edi, void* __esi, void* __eflags) {
				char* _t95;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr _t109;
				intOrPtr _t111;
				intOrPtr _t113;
				WCHAR** _t118;
				void* _t120;
				signed int _t128;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t139;
				void* _t140;
				signed char _t154;
				intOrPtr* _t157;
				WCHAR* _t168;
				unsigned int _t170;
				signed int _t171;
				unsigned int* _t179;
				intOrPtr _t181;
				void* _t183;
				void* _t184;

				_push(0x54);
				E00DCFB35(E00DD05D6, __ebx, __edi, __esi);
				_t179 = __ecx;
				_t131 =  *((intOrPtr*)(_t184 + 0x18));
				_t181 =  *((intOrPtr*)(_t184 + 0x1c));
				 *((intOrPtr*)(_t184 - 0x5c)) =  *((intOrPtr*)(_t184 + 0x20));
				 *((intOrPtr*)(_t184 - 0x50)) =  *((intOrPtr*)(_t184 + 0x24));
				 *((intOrPtr*)(_t184 - 0x58)) =  *((intOrPtr*)(_t184 + 0x28));
				 *((intOrPtr*)(_t184 - 0x60)) =  *((intOrPtr*)(_t184 + 0x2c));
				 *((intOrPtr*)(_t184 - 0x48)) =  *((intOrPtr*)(_t184 + 0x30));
				 *((intOrPtr*)(_t184 - 0x54)) =  *((intOrPtr*)(_t184 + 0x34));
				 *((intOrPtr*)(_t184 - 0x4c)) =  *((intOrPtr*)(_t184 + 0x38));
				 *((intOrPtr*)(_t184 - 0x3c)) =  *((intOrPtr*)(_t184 + 0x3c));
				if(_t131 != 0) {
					E00DCC86D(_t131, _t131, __ecx, _t181, __eflags);
					_t19 = _t131 + 0xc; // 0x3037332e
					_t95 =  *_t19;
				} else {
					_t95 = 0;
				}
				 *(_t184 - 0x38) = _t95;
				if(_t181 != 0) {
					E00DCC86D(_t131, _t181, _t179, _t181, __eflags);
					_t97 =  *((intOrPtr*)(_t181 + 0xc));
				} else {
					_t97 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x34)) = _t97;
				_t132 =  *((intOrPtr*)(_t184 - 0x5c));
				if(_t132 != 0) {
					E00DCC86D(_t132, _t132, _t179, _t181, __eflags);
					_t99 =  *((intOrPtr*)(_t132 + 0xc));
				} else {
					_t99 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x30)) = _t99;
				_t133 =  *((intOrPtr*)(_t184 - 0x50));
				if(_t133 != 0) {
					E00DCC86D(_t133, _t133, _t179, _t181, __eflags);
					_t101 =  *((intOrPtr*)(_t133 + 0xc));
				} else {
					_t101 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x2c)) = _t101;
				_t134 =  *((intOrPtr*)(_t184 - 0x58));
				if(_t134 != 0) {
					E00DCC86D(_t134, _t134, _t179, _t181, __eflags);
					_t103 =  *((intOrPtr*)(_t134 + 0xc));
				} else {
					_t103 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x28)) = _t103;
				_t135 =  *((intOrPtr*)(_t184 - 0x60));
				if(_t135 != 0) {
					E00DCC86D(_t135, _t135, _t179, _t181, __eflags);
					_t105 =  *((intOrPtr*)(_t135 + 0xc));
				} else {
					_t105 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x24)) = _t105;
				_t136 =  *((intOrPtr*)(_t184 - 0x48));
				if(_t136 != 0) {
					E00DCC86D(_t136, _t136, _t179, _t181, __eflags);
					_t107 =  *((intOrPtr*)(_t136 + 0xc));
				} else {
					_t107 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x20)) = _t107;
				_t137 =  *((intOrPtr*)(_t184 - 0x54));
				if(_t137 != 0) {
					E00DCC86D(_t137, _t137, _t179, _t181, __eflags);
					_t109 =  *((intOrPtr*)(_t137 + 0xc));
				} else {
					_t109 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x1c)) = _t109;
				_t138 =  *((intOrPtr*)(_t184 - 0x4c));
				if(_t138 != 0) {
					E00DCC86D(_t138, _t138, _t179, _t181, __eflags);
					_t111 =  *((intOrPtr*)(_t138 + 0xc));
				} else {
					_t111 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x18)) = _t111;
				_t139 =  *((intOrPtr*)(_t184 - 0x3c));
				if(_t139 != 0) {
					E00DCC86D(_t139, _t139, _t179, _t181, __eflags);
					_t113 =  *((intOrPtr*)(_t139 + 0xc));
				} else {
					_t113 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x14)) = _t113;
				_t170 =  *_t179;
				_t183 = 1;
				_t154 =  !(_t179[2]) & 1;
				_t116 = _t170 >> _t154 == 1;
				if(_t170 >> _t154 == 1) {
					_t140 = 0;
					__eflags = 0;
					goto L37;
				} else {
					_t140 = 0;
					E00DCD115(_t116, _t179, _t179, 1, (_t170 >> _t154) - 1, 4, 0);
					_t128 = FormatMessageW(0x30ff, 0,  *(_t184 + 0x10), 0x400, _t179[3],  *_t179 >> ( !(_t179[2]) & 1), _t184 - 0x38);
					if(_t128 == 0 || _t128 >= ( *_t179 >> ( !(_t179[2]) & 1)) - 1) {
						L37:
						 *(_t184 - 0x44) = _t140;
						 *(_t184 - 0x40) = _t140;
						 *(_t184 - 4) = 3;
						_push(_t184 - 0x3c);
						_t118 = E00DCD1E6(_t140, _t184 - 0x44, _t179, _t183, __eflags);
						 *(_t184 - 4) = 4;
						_t171 = FormatMessageW(0x31ff, _t140,  *(_t184 + 0x10), 0x400,  *_t118, _t140, _t184 - 0x38);
						 *(_t184 - 4) = 3;
						_t157 =  *((intOrPtr*)(_t184 - 0x3c));
						__eflags =  *_t157 - _t140;
						if( *_t157 != _t140) {
							 *(_t157 + 4) = _t183;
						}
						__eflags = _t171;
						if(_t171 != 0) {
							_t120 =  *(_t184 - 0x44);
							__eflags =  *((short*)(_t120 + _t171 * 2 - 2)) - 0x20;
							if( *((short*)(_t120 + _t171 * 2 - 2)) == 0x20) {
								__eflags = 0;
								 *((short*)(_t120 + _t171 * 2 - 2)) = 0;
								_t120 =  *(_t184 - 0x44);
							}
							E00DCC6CE(_t179, _t120);
						} else {
							_t183 = _t140;
						}
						 *(_t184 - 4) =  *(_t184 - 4) | 0xffffffff;
						__eflags =  *(_t184 - 0x40);
						if( *(_t184 - 0x40) != 0) {
							LocalFree( *(_t184 - 0x44));
							 *(_t184 - 0x40) = _t140;
						}
						goto L46;
					} else {
						_t168 = _t179[3];
						if( *((short*)(_t168 + _t128 * 2 - 2)) == 0x20) {
							 *((short*)(_t168 + _t128 * 2 - 2)) = 0;
							_t128 = _t128 - 1;
						}
						E00DCD115(_t128, _t179, _t179, _t183, _t128, 4, _t183);
						L46:
						return E00DCFAE4(_t140, _t179, _t183);
					}
				}
			}

0x00dccdfe
0x00dcce05
0x00dcce0a
0x00dcce0f
0x00dcce12
0x00dcce15
0x00dcce1b
0x00dcce21
0x00dcce27
0x00dcce2d
0x00dcce33
0x00dcce39
0x00dcce3f
0x00dcce44
0x00dcce4c
0x00dcce51
0x00dcce51
0x00dcce46
0x00dcce46
0x00dcce46
0x00dcce54
0x00dcce59
0x00dcce61
0x00dcce66
0x00dcce5b
0x00dcce5b
0x00dcce5b
0x00dcce69
0x00dcce6c
0x00dcce71
0x00dcce79
0x00dcce7e
0x00dcce73
0x00dcce73
0x00dcce73
0x00dcce81
0x00dcce84
0x00dcce89
0x00dcce91
0x00dcce96
0x00dcce8b
0x00dcce8b
0x00dcce8b
0x00dcce99
0x00dcce9c
0x00dccea1
0x00dccea9
0x00dcceae
0x00dccea3
0x00dccea3
0x00dccea3
0x00dcceb1
0x00dcceb4
0x00dcceb9
0x00dccec1
0x00dccec6
0x00dccebb
0x00dccebb
0x00dccebb
0x00dccec9
0x00dccecc
0x00dcced1
0x00dcced9
0x00dccede
0x00dcced3
0x00dcced3
0x00dcced3
0x00dccee1
0x00dccee4
0x00dccee9
0x00dccef1
0x00dccef6
0x00dcceeb
0x00dcceeb
0x00dcceeb
0x00dccef9
0x00dccefc
0x00dccf01
0x00dccf09
0x00dccf0e
0x00dccf03
0x00dccf03
0x00dccf03
0x00dccf11
0x00dccf14
0x00dccf19
0x00dccf21
0x00dccf26
0x00dccf1b
0x00dccf1b
0x00dccf1b
0x00dccf29
0x00dccf2c
0x00dccf33
0x00dccf36
0x00dccf3c
0x00dccf3e
0x00dccfae
0x00dccfae
0x00000000
0x00dccf40
0x00dccf40
0x00dccf4b
0x00dccf71
0x00dccf79
0x00dccfb0
0x00dccfb0
0x00dccfb3
0x00dccfb6
0x00dccfc0
0x00dccfc4
0x00dccfc9
0x00dccfe8
0x00dccfea
0x00dccfee
0x00dccff1
0x00dccff3
0x00dccff5
0x00dccff5
0x00dccff8
0x00dccffa
0x00dcd000
0x00dcd003
0x00dcd009
0x00dcd00b
0x00dcd00d
0x00dcd012
0x00dcd012
0x00dcd018
0x00dccffc
0x00dccffc
0x00dccffc
0x00dcd01d
0x00dcd021
0x00dcd025
0x00dcd02a
0x00dcd030
0x00dcd030
0x00000000
0x00dccf8b
0x00dccf8b
0x00dccf94
0x00dccf98
0x00dccf9d
0x00dccf9d
0x00dccfa4
0x00dcd033
0x00dcd03a
0x00dcd03a
0x00dccf79

APIs

__EH_prolog3_GS.LIBCMT ref: 00DCCE05
FormatMessageW.KERNEL32(000030FF,00000000,00000000,00000400,?,00000000,00000000,?,00000004,00000000,00000054,00DCC43A), ref: 00DCCF71

Part of subcall function 00DCC86D: __EH_prolog3_GS.LIBCMT ref: 00DCC877

Part of subcall function 00DCD1E6: __EH_prolog3.LIBCMT ref: 00DCD1ED
Part of subcall function 00DCD1E6: LocalFree.KERNEL32(?,00000004,00DCCFC9,00000000,00000054,00DCC43A,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DCD205

FormatMessageW.KERNEL32(000031FF,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000054,00DCC43A,?,?,?,?,00000000,00000000), ref: 00DCCFE2
LocalFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DCD02A

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: FormatFreeH_prolog3_LocalMessage$H_prolog3
String ID:
API String ID: 3485839094-0
Opcode ID: dc5526063cf3ee0c86f946c260ae7ce925b7d3006492e327fa97e1fc5b914c1c
Instruction ID: 32ee73520a8e77a6d3165e031193cb15a28073d976740f6601d75c9b8a0d45ab
Opcode Fuzzy Hash: dc5526063cf3ee0c86f946c260ae7ce925b7d3006492e327fa97e1fc5b914c1c
Instruction Fuzzy Hash: 62811870A1120A9FCB54DFA9C881FAEB7B5EF48710F14946DEA1AEB341DB309D058B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC92E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00DC92E4(void* __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed short _t6;
				void* _t11;
				void* _t18;
				intOrPtr* _t21;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = __ecx;
				_t18 = __edx;
				_t6 = E00DC9229(__ecx,  &_v8, __edx, __esi, __eflags);
				if(_t6 >= 0) {
					_push(__esi);
					_t21 = GetProcAddress(_v8, "CLRCreateInstance");
					if(_t21 != 0) {
						 *0xdd41d0(_t11, _t18, _a4);
						_t6 =  *_t21();
					} else {
						_t6 = GetLastError();
						if(_t6 > 0) {
							_t6 = _t6 & 0x0000ffff | 0x80070000;
						}
					}
				}
				return _t6;
			}

0x00dc92e7
0x00dc92e8
0x00dc92ed
0x00dc92f3
0x00dc92f5
0x00dc92fc
0x00dc92fe
0x00dc930d
0x00dc9311
0x00dc932e
0x00dc9334
0x00dc9313
0x00dc9313
0x00dc931b
0x00dc9320
0x00dc9320
0x00dc931b
0x00dc9336
0x00dc933c

APIs

Part of subcall function 00DC9229: __EH_prolog3.LIBCMT ref: 00DC9230
Part of subcall function 00DC9229: LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,00000008,00DC92FA,?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425,?,?,00DC985C), ref: 00DC9249
Part of subcall function 00DC9229: GetLastError.KERNEL32(?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425,?,?,00DC985C,?,00000000), ref: 00DC9255

GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 00DC9307
GetLastError.KERNEL32(?,?,00DC12C8,?,00DC936E,00DC985C,0000000C,00DC9425,?,?,00DC985C,?,00000000), ref: 00DC9313

Strings

CLRCreateInstance, xrefs: 00DC92FF

Memory Dump Source

Source File: 00000007.00000002.268199872.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000007.00000002.268196046.0000000000DC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268209984.0000000000DD2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.268212842.0000000000DD4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dc0000_orxds.jbxd

Similarity

API ID: ErrorLast$AddressH_prolog3LibraryLoadProc
String ID: CLRCreateInstance
API String ID: 647193861-2576948145
Opcode ID: 8975afed1a0261b450a3d8c19eed977022aa52a67d53afc2667108cc0b3a45dc
Instruction ID: eb14ed130be8eeadb5223c12acece014e2d59e1670b6474ecb859873777b464e
Opcode Fuzzy Hash: 8975afed1a0261b450a3d8c19eed977022aa52a67d53afc2667108cc0b3a45dc
Instruction Fuzzy Hash: 03F0B436640316A7C7215666AC1DFBAFB68FB547B2F50402AB945D3260CB34C90196B0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hBB2KnTndI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_1b4c45b6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER325D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36B3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A6D.tmp.xml

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
hBB2KnTndI.exe

Function 00411C06 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 353
memoryCOMMON

Function 004EEC21 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 467
threadinjectionmemoryCOMMON

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Function 00424F00 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Function 004011A5 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Function 00424120 Relevance: 40.9, APIs: 22, Strings: 1, Instructions: 645
stringCOMMON

Function 00424B00 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Function 0041B6A0 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Function 0040C2A4 Relevance: 7.5, APIs: 3, Instructions: 3712
memoryCOMMON

Function 004249B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Function 004AB5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 54
COMMON

Function 00424FD0 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Function 00425290 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Function 00426FE0 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Function 0041AFC0 Relevance: 13.8, APIs: 3, Strings: 6, Instructions: 328
stringCOMMONCrypto