Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	726254
MD5:	74cffc19a09979e23bfd9f5a5378508b
SHA1:	54e1969a3f4000a610aec127bf2d9028e0dc7588
SHA256:	203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d
Tags:	exe
Infos:

Detection

000Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected 000Stealer

Antivirus detection for dropped file

Snort IDS alert for network traffic

Tries to steal Crypto Currency Wallets

Tries to harvest and steal ftp login credentials

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Searches for user specific document files

Enables debug privileges

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Detected TCP or UDP traffic on non-standard ports

PE file contains more sections than normal

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 6124 cmdline: C:\Users\user\Desktop\file.exe MD5: 74CFFC19A09979E23BFD9F5A5378508B)

conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

relaunch_app.exe (PID: 5140 cmdline: "C:\Users\Public\Documents\relaunch_app.exe" MD5: 161D5CCDF1F7563E92D36AD1D5492CCC)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.276605637.0000000014612000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_000Stealer	Yara detected 000Stealer	Joe Security
00000002.00000002.271212000.0000000013CC4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.276599114.000000001460E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_000Stealer	Yara detected 000Stealer	Joe Security
00000002.00000002.276623040.0000000014618000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_000Stealer	Yara detected 000Stealer	Joe Security
Process Memory Space: relaunch_app.exe PID: 5140	JoeSecurity_000Stealer	Yara detected 000Stealer	Joe Security
Process Memory Space: relaunch_app.exe PID: 5140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Snort Signatures

ET TROJAN Win32/Unknown Stealer Command (loader) (Outbound) - Source IP: 192.168.2.6 - Destination IP: 194.190.152.193

Timestamp:	192.168.2.6194.190.152.19349712515682037085 10/19/22-18:11:13.648788
SID:	2037085
Source Port:	49712
Destination Port:	51568
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Unknown Stealer Command (domaindetect) (Outbound) - Source IP: 192.168.2.6 - Destination IP: 194.190.152.193

Timestamp:	192.168.2.6194.190.152.19349705515682037086 10/19/22-18:11:11.925460
SID:	2037086
Source Port:	49705
Destination Port:	51568
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Unknown Stealer Command (filegrab) (Outbound) - Source IP: 192.168.2.6 - Destination IP: 194.190.152.193

Timestamp:	192.168.2.6194.190.152.19349706515682037084 10/19/22-18:11:12.053781
SID:	2037084
Source Port:	49706
Destination Port:	51568
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Unknown Stealer Command Response (filegrab) (Inbound) - Source IP: 194.190.152.193 - Destination IP: 192.168.2.6

Timestamp:	194.190.152.193192.168.2.651568497062037089 10/19/22-18:11:12.115808
SID:	2037089
Source Port:	51568
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Unknown Stealer Command (geoblock) (Outbound) - Source IP: 192.168.2.6 - Destination IP: 194.190.152.193

Timestamp:	192.168.2.6194.190.152.19349708515682037087 10/19/22-18:11:12.367036
SID:	2037087
Source Port:	49708
Destination Port:	51568
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected 000Stealer

Source: Yara match	File source: 00000002.00000002.276605637.0000000014612000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276599114.000000001460E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276623040.0000000014618000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: relaunch_app.exe PID: 5140, type: MEMORYSTR

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\relaunch_app.exe

Avira: detection malicious, Label: HEUR/AGEN.1216915

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\Public\Documents\relaunch_app.exe

Code function: 2_2_015C3220 FindFirstFileA,GetLastError,_errno,_errno,_errno,_errno,_errno,_errno,

2_2_015C3220

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2037086 ET TROJAN Win32/Unknown Stealer Command (domaindetect) (Outbound) 192.168.2.6:49705 -> 194.190.152.193:51568
Source: Traffic	Snort IDS: 2037084 ET TROJAN Win32/Unknown Stealer Command (filegrab) (Outbound) 192.168.2.6:49706 -> 194.190.152.193:51568
Source: Traffic	Snort IDS: 2037089 ET TROJAN Win32/Unknown Stealer Command Response (filegrab) (Inbound) 194.190.152.193:51568 -> 192.168.2.6:49706
Source: Traffic	Snort IDS: 2037087 ET TROJAN Win32/Unknown Stealer Command (geoblock) (Outbound) 192.168.2.6:49708 -> 194.190.152.193:51568
Source: Traffic	Snort IDS: 2037085 ET TROJAN Win32/Unknown Stealer Command (loader) (Outbound) 192.168.2.6:49712 -> 194.190.152.193:51568

Source: Joe Sandbox View

ASN Name: RSHB-ASRU RSHB-ASRU

Source: global traffic

TCP traffic: 192.168.2.6:49705 -> 194.190.152.193:51568

Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193
Source: unknown	TCP traffic detected without corresponding DNS query: 194.190.152.193

E-Banking Fraud

Yara detected 000Stealer

Source: Yara match	File source: 00000002.00000002.276605637.0000000014612000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276599114.000000001460E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276623040.0000000014618000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: relaunch_app.exe PID: 5140, type: MEMORYSTR

Source: C:\Users\Public\Documents\relaunch_app.exe

Code function: 2_2_015C1060

2_2_015C1060

Source: C:\Users\Public\Documents\relaunch_app.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	Section loaded: mswsock.dll	Jump to behavior

Source: relaunch_app.exe.0.dr

Static PE information: Number of sections : 11 > 10

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\Public\Documents\relaunch_app.exe "C:\Users\Public\Documents\relaunch_app.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\Public\Documents\relaunch_app.exe "C:\Users\Public\Documents\relaunch_app.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Documents\relaunch_app.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\Public\Documents\relaunch_app.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\Public\Documents\relaunch_app.exe

Jump to behavior

Source: C:\Users\Public\Documents\relaunch_app.exe

File created: C:\Users\user\AppData\Local\Temp\relaunch_app.exe.lock

Jump to behavior

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@4/2@0/1

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: file.exe, 00000000.00000002.242857261.00007FF6EB3A7000.00000004.00000001.01000000.00000003.sdmp, relaunch_app.exe, 00000002.00000000.240537171.00000000015E4000.00000002.00000001.01000000.00000004.sdmp, relaunch_app.exe.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.242857261.00007FF6EB3A7000.00000004.00000001.01000000.00000003.sdmp, relaunch_app.exe, relaunch_app.exe, 00000002.00000000.240537171.00000000015E4000.00000002.00000001.01000000.00000004.sdmp, relaunch_app.exe.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.242857261.00007FF6EB3A7000.00000004.00000001.01000000.00000003.sdmp, relaunch_app.exe, relaunch_app.exe, 00000002.00000000.240537171.00000000015E4000.00000002.00000001.01000000.00000004.sdmp, relaunch_app.exe.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.242857261.00007FF6EB3A7000.00000004.00000001.01000000.00000003.sdmp, relaunch_app.exe, relaunch_app.exe, 00000002.00000000.240537171.00000000015E4000.00000002.00000001.01000000.00000004.sdmp, relaunch_app.exe.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.242857261.00007FF6EB3A7000.00000004.00000001.01000000.00000003.sdmp, relaunch_app.exe, relaunch_app.exe, 00000002.00000000.240537171.00000000015E4000.00000002.00000001.01000000.00000004.sdmp, relaunch_app.exe.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.242857261.00007FF6EB3A7000.00000004.00000001.01000000.00000003.sdmp, relaunch_app.exe, relaunch_app.exe, 00000002.00000000.240537171.00000000015E4000.00000002.00000001.01000000.00000004.sdmp, relaunch_app.exe.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: relaunch_app.exe, 00000002.00000003.255839504.0000000034E04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.242857261.00007FF6EB3A7000.00000004.00000001.01000000.00000003.sdmp, relaunch_app.exe, relaunch_app.exe, 00000002.00000000.240537171.00000000015E4000.00000002.00000001.01000000.00000004.sdmp, relaunch_app.exe.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 5916672 > 1048576

Source: file.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x56c200

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: file.exe	Static PE information: section name: _RDATA
Source: relaunch_app.exe.0.dr	Static PE information: section name: .eh_fram

Source: relaunch_app.exe.0.dr	Static PE information: real checksum: 0x56e579 should be: 0x56f907
Source: file.exe	Static PE information: real checksum: 0x0 should be: 0x5aacaa

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\Public\Documents\relaunch_app.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\Public\Documents\relaunch_app.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\Public\Documents\relaunch_app.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_PhysicalMemory

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\Public\Documents\relaunch_app.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_VideoController

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\Public\Documents\relaunch_app.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\Public\Documents\relaunch_app.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Documents\relaunch_app.exe

Code function: 2_2_015C3220 FindFirstFileA,GetLastError,_errno,_errno,_errno,_errno,_errno,_errno,

2_2_015C3220

Source: relaunch_app.exe, 00000002.00000003.258460776.0000000001C75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: relaunch_app.exe, 00000002.00000003.258843594.0000000001C53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBLMEM
Source: relaunch_app.exe, 00000002.00000003.258843594.0000000001C53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB@@
Source: relaunch_app.exe, 00000002.00000003.258460776.0000000001C75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareNE4ZDT1TWin32_VideoController5V1LB1WTVideoController120060621000000.000000-00026999340display.infMSBDAE4HO1R2HPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsDYRE8W8Rme
Source: relaunch_app.exe, 00000002.00000003.258408230.0000000001C77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareNE4ZDT1TWin32_VideoController5V1LB1WTVideoController120060621000000.000000-00026999340display.infMSBDAE4HO1R2HPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsDYRE8W8R
Source: relaunch_app.exe, 00000002.00000003.258843594.0000000001C53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: relaunch_app.exe, 00000002.00000003.258843594.0000000001C53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB
Source: relaunch_app.exe, 00000002.00000002.267416125.0000000001BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Documents\relaunch_app.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Documents\relaunch_app.exe

Code function: 2_2_012A11A0 SetUnhandledExceptionFilter,__p__fmode,__p__environ,_cexit,ExitProcess,_iob,_setmode,_setmode,_setmode,

2_2_012A11A0

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\Public\Documents\relaunch_app.exe "C:\Users\Public\Documents\relaunch_app.exe"

Jump to behavior

Source: C:\Users\Public\Documents\relaunch_app.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	Queries volume information: C:\Users\user\Music VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	Queries volume information: C:\Users\user\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	Queries volume information: C:\Users\user\Videos VolumeInformation	Jump to behavior

Source: C:\Users\Public\Documents\relaunch_app.exe

Code function: 2_2_015C14C0 cpuid

2_2_015C14C0

Source: C:\Users\Public\Documents\relaunch_app.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EB3776B4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6EB3776B4

Stealing of Sensitive Information

Yara detected 000Stealer

Source: Yara match	File source: 00000002.00000002.276605637.0000000014612000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276599114.000000001460E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276623040.0000000014618000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: relaunch_app.exe PID: 5140, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\Public\Documents\relaunch_app.exe

File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml\			Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: relaunch_app.exe, 00000002.00000002.271653321.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\Public\Documents\relaunch_app.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior

Source: Yara match	File source: 00000002.00000002.271212000.0000000013CC4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: relaunch_app.exe PID: 5140, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe

Directory queried: C:\Users\Public\Documents

Jump to behavior

Remote Access Functionality

Yara detected 000Stealer

Source: Yara match	File source: 00000002.00000002.276605637.0000000014612000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276599114.000000001460E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.276623040.0000000014618000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: relaunch_app.exe PID: 5140, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	311 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	311 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Documents\relaunch_app.exe	100%	Avira	HEUR/AGEN.1216915

Domains and IPs

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.190.152.193	unknown	Russian Federation		41615	RSHB-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	726254
Start date and time:	2022-10-19 18:10:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@4/2@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 96.4% (good quality ratio 40.9%) Quality average: 33.2% Quality standard deviation: 42.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target file.exe, PID 6124 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:11:05	API Interceptor	5x Sleep call for process: relaunch_app.exe modified

Created / dropped Files

C:\Users\Public\Documents\relaunch_app.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	5681152
Entropy (8bit):	6.357945782642932
Encrypted:	false
SSDEEP:	49152:6tSHkCyvh0uhRLTxd+K7EIrbgGCpLXadU/8IrOZHZVRcfM62d7Ep4W/61jn+E0tE:65veub/x6ebgGCpLXSRZ0xsx97Du
MD5:	161D5CCDF1F7563E92D36AD1D5492CCC
SHA1:	F7A40D9EAF5FB2278C4F7D317AF52ADCB3EBBDC9
SHA-256:	1A4C9E4B1DC160BCAA56F915F07CCCC84F61111B04219A075A7091CF3808BFC1
SHA-512:	A81F40173CF1DEC0C8CE28E91F878493E6494E8A88DE13637026A7EAE4948232708033C80F26240DC52B6988575717A93A0805740FCD7E5A4A7CCD3B8084FAA1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..b............... .82...V..............P2...@...........................Z.....y.V...@... .......................W.Y.....W.......X.......................X...............................W.......................W..............................text....72......82.................`.``.data........P2......<2.............@.`..rdata..xk ..@4..l ..&4.............@.`@.eh_fram......T.......T.............@.0@.bss..........T.......................`..edata..Y.....W.......T.............@.0@.idata........W.......T.............@.0..CRT..........W.......T.............@.0..tls.... .....W.......T.............@.0..rsrc.........X.......T.............@.0..reloc........X.......T.............@.0B........................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:B:B
MD5:	8277E0910D750195B448797616E091AD
SHA1:	3C363836CF4E16666669A25DA280A1865C2D2874
SHA-256:	18AC3E7343F016890C510E93F935261169D9E3F565436429830FAF0934F4F8E4
SHA-512:	48FB10B15F3D44A09DC82D02B06581E0C0C69478C9FD2CF8F9093659019A1687BAECDBB38C9E72B12169DC4148690F87467F9154F5931C5DF665C6496CBFD5F5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	d

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.755747600848576
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	5916672
MD5:	74cffc19a09979e23bfd9f5a5378508b
SHA1:	54e1969a3f4000a610aec127bf2d9028e0dc7588
SHA256:	203f591e084a2ece60b2be5c13fbafa673ecac10ef91055ad7bd73fddc656b5d
SHA512:	be1aa3e40639201f9f5eb6a476ac8a4ca8381eb92c116f4b472d661e435b2b4115337879b59caec4ee397df0adaba5011054cfb425eb9978e82bdb1dea9aaae5
SSDEEP:	98304:cdqxlydvAURQUc6QSiSbgOOzVbRRtYoa5JSY8ANYCfBeGO:cdkqAURQUc6QSgOOnA7lhBo
TLSH:	1556BE8DCB26656ADED00A340D797D95F8F0246FFC5662C923CEB1AF9C62022F55C6E0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t9...W...W...W..~T...W..~S...W..~R.{.W..oS...W..oT...W..oR...W..~V...W...V...W..o^...W..o....W..oU...W.Rich..W.........PE..d..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140007010
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x634FCE01 [Wed Oct 19 10:14:25 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0721ccf5c6e6216d478ef8b62a185a8b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0D4D2D3DE0h
dec eax
add esp, 28h
jmp 00007F0D4D2D35B7h
int3
int3
dec eax
sub esp, 28h
call 00007F0D4D2D4310h
test eax, eax
je 00007F0D4D2D3763h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F0D4D2D3747h
dec eax
cmp ecx, eax
je 00007F0D4D2D3756h
xor eax, eax
dec eax
cmpxchg dword ptr [0059C658h], ecx
jne 00007F0D4D2D3730h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F0D4D2D3739h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [0059C643h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [0059C633h], al
call 00007F0D4D2D410Fh
call 00007F0D4D2D604Eh
test al, al
jne 00007F0D4D2D3746h
xor al, al
jmp 00007F0D4D2D3756h
call 00007F0D4D2E15C5h
test al, al
jne 00007F0D4D2D374Bh
xor ecx, ecx
call 00007F0D4D2D605Eh
jmp 00007F0D4D2D372Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0059C5F8h], 00000000h
mov ebx, ecx
jne 00007F0D4D2D37A9h
cmp ecx, 01h
jnbe 00007F0D4D2D37ACh
call 00007F0D4D2D4276h
test eax, eax
je 00007F0D4D2D376Ah
test ebx, ebx
jne 00007F0D4D2D3766h
dec eax
lea ecx, dword ptr [0059C5E2h]
call 00007F0D4D2D37E2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x35b54	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a9000	0x0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5a5000	0x22c8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5aa000	0x924	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x325f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x324b0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23a00	0x23a00	False	0.5471148574561403	data	6.451749786578579	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x114a2	0x11600	False	0.4529142311151079	data	5.0725987080444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x37000	0x56d970	0x56c200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5a5000	0x22c8	0x2400	False	0.4708116319444444	data	5.23134130430715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x5a8000	0x15c	0x200	False	0.388671875	data	2.789737013974924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5a9000	0x1e0	0x200	False	0.533203125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5aa000	0x924	0xa00	False	0.507421875	data	5.265914724175377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x5a9060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetCurrentThreadId, GetCurrentProcessId, WriteConsoleW, SetEndOfFile, HeapSize, CreateFileW, GetProcessHeap, SetStdHandle, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, CloseHandle, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, RtlUnwind
USER32.dll	GetForegroundWindow, PostMessageA
SHELL32.dll	ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6194.190.152.19349712515682037085 10/19/22-18:11:13.648788	TCP	2037085	ET TROJAN Win32/Unknown Stealer Command (loader) (Outbound)	49712	51568	192.168.2.6	194.190.152.193
192.168.2.6194.190.152.19349705515682037086 10/19/22-18:11:11.925460	TCP	2037086	ET TROJAN Win32/Unknown Stealer Command (domaindetect) (Outbound)	49705	51568	192.168.2.6	194.190.152.193
192.168.2.6194.190.152.19349706515682037084 10/19/22-18:11:12.053781	TCP	2037084	ET TROJAN Win32/Unknown Stealer Command (filegrab) (Outbound)	49706	51568	192.168.2.6	194.190.152.193
194.190.152.193192.168.2.651568497062037089 10/19/22-18:11:12.115808	TCP	2037089	ET TROJAN Win32/Unknown Stealer Command Response (filegrab) (Inbound)	51568	49706	194.190.152.193	192.168.2.6
192.168.2.6194.190.152.19349708515682037087 10/19/22-18:11:12.367036	TCP	2037087	ET TROJAN Win32/Unknown Stealer Command (geoblock) (Outbound)	49708	51568	192.168.2.6	194.190.152.193

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 19, 2022 18:11:11.864528894 CEST	49705	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:11.924096107 CEST	51568	49705	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:11.924210072 CEST	49705	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:11.925460100 CEST	49705	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:11.925522089 CEST	49705	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:11.984785080 CEST	51568	49705	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:11.985114098 CEST	51568	49705	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:11.985136032 CEST	51568	49705	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:11.985203028 CEST	49705	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:11.988929987 CEST	49706	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.050807953 CEST	51568	49706	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.050991058 CEST	49706	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.053781033 CEST	49706	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.053817987 CEST	49706	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.115638018 CEST	51568	49706	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.115808010 CEST	51568	49706	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.115824938 CEST	51568	49706	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.115907907 CEST	49706	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.172266960 CEST	49707	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.229562998 CEST	51568	49707	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.229676008 CEST	49707	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.232882977 CEST	49707	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.232933044 CEST	49707	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.289764881 CEST	51568	49707	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.293674946 CEST	51568	49707	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.293690920 CEST	51568	49707	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.293821096 CEST	49707	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.303889990 CEST	49708	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.366411924 CEST	51568	49708	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.366560936 CEST	49708	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.367036104 CEST	49708	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.367106915 CEST	49708	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:12.429174900 CEST	51568	49708	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.429796934 CEST	51568	49708	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.429862022 CEST	51568	49708	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:12.429956913 CEST	49708	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.508861065 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.568319082 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.568495989 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.569443941 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.570205927 CEST	49712	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.646967888 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.646994114 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.647006989 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.647013903 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.647026062 CEST	51568	49712	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.647320986 CEST	49712	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.647357941 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.648787975 CEST	49712	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.649127960 CEST	49712	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.710519075 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.710685968 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.710817099 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.710882902 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.710962057 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.711069107 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.711132050 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.711273909 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.711389065 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.711504936 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.711520910 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.711622953 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.711879015 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.711966038 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.713484049 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.713669062 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.715138912 CEST	51568	49712	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.715616941 CEST	51568	49712	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.715759993 CEST	49712	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.772422075 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772484064 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772512913 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772542953 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772572041 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772602081 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772634029 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772661924 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772758007 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.772842884 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.772849083 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.772881985 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.772954941 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.773081064 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.773176908 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.773392916 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.773521900 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.773708105 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.773818970 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.773997068 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.774027109 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.774096966 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.774135113 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.774311066 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.774405003 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.774621010 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.774719000 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.774904013 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.775018930 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.775181055 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.775264978 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.836395025 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.836450100 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.836483955 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.836646080 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.836646080 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.836875916 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.836950064 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.837194920 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.837225914 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.837260008 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.837295055 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.837512016 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.837583065 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.837913990 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.837944984 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.838044882 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.838044882 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.838342905 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.838372946 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.838514090 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.838514090 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.838641882 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.838671923 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.838761091 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.838761091 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.839052916 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.839133978 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.839445114 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.839519978 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.839701891 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.839730978 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.839761972 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.839797020 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.839797020 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.839843035 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.840158939 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.840190887 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.840225935 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.840305090 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.840507984 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.840591908 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.840766907 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.840797901 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.840874910 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.840874910 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.841203928 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.841283083 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.841581106 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.841610909 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.841677904 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.841677904 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.841876030 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.841903925 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.841973066 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.841973066 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.842298985 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.842370033 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.842694998 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.842722893 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.842796087 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.842796087 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.843003035 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.843034029 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.843067884 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:13.843431950 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.843461037 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.843810081 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.843839884 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.843869925 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.844084978 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.844151020 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.844537973 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899631023 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899708986 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899804115 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899836063 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899863005 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899892092 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899920940 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899949074 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.899976969 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900007010 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900034904 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900063038 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900090933 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900120020 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900149107 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900177002 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900206089 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900237083 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900418043 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900446892 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900634050 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.900847912 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.901071072 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.904083014 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.904115915 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.904711008 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.904741049 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.904939890 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905172110 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905201912 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905229092 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905260086 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905288935 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905318975 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905339003 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905359030 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905386925 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905654907 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.905884027 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.906140089 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.906440020 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.906662941 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.906939030 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.907176018 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.907207012 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.907444954 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.907890081 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.907923937 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.907994986 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.908541918 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.908576012 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.908754110 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.908783913 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.909048080 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.909312010 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.909548998 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.909866095 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.910140038 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:13.910172939 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:28.921581030 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:28.921710968 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:28.931274891 CEST	49711	51568	192.168.2.6	194.190.152.193
Oct 19, 2022 18:11:28.990482092 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:29.789763927 CEST	51568	49711	194.190.152.193	192.168.2.6
Oct 19, 2022 18:11:29.791908979 CEST	49711	51568	192.168.2.6	194.190.152.193

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: relaunch_app.exePID: 5140, Parent PID: 6124COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.9%
Total number of Nodes:	294
Total number of Limit Nodes:	16

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 015C1088
strlen.MSVCRT ref: 015C1098
__p__pgmptr.MSVCRT ref: 015C11EB

Part of subcall function 012A1290: __getmainargs.MSVCRT ref: 012A12C6

Strings

Z, xrefs: 015C13F8
', xrefs: 015C147B
?, xrefs: 015C1108
@, xrefs: 015C1240
!, xrefs: 015C1111

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: CommandLine__getmainargs__p__pgmptrstrlen
String ID: !$'$?$@$Z
API String ID: 3494280972-2658495842
Opcode ID: 67e5f645aeadc346e2a51c22f9cb4f6444ff0e2d06ec26dee0f54a551f41fb45
Instruction ID: e40c65b68f571c264071f6859322d9504a32dc90799ccacaab35554a97246c2a
Opcode Fuzzy Hash: 67e5f645aeadc346e2a51c22f9cb4f6444ff0e2d06ec26dee0f54a551f41fb45
Instruction Fuzzy Hash: 7FC1F471909B15CFEB25CFA8C8C43ADBBF2BB95B04F08849DC9499F242D7759A84CB41

Uniqueness

Uniqueness Score: -1.00%

Function 015C3220 Relevance: 12.1, APIs: 8, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32 ref: 015C3235
GetLastError.KERNEL32 ref: 015C32B8
_errno.MSVCRT ref: 015C32BF
_errno.MSVCRT ref: 015C32CB
_errno.MSVCRT ref: 015C32D8
_errno.MSVCRT ref: 015C32E2

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: _errno$ErrorFileFindFirstLast
String ID:
API String ID: 2068755524-0
Opcode ID: 2b4d6b96931fe336321f1537b9da566222c3a9c81ec1364903381bc2186636e1
Instruction ID: 90a93951cc75e147e2098198f80a26dc914d8827aeea35664dadb3ee7217e7b2
Opcode Fuzzy Hash: 2b4d6b96931fe336321f1537b9da566222c3a9c81ec1364903381bc2186636e1
Instruction Fuzzy Hash: F121A4714182568EDF91AFF8A8802AABAF1BF52B04F08C9ADD8548F251D3748448C772

Uniqueness

Uniqueness Score: -1.00%

Function 012A11A0 Relevance: 12.1, APIs: 8, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 36%

			E012A11A0() {
				int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr* _t11;
				intOrPtr _t14;
				int _t17;
				int _t19;
				int _t21;
				intOrPtr* _t23;
				int _t25;
				int _t26;
				intOrPtr _t28;
				void* _t30;
				int _t31;
				void* _t32;
				signed int _t34;

				_t33 =  &_v24;
				_t11 =  *0x17ea438; // 0x15c16e0
				if(_t11 != 0) {
					_v20 = 0;
					_v24 = 2;
					_v28 = 0;
					 *_t11();
					_t33 =  &_v24 - 0xc;
				}
				_v28 = 0x12a1000; // executed
				SetUnhandledExceptionFilter(??); // executed
				_t34 = _t33 - 4;
				E015C14C0(_t30);
				_t14 =  *0x15e39a8; // 0xfffffffd
				 *_t34 = _t14;
				E015C0D90(); // executed
				E015C1060(_t32);
				_t17 =  *0x181a354; // 0x0
				if(_t17 != 0) {
					L4:
					_t28 = __imp___iob;
					 *(_t34 + 4) = _t17;
					 *0x15e39ac = _t17;
					_v20 =  *((intOrPtr*)(_t28 + 0x10));
					L015C4550();
					_t19 =  *0x181a354; // 0x0
					 *(_t34 + 4) = _t19;
					_v20 =  *((intOrPtr*)(_t28 + 0x30));
					L015C4550();
					_t21 =  *0x181a354; // 0x0
					 *(_t34 + 4) = _t21;
					_t17 =  *(_t28 + 0x50);
					_v20 = _t17;
					L015C4550();
					goto L3;
				} else {
					L3:
					L015C45A0();
					_t31 =  *0x15e39ac; // 0x4000
					 *_t17 = _t31;
					E015C1B10();
					_t34 = _t34 & 0xfffffff0;
					_t23 = E015C1670();
					L015C45A8();
					 *((intOrPtr*)(_t34 + 8)) =  *_t23;
					_t25 =  *0x17ec000; // 0x1a02788
					 *(_t34 + 4) = _t25;
					_t26 =  *0x17ec004; // 0x1
					_v20 = _t26;
					_t17 = E012F5CD0(_t30, _t31);
					L015C4580();
					ExitProcess(_t17);
					goto L4;
				}
			}

0x012a11a1
0x012a11a4
0x012a11ab
0x012a11ad
0x012a11b5
0x012a11bd
0x012a11c4
0x012a11c6
0x012a11c6
0x012a11c9
0x012a11d0
0x012a11d5
0x012a11d8
0x012a11dd
0x012a11e2
0x012a11e5
0x012a11ea
0x012a11ef
0x012a11f6
0x012a1242
0x012a1242
0x012a1248
0x012a124c
0x012a1254
0x012a1257
0x012a125c
0x012a1261
0x012a1268
0x012a126b
0x012a1270
0x012a1275
0x012a1279
0x012a127c
0x012a127f
0x00000000
0x012a11f8
0x012a11f8
0x012a11f8
0x012a11fd
0x012a1203
0x012a1205
0x012a120a
0x012a120d
0x012a1212
0x012a1219
0x012a121d
0x012a1222
0x012a1226
0x012a122b
0x012a122e
0x012a1235
0x012a123d
0x00000000
0x012a123d

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,012A1305), ref: 012A11D0
__p__fmode.MSVCRT ref: 012A11F8
__p__environ.MSVCRT ref: 012A1212
_cexit.MSVCRT ref: 012A1235
ExitProcess.KERNEL32(?,?,?,?,?,?,012A1305), ref: 012A123D
_setmode.MSVCRT ref: 012A1257
_setmode.MSVCRT ref: 012A126B
_setmode.MSVCRT ref: 012A127F

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
String ID:
API String ID: 3476844589-0
Opcode ID: 3e5dac09f5b50b0ac3f9866629e2fb1f3129703288269af091153168edcb1242
Instruction ID: 02e4d2517e458d02b301291259597a9baa8a8a5dbbc762526158324a6bf47e39
Opcode Fuzzy Hash: 3e5dac09f5b50b0ac3f9866629e2fb1f3129703288269af091153168edcb1242
Instruction Fuzzy Hash: 6921C3B4A157028FC754FFB8D584A2A7BF4BBA8A50F01892DD895CF309E738D8449F52

Uniqueness

Uniqueness Score: -1.00%

Function 015C2400 Relevance: 37.4, APIs: 18, Strings: 3, Instructions: 637
stringCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E015C2400(signed int __eax, signed int __ecx, signed int __edx, signed int _a4) {
				void* _v16;
				void _v32;
				signed int _v36;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int* _v72;
				signed char* _v76;
				int _v80;
				signed int _v84;
				signed int* _v88;
				signed int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				signed char _v101;
				signed int _v108;
				char _v112;
				intOrPtr _v116;
				int _v120;
				void* _t211;
				signed int _t212;
				signed int* _t213;
				signed int _t221;
				signed int _t223;
				signed int _t230;
				signed int _t232;
				int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t239;
				intOrPtr* _t242;
				signed int _t245;
				void* _t250;
				intOrPtr _t263;
				signed int _t266;
				void* _t273;
				char* _t274;
				signed int _t275;
				intOrPtr _t276;
				void* _t280;
				void* _t281;
				int _t284;
				void* _t285;
				signed int _t288;
				char* _t292;
				signed int _t294;
				signed int _t300;
				signed int* _t309;
				signed int _t310;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int* _t317;
				signed char* _t319;
				signed int* _t320;
				signed int _t321;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				signed char* _t326;
				intOrPtr _t327;
				signed int _t332;
				signed char* _t334;
				signed int _t335;
				signed char* _t336;
				signed int _t338;
				signed char* _t339;
				signed int* _t340;
				signed char* _t344;
				signed char* _t346;
				signed int _t348;
				signed int _t349;
				signed int _t352;
				char* _t354;
				signed int _t355;
				signed int _t356;
				intOrPtr _t360;
				signed int _t366;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int* _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				char* _t375;
				signed int _t376;
				signed int _t377;
				int _t379;
				signed int _t380;
				intOrPtr* _t381;
				signed int _t384;
				signed char* _t385;
				signed char* _t386;
				signed char* _t387;
				signed char* _t388;
				signed char* _t389;
				void* _t390;
				int _t392;
				signed char* _t393;
				intOrPtr _t394;
				void _t395;
				char* _t396;
				signed char* _t397;
				signed int _t399;
				signed int* _t400;
				signed int _t401;
				signed int* _t402;
				intOrPtr* _t404;
				intOrPtr* _t406;
				intOrPtr* _t407;
				intOrPtr* _t408;
				intOrPtr* _t409;

				_v64 = __eax;
				_v52 = __edx;
				_v60 = __ecx;
				if((__edx & 0x00000004) != 0) {
					_v76 = _t400;
					_t387 = __eax;
					 *_t400 = __eax;
					_t211 = E015C3B08(strlen(??) + 0x10 >> 4 << 4);
					_t315 =  *_t387 & 0x000000ff;
					_t401 = _t400 - _t211;
					__eflags = _t401;
					_t371 =  &_v112;
					_v72 = _t371;
					while(1) {
						_t37 =  &(_t387[1]); // -1
						_t326 = _t37;
						__eflags = _t315 - 0x7f;
						if(_t315 == 0x7f) {
							goto L22;
						}
						L19:
						__eflags = _t316 - 0x7b;
						if(_t316 == 0x7b) {
							_t315 = _t387[1] & 0x000000ff;
							_t344 = _t387;
							_v68 = _t387;
							_v48 = _t326;
							_t47 =  &(_t344[1]); // -1
							_t397 = _t47;
							_t338 = 1;
							_t212 = _t315;
							_v56 = 0x2c;
							__eflags = _t212 - 0x7b;
							if(__eflags == 0) {
								L34:
								_t212 = _t344[2] & 0x000000ff;
								_t338 = _t338 + 1;
								_t344 = _t397;
								L33:
								_t50 =  &(_t344[1]); // 0x1
								_t397 = _t50;
								__eflags = _t212 - 0x7b;
								if(__eflags == 0) {
									goto L34;
								}
							} else {
							}
							if(__eflags > 0) {
								__eflags = _t212 - 0x7d;
								if(_t212 != 0x7d) {
									__eflags = _t212 - 0x7f;
									if(_t212 != 0x7f) {
										goto L31;
									} else {
										_t212 = _t344[2] & 0x000000ff;
										__eflags = _t212;
										if(_t212 == 0) {
											goto L32;
										} else {
											_t75 =  &(_t344[2]); // 0x1
											_t212 = _t344[3] & 0x000000ff;
											_t344 = _t75;
										}
									}
									goto L33;
								} else {
									_t338 = _t338 - 1;
									__eflags = _t338;
									if(_t338 != 0) {
										goto L31;
									} else {
										__eflags = _v56 - 0x7b;
										_t399 = _v68;
										_t339 = _v48;
										if(_v56 != 0x7b) {
											goto L59;
										} else {
											_v48 = _t371;
											_t372 = _v52;
											while(1) {
												L39:
												_t309 = _v48;
												_t366 = 1;
												__eflags = _t315 - 0x7f;
												if(_t315 == 0x7f) {
													goto L56;
												}
												L41:
												_t399 = _t399 + 1;
												__eflags = _t399;
												_t340 = _t309;
												L42:
												__eflags = _t315 - 0x7d;
												if(_t315 == 0x7d) {
													_t366 = _t366 - 1;
													__eflags = _t366;
													if(_t366 == 0) {
														_t310 = _t399;
														goto L74;
													} else {
														 *_t340 = 0x7d;
														_t309 =  &(_t340[0]);
														goto L55;
													}
													goto L159;
												} else {
													__eflags = _t315 - 0x2c;
													if(_t315 != 0x2c) {
														L60:
														_t309 =  &(_t340[0]);
														__eflags = _t315 - 0x7b;
														if(_t315 != 0x7b) {
															 *_t340 = _t315;
															__eflags = _t315;
															if(_t315 != 0) {
																goto L55;
															} else {
																goto L68;
															}
														} else {
															 *_t340 = 0x7b;
															_t366 = _t366 + 1;
															L55:
															_t315 =  *(_t399 + 1) & 0x000000ff;
															__eflags = _t315 - 0x7f;
															if(_t315 != 0x7f) {
																goto L41;
															} else {
																goto L56;
															}
														}
														goto L159;
													} else {
														__eflags = _t366 - 1;
														if(_t366 != 1) {
															goto L60;
														} else {
															_t369 = _t399;
															_t324 = 1;
															while(1) {
																_t310 = _t369 + 1;
																_t370 =  *(_t369 + 1) & 0x000000ff;
																__eflags = _t370 - 0x7f;
																if(_t370 == 0x7f) {
																	goto L49;
																}
																L47:
																L69:
																__eflags = _t370 - 0x7b;
																if(_t370 == 0x7b) {
																	_t324 = _t324 + 1;
																	_t369 = _t310;
																	_t310 = _t369 + 1;
																	_t370 =  *(_t369 + 1) & 0x000000ff;
																	__eflags = _t370 - 0x7f;
																	if(_t370 == 0x7f) {
																		goto L49;
																	}
																	goto L51;
																} else {
																	__eflags = _t370 - 0x7d;
																	if(_t370 == 0x7d) {
																		_t324 = _t324 - 1;
																		__eflags = _t324;
																		if(_t324 == 0) {
																			L74:
																			_t311 = _t310 + 1;
																			__eflags = _t311;
																			do {
																				_t367 =  *_t311 & 0x000000ff;
																				_t340 =  &(_t340[0]);
																				_t311 = _t311 + 1;
																				 *(_t340 - 1) = _t367;
																				__eflags = _t367;
																			} while (_t367 != 0);
																			_t368 = _t372;
																			_t372 = _t372 | 0x00000001;
																			 *_t401 = _a4;
																			_t314 = E015C2400(_v72, _v60, _t368);
																			__eflags = _t314 - 1;
																			if(_t314 == 1) {
																				L68:
																				_v48 = 1;
																				goto L51;
																			} else {
																				__eflags =  *_t399 - 0x2c;
																				if( *_t399 != 0x2c) {
																					_v48 = _t314;
																					goto L51;
																				} else {
																					_t315 =  *(_t399 + 1) & 0x000000ff;
																					goto L39;
																				}
																			}
																		} else {
																			_t369 = _t310;
																			while(1) {
																				_t310 = _t369 + 1;
																				_t370 =  *(_t369 + 1) & 0x000000ff;
																				__eflags = _t370 - 0x7f;
																				if(_t370 == 0x7f) {
																					goto L49;
																				}
																				goto L47;
																			}
																		}
																	} else {
																		__eflags = _t370;
																		if(_t370 == 0) {
																			L50:
																			 *_t340 = 0;
																			_v48 = 1;
																			goto L51;
																		} else {
																			_t369 = _t310;
																			while(1) {
																				_t310 = _t369 + 1;
																				_t370 =  *(_t369 + 1) & 0x000000ff;
																				__eflags = _t370 - 0x7f;
																				if(_t370 == 0x7f) {
																					goto L49;
																				}
																				goto L47;
																				while(1) {
																					L49:
																					__eflags =  *(_t310 + 1);
																					if( *(_t310 + 1) == 0) {
																						goto L50;
																					}
																					_t370 =  *(_t310 + 2) & 0x000000ff;
																					_t310 = _t310 + 2;
																					__eflags = _t370 - 0x7f;
																					if(_t370 != 0x7f) {
																						goto L69;
																					} else {
																						continue;
																					}
																					goto L51;
																				}
																				goto L50;
																			}
																		}
																	}
																}
																goto L159;
															}
														}
													}
												}
												L51:
												goto L52;
												L56:
												_t323 =  *(_t399 + 2) & 0x000000ff;
												 *_t309 = 0x7f;
												_t340 =  &(_t309[0]);
												_t309[0] = _t323;
												__eflags = _t323;
												if(_t323 == 0) {
													_t309[0] = 0;
													goto L68;
												} else {
													_t315 =  *(_t399 + 3) & 0x000000ff;
													_t399 = _t399 + 3;
													goto L42;
												}
												goto L159;
											}
										}
									}
								}
							} else {
								__eflags = _t212;
								if(_t212 == 0) {
									_t339 = _v48;
									L59:
									 *_t371 = 0x7b;
									_t387 = _t339;
									_t371 =  &(_t371[0]);
									while(1) {
										_t37 =  &(_t387[1]); // -1
										_t326 = _t37;
										__eflags = _t315 - 0x7f;
										if(_t315 == 0x7f) {
											goto L22;
										}
										goto L19;
									}
								} else {
									__eflags = _t212 - 0x2c;
									if(_t212 != 0x2c) {
										L31:
										_t212 = _t344[2] & 0x000000ff;
										L32:
										_t344 = _t397;
									} else {
										__eflags = _t338 - 1;
										if(_t338 == 1) {
											_t212 = _t344[2] & 0x000000ff;
											_v56 = 0x7b;
											_t344 = _t397;
										} else {
											goto L31;
										}
									}
									goto L33;
								}
							}
						} else {
							L20:
							 *_t371 = _t316;
							_t213 =  &(_t371[0]);
							__eflags = _t316;
							if(_t316 == 0) {
								_t400 = _v76;
								goto L1;
							} else {
								_t316 = _t387[1] & 0x000000ff;
								_t387 = _t326;
								_t371 = _t213;
								_t40 =  &(_t387[1]); // 0x2
								_t326 = _t40;
								__eflags = _t316 - 0x7f;
								if(_t316 != 0x7f) {
									goto L19;
								} else {
									goto L22;
								}
							}
						}
						goto L159;
						L22:
						_t316 = _t387[1] & 0x000000ff;
						 *_t371 = 0x7f;
						__eflags = _t316;
						if(_t316 != 0) {
							_t371[0] = _t316;
							_t387 =  &(_t387[2]);
							_t315 =  *_t387 & 0x000000ff;
							_t371 =  &(_t371[0]);
							continue;
						} else {
							_t42 =  &(_t387[2]); // 0x2
							_t371 =  &(_t371[0]);
							_t387 = _t326;
							_t326 = _t42;
							goto L20;
						}
						goto L159;
					}
				} else {
					L1:
					_t373 = _v64;
					_v72 = _t400;
					 *_t400 = _t373;
					_t6 = strlen(??) + 1; // 0x1
					_t402 = _t400 - E015C3B08(_t214 + 0x10 >> 4 << 4);
					_v116 = _t6;
					_v120 = _t373;
					 *_t402 =  &_v112;
					 *_t402 = memcpy(??, ??, ??); // executed
					_t221 = E015C2E00(_t220); // executed
					_v32 = 0;
					_v68 = _t221;
					_t374 = _t221;
					_t223 = E015C23B0( &_v44);
					_v48 = _t223;
					if(_t223 != 0) {
						L79:
						return _v48;
					} else {
						if(_t374 == 0 || E015C2260(_t374, _v52) == 0) {
							_t388 = _v68;
							_t317 = _t402;
							 *_t402 = _t388;
							_t404 = _t402 - E015C3B08(strlen(??) + 0x10 >> 4 << 4);
							_t346 = _t388;
							_t375 =  &_v112;
							_t327 = _t375;
							while(1) {
								L6:
								_t230 =  *_t346 & 0x000000ff;
								_t389 =  &(_t346[1]);
								if(_t230 == 0x7f) {
									break;
								}
								_t327 = _t327 + 1;
								_t346 = _t389;
								 *(_t327 - 1) = _t230;
								__eflags = _t230;
								if(_t230 != 0) {
									continue;
								}
								L8:
								 *_t404 = _t375;
								L015C4488();
								_v48 = 1;
								_t402 = _t317;
								if(_t230 == 0) {
									goto L79;
								} else {
									_v48 = E015C2300(_t230,  &_v44);
									goto L10;
								}
								goto L159;
							}
							_t230 = _t346[1] & 0x000000ff;
							_t327 = _t327 + 1;
							_t346 =  &(_t346[2]);
							 *(_t327 - 1) = _t230;
							if(_t230 != 0) {
								goto L6;
							}
							goto L8;
						} else {
							 *_t402 =  &_v44;
							_v48 = E015C2400(_v68, _v60, _v52 | 0x00000080);
							L10:
							if(_v48 != 0) {
								goto L79;
							} else {
								_t232 =  *(_v64 + 1) & 0x000000ff;
								if(_t232 == 0x2f || _t232 == 0x5c) {
									L85:
									 *_t402 = _v68;
									_t234 = strlen(??);
									_t376 = _v64;
									_t348 = _v64;
									_t319 = _t376 + _t234;
									_t235 =  *_t319 & 0x000000ff;
									__eflags = _t376 - _t319;
									if(_t376 >= _t319) {
										L90:
										__eflags = _t235 - 0x2f;
										if(_t235 == 0x2f) {
											goto L93;
										} else {
											__eflags = _t235 - 0x5c;
											if(_t235 == 0x5c) {
												goto L93;
											} else {
												_v101 = 0x5c;
											}
										}
									} else {
										while(1) {
											__eflags = _t235 - 0x2f;
											if(_t235 == 0x2f) {
												goto L93;
											}
											__eflags = _t235 - 0x5c;
											if(_t235 == 0x5c) {
												goto L90;
											} else {
												_t319 = _t319 - 1;
												_t235 =  *_t319 & 0x000000ff;
												__eflags = _t348 - _t319;
												if(_t348 != _t319) {
													continue;
												} else {
													goto L90;
												}
											}
											goto L96;
										}
										do {
											do {
												L93:
												_t319 =  &(_t319[1]);
												_t349 = _t235;
												_t235 =  *_t319 & 0x000000ff;
												__eflags = _t235 - 0x2f;
											} while (_t235 == 0x2f);
											__eflags = _t235 - 0x5c;
										} while (_t235 == 0x5c);
										_v101 = _t349;
									}
									goto L96;
								} else {
									_t292 = _v68;
									if( *_t292 != 0x2e ||  *((char*)(_t292 + 1)) != 0) {
										goto L85;
									} else {
										if((_v52 & 0x00000010) != 0) {
											_t385 = _v64;
											_t294 = E015C2260(_t385, _v52);
											_v48 = _t294;
											__eflags = _t294;
											if(_t294 == 0) {
												 *_t402 = _t385;
												_t322 = _t402;
												_t409 = _t402 - E015C3B08(strlen(??) + 0x10 >> 4 << 4);
												_t336 = _t385;
												_t396 =  &_v112;
												_t360 = _t396;
												do {
													_t300 =  *_t336 & 0x000000ff;
													_t199 =  &(_t336[1]); // 0x1
													_t386 = _t199;
													__eflags = _t300 - 0x7f;
													if(_t300 != 0x7f) {
														_t336 = _t386;
													} else {
														_t300 = _t336[1] & 0x000000ff;
														_t336 =  &(_t336[2]);
													}
													_t360 = _t360 + 1;
													 *(_t360 - 1) = _t300;
													__eflags = _t300;
												} while (_t300 != 0);
												 *_t409 = _t396;
												L015C4488();
												_t402 = _t322;
												__eflags = _t300;
												if(_t300 == 0) {
													goto L130;
												} else {
													__eflags = _a4;
													if(_a4 == 0) {
														goto L130;
													} else {
														E015C2300(_t300, _a4);
														_t377 = _v36;
													}
												}
											} else {
												_t319 = _v64;
												goto L16;
											}
										} else {
											L16:
											_v101 = 0x5c;
											_v68 = 0;
											L96:
											_t377 = _v36;
											_v48 = 2;
											_t236 =  *_t377;
											if(_t236 != 0) {
												_v76 = _t319;
												_t320 = _t377;
												_v64 = _v52 & 0x00008000;
												do {
													if(_v48 == 1) {
														L102:
														_v48 = 1;
													} else {
														 *_t402 = _t236;
														_t242 = E015C33D0();
														_v56 = _t242;
														if(_t242 == 0) {
															__eflags = _v52 & 0x00000004;
															if((_v52 & 0x00000004) != 0) {
																goto L102;
															} else {
																_t380 = _v60;
																__eflags = _t380;
																if(_t380 != 0) {
																	L015C4570();
																	_v120 =  *_t242;
																	 *_t402 =  *_t320;
																	_t245 =  *_t380();
																	__eflags = _t245;
																	if(_t245 != 0) {
																		goto L102;
																	}
																}
															}
														} else {
															_v80 = 0;
															if(_v68 != 0) {
																 *_t402 =  *_t320;
																_v80 = strlen(??);
															}
															_v84 = 0;
															_v100 = _v80 + 2;
															while(1) {
																L109:
																 *_t402 = _v56;
																_t250 = E015C35D0();
																_t390 = _t250;
																if(_t250 == 0) {
																	break;
																}
																if(_v64 == 0 ||  *((intOrPtr*)(_t390 + 8)) == 0x10) {
																	_t118 = _t390 + 0xc; // 0xc
																	_t379 = _t118;
																	if(E015C2030(_v76, _v52, _t379) != 0) {
																		continue;
																	} else {
																		_t332 =  *(_t390 + 6) & 0x0000ffff;
																		_v88 = _t402;
																		_t406 = _t402 - E015C3B08(_t332 + _v100 + 0xf >> 4 << 4);
																		_t352 =  &_v112;
																		_v92 = _t352;
																		_t263 = _t352;
																		if(_v80 != 0) {
																			_t392 = _v80;
																			_v108 = _t332;
																			 *_t406 = _t352;
																			_v116 = _t392;
																			_v120 =  *_t320;
																			_v96 = _t352;
																			memcpy(??, ??, ??);
																			_t266 =  *(_t406 + _t392 + 0xb) & 0x000000ff;
																			_t352 = _v96;
																			_t332 = _v108;
																			__eflags = _t266 - 0x2f;
																			if(_t266 == 0x2f) {
																				L147:
																				_t263 = _v80 + _t352;
																				goto L114;
																			} else {
																				__eflags = _t266 - 0x5c;
																				if(_t266 == 0x5c) {
																					goto L147;
																				} else {
																					_t395 = _v80;
																					 *((char*)(_t352 + _t395)) = _v101 & 0x000000ff;
																					_t263 = _t352 + _t395 + 1;
																					goto L114;
																				}
																			}
																			goto L129;
																		}
																		L114:
																		_v96 = _t352;
																		_v116 = _t332 + 1;
																		_v120 = _t379;
																		_t381 = _t406;
																		 *_t406 = _t263;
																		memcpy(??, ??, ??);
																		 *_t406 = _v96;
																		_t273 = E015C3B08(strlen(??) + 0x10 >> 4 << 4);
																		_t393 = _v92;
																		_t407 = _t406 - _t273;
																		_t274 =  &_v112;
																		_v96 = _t274;
																		_t354 = _t274;
																		while(1) {
																			L116:
																			_t275 =  *_t393 & 0x000000ff;
																			_t334 =  &(_t393[1]);
																			if(_t275 == 0x7f) {
																				break;
																			}
																			_t354 = _t354 + 1;
																			_t393 = _t334;
																			 *(_t354 - 1) = _t275;
																			__eflags = _t275;
																			if(_t275 != 0) {
																				continue;
																			}
																			L118:
																			_t276 = _v96;
																			 *_t407 = _t276;
																			L015C4488();
																			_t408 = _t381;
																			_t394 = _t276;
																			if(_t276 == 0) {
																				_v48 = 3;
																			} else {
																				_v48 = _v48 & (0 | _v48 == 0x00000002) - 0x00000001;
																				if((_v52 & 0x00000040) == 0) {
																					_t384 = _v84;
																					__eflags = _t384;
																					if(_t384 == 0) {
																						 *_t408 = 0xc;
																						_t280 = malloc(??);
																						_v84 = _t280;
																						__eflags = _t280;
																						if(_t280 != 0) {
																							_t281 = _v84;
																							 *((intOrPtr*)(_t281 + 8)) = _t394;
																							 *(_t281 + 4) = 0;
																							 *_t281 = 0;
																						}
																					} else {
																						_v92 = _t320;
																						_t321 = _v52 & 0x00004000;
																						while(1) {
																							_t284 =  *(_t384 + 8);
																							 *_t408 = _t394;
																							_v120 = _t284;
																							__eflags = _t321;
																							if(_t321 != 0) {
																								_t284 = strcoll();
																							} else {
																								L015C4480();
																							}
																							_t335 =  *_t384;
																							_t355 =  *(_t384 + 4);
																							__eflags = _t284;
																							if(_t284 <= 0) {
																								_t355 = _t335;
																							}
																							__eflags = _t355;
																							if(_t355 == 0) {
																								break;
																							}
																							_t384 = _t355;
																						}
																						_t320 = _v92;
																						_v92 = _t284;
																						 *_t408 = 0xc;
																						_t285 = malloc(??);
																						_t356 = _v92;
																						__eflags = _t285;
																						if(_t285 != 0) {
																							 *((intOrPtr*)(_t285 + 8)) = _t394;
																							 *(_t285 + 4) = 0;
																							 *_t285 = 0;
																							__eflags = _t356;
																							if(_t356 <= 0) {
																								 *_t384 = _t285;
																							} else {
																								 *(_t384 + 4) = _t285;
																							}
																						}
																					}
																				} else {
																					if(_a4 != 0) {
																						E015C2300(_t394, _a4);
																					}
																				}
																			}
																			_t402 = _v88;
																			goto L109;
																		}
																		_t288 = _t393[1] & 0x000000ff;
																		_t354 = _t354 + 1;
																		_t393 =  &(_t393[2]);
																		 *(_t354 - 1) = _t288;
																		if(_t288 != 0) {
																			goto L116;
																		}
																		goto L118;
																	}
																} else {
																	continue;
																}
																goto L129;
															}
															 *_t402 = _v56;
															E015C3620();
															__eflags = _v84;
															if(_v84 != 0) {
																E015C2360(_v84, _a4);
															}
														}
													}
													goto L103;
													L103:
													_t239 =  *_t320;
													_t320 =  &(_t320[1]);
													 *_t402 = _t239;
													E015C0E90();
													_t236 =  *_t320;
													__eflags = _t236;
												} while (_t236 != 0);
												L130:
												_t377 = _v36;
											}
										}
									}
								}
								L129:
								 *_t402 = _t377;
								E015C0E90();
								L52:
								return _v48;
							}
						}
					}
				}
				L159:
			}

0x015c2409
0x015c240c
0x015c240f
0x015c2415
0x015c2558
0x015c255b
0x015c255d
0x015c256e
0x015c2573
0x015c2576
0x015c2576
0x015c2578
0x015c257c
0x015c257f
0x015c257f
0x015c257f
0x015c2582
0x015c2585
0x00000000
0x00000000
0x015c2587
0x015c2587
0x015c258a
0x015c25d0
0x015c25d4
0x015c25d6
0x015c25d9
0x015c25dc
0x015c25dc
0x015c25df
0x015c25e4
0x015c25e6
0x015c25ed
0x015c25ef
0x015c261c
0x015c261c
0x015c2620
0x015c2623
0x015c2615
0x015c2615
0x015c2615
0x015c2618
0x015c261a
0x00000000
0x00000000
0x00000000
0x00000000
0x015c25f8
0x015c2630
0x015c2632
0x015c2750
0x015c2752
0x00000000
0x015c2758
0x015c2758
0x015c275c
0x015c275e
0x00000000
0x015c2764
0x015c2764
0x015c2767
0x015c276b
0x015c276b
0x015c275e
0x00000000
0x015c2638
0x015c2638
0x015c2638
0x015c263b
0x00000000
0x015c263d
0x015c263d
0x015c2641
0x015c2644
0x015c2647
0x00000000
0x015c264d
0x015c264d
0x015c2650
0x015c2653
0x015c2653
0x015c2653
0x015c2656
0x015c265b
0x015c265e
0x00000000
0x00000000
0x015c2668
0x015c2668
0x015c2668
0x015c266b
0x015c266d
0x015c266d
0x015c2670
0x015c26e0
0x015c26e0
0x015c26e3
0x015c27b0
0x00000000
0x015c26e9
0x015c26e9
0x015c26ec
0x00000000
0x015c26ec
0x00000000
0x015c2672
0x015c2672
0x015c2675
0x015c2730
0x015c2730
0x015c2733
0x015c2736
0x015c2740
0x015c2742
0x015c2744
0x00000000
0x015c2746
0x00000000
0x015c2746
0x015c2738
0x015c2738
0x015c273b
0x015c26ef
0x015c26ef
0x015c26f3
0x015c26f6
0x00000000
0x00000000
0x00000000
0x00000000
0x015c26f6
0x00000000
0x015c267b
0x015c267b
0x015c267e
0x00000000
0x015c2684
0x015c2684
0x015c2686
0x015c2690
0x015c2690
0x015c2693
0x015c2697
0x015c269a
0x00000000
0x00000000
0x015c269c
0x015c2790
0x015c2790
0x015c2793
0x015c2810
0x015c2813
0x015c2690
0x015c2693
0x015c2697
0x015c269a
0x00000000
0x00000000
0x00000000
0x015c2795
0x015c2795
0x015c2798
0x015c2840
0x015c2840
0x015c2843
0x015c27b2
0x015c27b2
0x015c27b2
0x015c27b8
0x015c27b8
0x015c27bb
0x015c27be
0x015c27c1
0x015c27c4
0x015c27c4
0x015c27cb
0x015c27cd
0x015c27d0
0x015c27d9
0x015c27de
0x015c27e1
0x015c277c
0x015c277c
0x00000000
0x015c27e3
0x015c27e3
0x015c27e6
0x015c2a7e
0x00000000
0x015c27ec
0x015c27ec
0x00000000
0x015c27ec
0x015c27e6
0x015c2849
0x015c2849
0x015c2690
0x015c2690
0x015c2693
0x015c2697
0x015c269a
0x00000000
0x00000000
0x00000000
0x015c269a
0x015c2690
0x015c279e
0x015c279e
0x015c27a0
0x015c26be
0x015c26be
0x015c26c1
0x00000000
0x015c27a6
0x015c27a6
0x015c2690
0x015c2690
0x015c2693
0x015c2697
0x015c269a
0x00000000
0x00000000
0x00000000
0x015c26b8
0x015c26b8
0x015c26b8
0x015c26bc
0x00000000
0x00000000
0x015c26a8
0x015c26ac
0x015c26af
0x015c26b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x015c26b2
0x00000000
0x015c26b8
0x015c2690
0x015c27a0
0x015c2798
0x00000000
0x015c2793
0x015c2690
0x015c267e
0x015c2675
0x015c26c8
0x00000000
0x015c26fc
0x015c26fc
0x015c2700
0x015c2703
0x015c2706
0x015c2709
0x015c270b
0x015c2778
0x00000000
0x015c270d
0x015c270d
0x015c2711
0x00000000
0x015c2711
0x00000000
0x015c270b
0x015c2653
0x015c2647
0x015c263b
0x015c25fa
0x015c25fa
0x015c25fc
0x015c2720
0x015c2723
0x015c2723
0x015c2726
0x015c2728
0x015c257f
0x015c257f
0x015c257f
0x015c2582
0x015c2585
0x00000000
0x00000000
0x00000000
0x015c2585
0x015c2602
0x015c2602
0x015c2604
0x015c260f
0x015c260f
0x015c2613
0x015c2613
0x015c2606
0x015c2606
0x015c2609
0x015c2820
0x015c2824
0x015c282b
0x00000000
0x00000000
0x00000000
0x015c2609
0x00000000
0x015c2604
0x015c25fc
0x015c258c
0x015c258c
0x015c258c
0x015c258e
0x015c2591
0x015c2593
0x015c2832
0x00000000
0x015c2599
0x015c2599
0x015c259d
0x015c259f
0x015c25a1
0x015c25a1
0x015c25a4
0x015c25a7
0x00000000
0x00000000
0x00000000
0x00000000
0x015c25a7
0x015c2593
0x00000000
0x015c25a9
0x015c25a9
0x015c25ad
0x015c25b0
0x015c25b2
0x015c25c0
0x015c25c3
0x015c25c6
0x015c25c9
0x00000000
0x015c25b4
0x015c25b4
0x015c25b7
0x015c25ba
0x015c25bc
0x00000000
0x015c25bc
0x00000000
0x015c25b2
0x015c241b
0x015c241b
0x015c241b
0x015c241e
0x015c2421
0x015c2429
0x015c243a
0x015c2440
0x015c2444
0x015c2448
0x015c2450
0x015c2453
0x015c2458
0x015c245f
0x015c2462
0x015c2467
0x015c246c
0x015c2471
0x015c27f8
0x015c2805
0x015c2477
0x015c2479
0x015c248d
0x015c2490
0x015c2492
0x015c24a8
0x015c24aa
0x015c24ac
0x015c24b0
0x015c24c4
0x015c24c4
0x015c24c4
0x015c24c7
0x015c24cc
0x00000000
0x00000000
0x015c24b8
0x015c24bb
0x015c24bd
0x015c24c0
0x015c24c2
0x00000000
0x00000000
0x015c24df
0x015c24df
0x015c24e2
0x015c24e7
0x015c24ee
0x015c24f2
0x00000000
0x015c24f8
0x015c2500
0x00000000
0x015c2500
0x00000000
0x015c24f2
0x015c24ce
0x015c24d2
0x015c24d5
0x015c24d8
0x015c24dd
0x00000000
0x00000000
0x00000000
0x015c2a86
0x015c2a8c
0x015c2a9d
0x015c2503
0x015c2508
0x00000000
0x015c250e
0x015c2511
0x015c2517
0x015c2850
0x015c2853
0x015c2856
0x015c285b
0x015c285e
0x015c2861
0x015c2864
0x015c2867
0x015c2869
0x015c2882
0x015c2882
0x015c2884
0x00000000
0x015c2886
0x015c2886
0x015c2888
0x00000000
0x015c288a
0x015c288a
0x015c288a
0x015c2888
0x015c2870
0x015c2870
0x015c2870
0x015c2872
0x00000000
0x00000000
0x015c2874
0x015c2876
0x00000000
0x015c2878
0x015c2878
0x015c287b
0x015c287e
0x015c2880
0x00000000
0x00000000
0x00000000
0x00000000
0x015c2880
0x00000000
0x015c2876
0x015c2890
0x015c2890
0x015c2890
0x015c2890
0x015c2893
0x015c2895
0x015c2898
0x015c2898
0x015c289c
0x015c289c
0x015c28a0
0x015c28a0
0x00000000
0x015c2525
0x015c2525
0x015c252b
0x00000000
0x015c253b
0x015c253f
0x015c2bf4
0x015c2bfc
0x015c2c01
0x015c2c04
0x015c2c06
0x015c2c10
0x015c2c13
0x015c2c28
0x015c2c2a
0x015c2c2c
0x015c2c30
0x015c2c44
0x015c2c44
0x015c2c47
0x015c2c47
0x015c2c4a
0x015c2c4c
0x015c2c34
0x015c2c4e
0x015c2c4e
0x015c2c52
0x015c2c52
0x015c2c36
0x015c2c39
0x015c2c3c
0x015c2c3c
0x015c2acb
0x015c2ace
0x015c2ad3
0x015c2ad5
0x015c2ad7
0x00000000
0x015c2ad9
0x015c2adc
0x015c2ade
0x00000000
0x015c2ae0
0x015c2ae3
0x015c2aeb
0x015c2aeb
0x015c2ade
0x015c2c08
0x015c2c08
0x00000000
0x015c2c08
0x015c2545
0x015c2545
0x015c2545
0x015c2549
0x015c28a3
0x015c28a3
0x015c28a6
0x015c28ad
0x015c28b1
0x015c28ba
0x015c28bd
0x015c28c5
0x015c2916
0x015c291a
0x015c28f8
0x015c28f8
0x015c291c
0x015c291c
0x015c291f
0x015c2924
0x015c2929
0x015c28d0
0x015c28d4
0x00000000
0x015c28d6
0x015c28d6
0x015c28d9
0x015c28db
0x015c28dd
0x015c28e4
0x015c28ea
0x015c28ed
0x015c28ef
0x015c28f1
0x00000000
0x00000000
0x015c28f1
0x015c28db
0x015c292b
0x015c292e
0x015c2937
0x015c293b
0x015c2943
0x015c2943
0x015c2949
0x015c2953
0x015c2960
0x015c2960
0x015c2963
0x015c2966
0x015c296b
0x015c296f
0x00000000
0x00000000
0x015c297a
0x015c2982
0x015c2982
0x015c2994
0x00000000
0x015c2996
0x015c2996
0x015c299d
0x015c29b2
0x015c29b4
0x015c29b8
0x015c29bb
0x015c29bf
0x015c2b04
0x015c2b09
0x015c2b0c
0x015c2b0f
0x015c2b13
0x015c2b17
0x015c2b1a
0x015c2b1f
0x015c2b24
0x015c2b27
0x015c2b2a
0x015c2b2c
0x015c2be3
0x015c2be6
0x00000000
0x015c2b32
0x015c2b32
0x015c2b34
0x00000000
0x015c2b3a
0x015c2b3a
0x015c2b41
0x015c2b44
0x00000000
0x015c2b44
0x015c2b34
0x00000000
0x015c2b2c
0x015c29c5
0x015c29c8
0x015c29cb
0x015c29cf
0x015c29d3
0x015c29d5
0x015c29d8
0x015c29e0
0x015c29f1
0x015c29f6
0x015c29f9
0x015c29fb
0x015c29ff
0x015c2a02
0x015c2a1c
0x015c2a1c
0x015c2a1c
0x015c2a1f
0x015c2a24
0x00000000
0x00000000
0x015c2a10
0x015c2a13
0x015c2a15
0x015c2a18
0x015c2a1a
0x00000000
0x00000000
0x015c2a37
0x015c2a37
0x015c2a3a
0x015c2a3d
0x015c2a42
0x015c2a44
0x015c2a48
0x015c2c86
0x015c2a4e
0x015c2a5e
0x015c2a65
0x015c2b4d
0x015c2b50
0x015c2b52
0x015c2c57
0x015c2c5e
0x015c2c63
0x015c2c66
0x015c2c68
0x015c2c6e
0x015c2c71
0x015c2c74
0x015c2c7b
0x015c2c7b
0x015c2b58
0x015c2b5b
0x015c2b63
0x015c2b86
0x015c2b86
0x015c2b89
0x015c2b8c
0x015c2b90
0x015c2b92
0x015c2b70
0x015c2b94
0x015c2b94
0x015c2b94
0x015c2b75
0x015c2b77
0x015c2b7a
0x015c2b7c
0x015c2b7e
0x015c2b7e
0x015c2b80
0x015c2b82
0x00000000
0x00000000
0x015c2b84
0x015c2b84
0x015c2b9b
0x015c2b9e
0x015c2ba1
0x015c2ba8
0x015c2bad
0x015c2bb0
0x015c2bb2
0x015c2bb8
0x015c2bbb
0x015c2bc2
0x015c2bc8
0x015c2bca
0x015c2bed
0x015c2bcc
0x015c2bcc
0x015c2bcc
0x015c2bca
0x015c2bb2
0x015c2a6b
0x015c2a70
0x015c2bd9
0x015c2bd9
0x015c2a70
0x015c2a65
0x015c2a76
0x00000000
0x015c2a76
0x015c2a26
0x015c2a2a
0x015c2a2d
0x015c2a30
0x015c2a35
0x00000000
0x00000000
0x00000000
0x015c2a35
0x00000000
0x00000000
0x00000000
0x00000000
0x015c297a
0x015c2aa8
0x015c2aab
0x015c2ab3
0x015c2ab5
0x015c2ac1
0x015c2ac1
0x015c2ab5
0x015c2929
0x00000000
0x015c28ff
0x015c28ff
0x015c2901
0x015c2904
0x015c2907
0x015c290c
0x015c290e
0x015c290e
0x015c2afd
0x015c2b00
0x015c2b00
0x015c28b1
0x015c253f
0x015c252b
0x015c2aed
0x015c2aed
0x015c2af0
0x015c26cb
0x015c26d5
0x015c26d5
0x015c2508
0x015c2479
0x015c2471
0x00000000

APIs

strlen.MSVCRT ref: 015C2424
memcpy.MSVCRT ref: 015C244B

Part of subcall function 015C2E00: setlocale.MSVCRT ref: 015C2E18
Part of subcall function 015C2E00: _strdup.MSVCRT ref: 015C2E26
Part of subcall function 015C2E00: setlocale.MSVCRT ref: 015C2E3C
Part of subcall function 015C2E00: wcstombs.MSVCRT ref: 015C2E67
Part of subcall function 015C2E00: wcstombs.MSVCRT ref: 015C2E94
Part of subcall function 015C2E00: setlocale.MSVCRT ref: 015C2EA4

Part of subcall function 015C23B0: malloc.MSVCRT ref: 015C23C7

strlen.MSVCRT ref: 015C2495
_strdup.MSVCRT ref: 015C24E2
strlen.MSVCRT ref: 015C2560
strlen.MSVCRT ref: 015C293E

Strings

{, xrefs: 015C2824
@, xrefs: 015C2A61
\, xrefs: 015C288A

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: strlen$setlocale$_strdupwcstombs$mallocmemcpy
String ID: @$\${
API String ID: 3109254050-3793226235
Opcode ID: d51c2c5b3cd0578262d98dfa8f37cd55a0399e2909b2872257c9b3cc00fe9548
Instruction ID: e2e48d9cb08b67cad76a1e7b3602beba3961b88886df9967b1886411f1878a14
Opcode Fuzzy Hash: d51c2c5b3cd0578262d98dfa8f37cd55a0399e2909b2872257c9b3cc00fe9548
Instruction Fuzzy Hash: 5C329B70D0835A8FDB219FECC4802AEBBF2BF55A04F08855DD895AF305DB75A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015C2E00 Relevance: 19.8, APIs: 13, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 015C2E18
_strdup.MSVCRT ref: 015C2E26
setlocale.MSVCRT ref: 015C2E3C
wcstombs.MSVCRT ref: 015C2E67
wcstombs.MSVCRT ref: 015C2E94
setlocale.MSVCRT ref: 015C2EA4

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: setlocale$wcstombs$_strdup
String ID:
API String ID: 3699089627-0
Opcode ID: 9f9a9d0b1fbc410e12a63aeacee5c929512c64c8e26cfb24a535873c617a5707
Instruction ID: 8cc1b408c3cf7dcd32c1040a95b39714c681db09cf489d80739bff9aa44049c2
Opcode Fuzzy Hash: 9f9a9d0b1fbc410e12a63aeacee5c929512c64c8e26cfb24a535873c617a5707
Instruction Fuzzy Hash: 37A1937590421B8EDB24AFA9C0456BEFBF1FF84B44F44C42DE5989F254E7358981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 015C2CA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E015C2CA0(signed char* _a4, signed int _a8, signed int _a12, char** _a16) {
				void* _v16;
				signed char** _v32;
				intOrPtr _v36;
				signed char** _v40;
				char _v56;
				signed char** _t25;
				void* _t31;
				char* _t32;
				signed int _t33;
				intOrPtr _t34;
				signed int _t36;
				signed char* _t39;
				signed char** _t41;
				signed char** _t42;
				char* _t44;
				signed int _t46;
				signed char* _t48;
				char** _t49;
				signed char** _t50;
				intOrPtr* _t51;

				_t49 = _a16;
				_t39 = _a4;
				_t46 = _a8;
				if(_t49 != 0 && (_t46 & 0x00000002) == 0) {
					_t49[3] = 0;
				}
				if( *_t49 != "glob-1.0-mingw32") {
					E015C23B0(_t49);
					 *_t49 = "glob-1.0-mingw32";
				}
				 *_t50 = _t49;
				_t25 = E015C2400(_t39, _a12, _t46); // executed
				_t41 = _t25;
				if(_t25 == 2) {
					if((_t46 & 0x00000010) == 0) {
						goto L5;
					}
					_v40 = _t25;
					_v32 = _t50;
					 *_t50 = _t39;
					_t31 = E015C3B08(strlen(??) + 0x10 >> 4 << 4);
					_t42 = _v40;
					_t51 = _t50 - _t31;
					_t32 =  &_v56;
					_v36 = _t32;
					_t44 = _t32;
					while(1) {
						L10:
						_t33 =  *_t39 & 0x000000ff;
						_t15 =  &(_t39[1]); // 0x2
						_t48 = _t15;
						if(_t33 == 0x7f) {
							break;
						}
						_t44 = _t44 + 1;
						_t39 = _t48;
						 *(_t44 - 1) = _t33;
						if(_t33 == 0) {
							L12:
							_t34 = _v36;
							_v40 = _t42;
							 *_t51 = _t34;
							L015C4488();
							_t41 = _v40;
							if(_t34 != 0) {
								_v32 = _t41;
								E015C2300(_t34, _t49);
								_t41 = _v32;
							}
							goto L5;
						}
					}
					_t36 = _t39[1] & 0x000000ff;
					_t44 = _t44 + 1;
					_t39 =  &(_t39[2]);
					 *(_t44 - 1) = _t36;
					if(_t36 != 0) {
						goto L10;
					}
					goto L12;
				} else {
					L5:
					return _t41;
				}
			}

0x015c2ca9
0x015c2cac
0x015c2caf
0x015c2cb4
0x015c2cf8
0x015c2cf8
0x015c2cc4
0x015c2cc8
0x015c2ccd
0x015c2ccd
0x015c2cd3
0x015c2cdd
0x015c2ce2
0x015c2ce7
0x015c2d0b
0x00000000
0x00000000
0x015c2d0d
0x015c2d10
0x015c2d13
0x015c2d24
0x015c2d29
0x015c2d2c
0x015c2d2e
0x015c2d32
0x015c2d35
0x015c2d4c
0x015c2d4c
0x015c2d4c
0x015c2d4f
0x015c2d4f
0x015c2d54
0x00000000
0x00000000
0x015c2d40
0x015c2d43
0x015c2d45
0x015c2d4a
0x015c2d67
0x015c2d67
0x015c2d6a
0x015c2d6d
0x015c2d70
0x015c2d78
0x015c2d7d
0x015c2d85
0x015c2d88
0x015c2d8d
0x015c2d8d
0x00000000
0x015c2d7d
0x015c2d4a
0x015c2d56
0x015c2d5a
0x015c2d5d
0x015c2d60
0x015c2d65
0x00000000
0x00000000
0x00000000
0x015c2ce9
0x015c2ce9
0x015c2cf2
0x015c2cf2

Strings

glob-1.0-mingw32, xrefs: 015C2CBE, 015C2CCD

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID:
String ID: glob-1.0-mingw32
API String ID: 0-3253302226
Opcode ID: a682a2783aeaf364a005ad04594ef2ca60e46db2ee51a3791ac45c2f0373bc59
Instruction ID: 8696f2386f4b27c610158d34b6c209b3dd7a7a2ea04591d29578d4c0820146f6
Opcode Fuzzy Hash: a682a2783aeaf364a005ad04594ef2ca60e46db2ee51a3791ac45c2f0373bc59
Instruction Fuzzy Hash: 26219C71A0430A9FDB14DFE9D4846AEFBF1FF99A00F04446ED841AF301DA35A902CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015C3310 Relevance: 4.6, APIs: 3, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileA.KERNEL32 ref: 015C3325
GetLastError.KERNEL32 ref: 015C33A8
_errno.MSVCRT ref: 015C33B2

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: ErrorFileFindLastNext_errno
String ID:
API String ID: 2804278807-0
Opcode ID: 4cd31363d1541cb8eed625711bfb5ab2a100034e0dea179537f40a6dc5d4f255
Instruction ID: feb6cf778e5ef836112c3db507802702504ef784924b263d9ef9af131ea1b3c9
Opcode Fuzzy Hash: 4cd31363d1541cb8eed625711bfb5ab2a100034e0dea179537f40a6dc5d4f255
Instruction Fuzzy Hash: C111CA711043918FDF919FA8ACC02A9FBA0BF41A15F08C85ADC94CF346E639C449C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 015C3620 Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(?,?,?,?,?,015C2AB0), ref: 015C3635

Part of subcall function 015C0E90: free.MSVCRT ref: 015C0EAA

_errno.MSVCRT ref: 015C3650

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: CloseFind_errnofree
String ID:
API String ID: 1660445202-0
Opcode ID: 4cf8735a8588300b2aad698e18ec094a1506b4c976f351047600e6d2358682cc
Instruction ID: 9dfe9ec80c285a995d8073838b6a4b5290364fa86209e5132d2aa05a6887fd14
Opcode Fuzzy Hash: 4cf8735a8588300b2aad698e18ec094a1506b4c976f351047600e6d2358682cc
Instruction Fuzzy Hash: 38E04F709003068FDB407EF889C165A36E47B50A10F404A7DD9954F281E778C4908792

Uniqueness

Uniqueness Score: -1.00%

Function 015C0E90 Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 015C0EAA

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b49d4ff45742032c70f306c275094e6a7f308b33d63afa001026e366fbb24da2
Instruction ID: f77c0508bc1b06860866e5436e6f3e7b5543404e130a2dd80888befa9507724e
Opcode Fuzzy Hash: b49d4ff45742032c70f306c275094e6a7f308b33d63afa001026e366fbb24da2
Instruction Fuzzy Hash: 32D0EAB8849741DFC744EF79D18955ABBE5BE88600F814C2DF88487204E77596988F83

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 015C14C0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedda247470bab3915184e88ff1992c4db144fa5595070cd830cc78b976b595f
Instruction ID: e8d63de2530f5cc4ed8e60028001bc2a686802b13e515ef114f5866193b2ac43
Opcode Fuzzy Hash: aedda247470bab3915184e88ff1992c4db144fa5595070cd830cc78b976b595f
Instruction Fuzzy Hash: 7C210A38918B428EF376899D44D47DB6D96B754714F2C8E2CCE4AC62D7E6B5C484CA10

Uniqueness

Uniqueness Score: -1.00%

Function 015C19D0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E015C19D0(signed int __ecx, signed int __edx) {
				intOrPtr _t112;
				int _t115;
				long _t117;
				signed int _t119;
				signed int _t121;
				void* _t123;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				intOrPtr _t130;
				signed int _t135;
				void* _t136;
				void* _t143;
				void* _t144;
				char* _t145;
				signed int* _t146;
				signed int _t149;
				signed int _t151;
				signed int _t153;
				signed int _t155;
				void* _t157;
				signed int _t159;
				void* _t162;
				signed int _t164;
				signed int _t168;
				signed int _t170;
				signed int _t171;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t178;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				signed int _t193;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t202;
				long _t203;
				signed int _t204;
				signed int _t209;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				void* _t216;
				int _t219;
				struct _MEMORY_BASIC_INFORMATION* _t220;
				signed int _t221;
				signed int _t226;
				signed int _t227;
				signed int _t230;
				signed int _t231;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t237;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				signed int _t246;
				char* _t248;
				void* _t250;
				void** _t251;
				char** _t252;
				char** _t253;
				char** _t254;
				signed int* _t257;

				_t184 = __edx;
				_t168 = __ecx;
				_t251 = _t250 - 0x14;
				_t112 = __imp___iob;
				_t251[2] = 0x17;
				_t220 =  &(_t251[9]);
				_t3 = _t112 + 0x40; // 0x777d4640
				_t144 = _t3;
				_t251[1] = 1;
				_t251[3] = _t144;
				 *_t251 = "Mingw runtime failure:\n";
				fwrite(_t143, _t219, ??, ??);
				_t251[2] = _t220;
				 *_t251 = _t144;
				_t251[1] = _t251[8];
				_t115 = vfprintf(??, ??, ??);
				abort();
				_t204 = _t184;
				_t221 = _t168;
				_t145 = _t115;
				_t252 = _t251 - 0x3c;
				_t252[2] = 0x1c;
				_t252[1] =  &(_t252[5]);
				 *_t252 = _t145;
				_t117 = VirtualQuery(_t144, _t220, _t203);
				_t253 = _t252 - 0xc;
				if(_t117 == 0) {
					_t253[2] = _t145;
					_t253[1] = 0x1c;
					 *_t253 = "  VirtualQuery failed for %d bytes at address %p";
					E015C19D0(_t168, _t184);
					_t119 =  *0x181a390; // 0x1
					if(_t119 == 0) {
						 *0x181a390 = 1;
						_t119 = 0;
						if(0x17eab78 <= 7) {
							goto L16;
						} else {
							_push(_t204);
							_push(_t221);
							_push(_t145);
							_t254 = _t253 - 0x20;
							_t185 =  *0x17eab78; // 0x0
							if(0x17eab78 > 0xb) {
								if(_t185 != 0) {
									_t146 = 0x17eab78;
									goto L42;
								} else {
									_t119 =  *0x17eab7c; // 0x0
									_t204 = _t119 |  *0x17eab80;
									if(_t204 != 0) {
										_t146 = 0x17eab78;
										goto L22;
									} else {
										_t185 =  *0x17eab84; // 0x0
										_t146 = 0x17eab84;
										goto L20;
									}
								}
							} else {
								_t146 = 0x17eab78;
								L20:
								if(_t185 != 0) {
									L42:
									if(_t146 >= 0x17eab78) {
										goto L29;
									} else {
										do {
											_t48 =  &(_t146[1]); // 0x0
											_t186 =  *_t48;
											_t121 =  *_t146;
											_t146 =  &(_t146[2]);
											_t49 = _t186 + 0x12a0000; // 0x905a4d
											_t50 = _t186 + 0x12a0000; // 0x12a0000
											_t254[7] = _t121 +  *_t49;
											_t123 = _t50;
											L1();
										} while (_t146 < 0x17eab78);
										return _t123;
									}
								} else {
									_t32 =  &(_t146[1]); // 0x0
									_t119 =  *_t32;
									L22:
									if(_t119 != 0) {
										goto L42;
									} else {
										_t33 =  &(_t146[2]); // 0x0
										_t119 =  *_t33;
										if(_t119 != 1) {
											_t254[1] = _t119;
											 *_t254 = "  Unknown pseudo relocation protocol version %d.\n";
											_t124 = E015C19D0(_t168, _t185);
											_push(_t240);
											_push(_t204);
											_push(_t221);
											_push(_t146);
											_t257 = _t254 - 0x3c;
											_t241 =  *_t124;
											_t257[7] = _t185;
											_t257[0xa] = _t168;
											_t149 = _t241;
											if(_t241 == 0x2d) {
												L68:
												_t170 =  *(_t124 + 1) & 0x000000ff;
												_t188 = _t124 + 1;
												if(_t241 == _t257[7]) {
													_t151 = _t257[0xa] & 0x00000020;
													while(1) {
														_t125 = _t188 + 1;
														if(_t170 == 0x5d) {
															goto L73;
														}
														if(_t170 == 0x7f) {
															L108:
															_t170 =  *(_t188 + 1) & 0x000000ff;
															if(_t151 != 0) {
																_t188 = _t125;
																continue;
															} else {
																_t226 = _t188 + 2;
																_t188 = _t125;
																_t125 = _t226;
																goto L105;
															}
														} else {
															L105:
															while(_t170 != 0) {
																_t170 =  *(_t188 + 1) & 0x000000ff;
																_t188 = _t125;
																_t125 = _t188 + 1;
																if(_t170 != 0x5d) {
																	if(_t170 != 0x7f) {
																		continue;
																	} else {
																		goto L108;
																	}
																}
																goto L73;
															}
															goto L72;
														}
														goto L73;
													}
												} else {
													_t241 = _t170;
													goto L50;
												}
											} else {
												_t188 = _t124;
												if(_t241 == 0x5d) {
													goto L68;
												} else {
													L50:
													_t257[8] = _t257[0xa] & 0x00004000;
													_t128 = _t241;
													_t243 = _t188;
													_t189 = _t149;
													_t153 = _t128;
													while(1) {
														_t209 = _t243 + 1;
														_t227 = _t153;
														if(_t153 == 0x5d) {
															break;
														}
														if(_t153 == 0x2d) {
															_t153 =  *(_t243 + 1);
															if(_t153 == 0x5d) {
																_t243 = _t209;
																_t189 = 0x2d;
																goto L58;
															} else {
																_t233 = _t153;
																if(_t233 != 0) {
																	_t257[9] = _t243;
																	_t244 = _t189;
																	_t257[0xb] = _t243 + 2;
																	_t211 = _t233;
																	_t234 = _t257[8];
																	while(_t244 < _t211) {
																		if(_t234 != 0) {
																			_t162 = _t244 - _t257[7];
																			_t244 = _t244 + 1;
																			if(_t162 == 0) {
																				goto L80;
																			} else {
																				continue;
																			}
																		} else {
																			 *_t257 = _t244;
																			_t244 = _t244 + 1;
																			L015C44A0();
																			_t164 = _t128;
																			_t128 = _t257[7];
																			 *_t257 = _t128;
																			L015C44A0();
																			if(_t164 != _t128) {
																				continue;
																			} else {
																				L80:
																				_t215 = _t257[0xb];
																				_t195 =  *(_t257[9] + 2) & 0x000000ff;
																				_t175 = _t257[0xa] & 0x00000020;
																				while(1) {
																					_t84 = _t215 + 1; // 0x22
																					_t125 = _t84;
																					if(_t195 == 0x5d) {
																						goto L73;
																					}
																					if(_t195 == 0x7f) {
																						L86:
																						_t195 =  *(_t215 + 1) & 0x000000ff;
																						if(_t175 != 0) {
																							_t215 = _t125;
																							continue;
																						} else {
																							_t88 = _t215 + 2; // 0x24
																							_t215 = _t125;
																							_t125 = _t88;
																							goto L83;
																						}
																					} else {
																						L83:
																						while(_t195 != 0) {
																							_t195 =  *(_t215 + 1) & 0x000000ff;
																							_t215 = _t125;
																							_t86 = _t215 + 1; // 0x25
																							_t125 = _t86;
																							if(_t195 != 0x5d) {
																								if(_t195 != 0x7f) {
																									continue;
																								} else {
																									goto L86;
																								}
																							}
																							goto L73;
																						}
																						goto L72;
																					}
																					goto L73;
																				}
																			}
																		}
																		goto L73;
																	}
																	_t257[9] = _t257[0xb];
																	_t213 = _t211;
																	_t236 = _t244;
																	_t257[0xb] = _t257[9];
																	_t246 = _t257[8];
																	while(_t236 > _t213) {
																		if(_t246 != 0) {
																			_t157 = _t236 - _t257[7];
																			_t236 = _t236 - 1;
																			if(_t157 == 0) {
																				goto L93;
																			} else {
																				continue;
																			}
																		} else {
																			 *_t257 = _t236;
																			_t236 = _t236 - 1;
																			L015C44A0();
																			_t159 = _t128;
																			_t128 = _t257[7];
																			 *_t257 = _t128;
																			L015C44A0();
																			if(_t159 != _t128) {
																				continue;
																			} else {
																				L93:
																				_t214 = _t257[9];
																				_t193 =  *(_t257[0xb] + 2) & 0x000000ff;
																				_t173 = _t257[0xa] & 0x00000020;
																				while(1) {
																					_t100 = _t214 + 1; // 0x22
																					_t125 = _t100;
																					if(_t193 == 0x5d) {
																						goto L73;
																					}
																					if(_t193 == 0x7f) {
																						L99:
																						_t193 =  *(_t214 + 1) & 0x000000ff;
																						if(_t173 != 0) {
																							_t214 = _t125;
																							continue;
																						} else {
																							_t104 = _t214 + 2; // 0x24
																							_t214 = _t125;
																							_t125 = _t104;
																							goto L96;
																						}
																					} else {
																						L96:
																						while(_t193 != 0) {
																							_t193 =  *(_t214 + 1) & 0x000000ff;
																							_t214 = _t125;
																							_t102 = _t214 + 1; // 0x25
																							_t125 = _t102;
																							if(_t193 != 0x5d) {
																								if(_t193 != 0x7f) {
																									continue;
																								} else {
																									goto L99;
																								}
																							}
																							goto L73;
																						}
																						goto L72;
																					}
																					goto L73;
																				}
																			}
																		}
																		goto L73;
																	}
																	_t227 = _t213;
																	_t209 = _t257[9];
																	goto L55;
																} else {
																	break;
																}
															}
														} else {
															if(_t153 == 0) {
																break;
															} else {
																L55:
																if(_t227 == 0x2f || _t227 == 0x5c) {
																	break;
																} else {
																	_t153 =  *_t209;
																	_t243 = _t209;
																	_t189 = _t227;
																	L58:
																	_t128 = _t257[8];
																	if(_t128 != 0) {
																		if(_t189 == _t257[7]) {
																			goto L60;
																		} else {
																			continue;
																		}
																	} else {
																		 *_t257 = _t189;
																		_t257[9] = _t189;
																		L015C44A0();
																		_t231 = _t128;
																		_t128 = _t257[7];
																		 *_t257 = _t128;
																		L015C44A0();
																		_t189 = _t257[9];
																		if(_t231 != _t128) {
																			continue;
																		} else {
																			L60:
																			_t171 = _t153;
																			_t190 = _t243;
																			_t155 = _t257[0xa] & 0x00000020;
																			while(1) {
																				_t125 = _t190 + 1;
																				if(_t171 == 0x5d) {
																					goto L73;
																				}
																				if(_t171 == 0x7f) {
																					L66:
																					_t171 =  *(_t190 + 1) & 0x000000ff;
																					if(_t155 != 0) {
																						_t190 = _t125;
																						continue;
																					} else {
																						_t230 = _t190 + 2;
																						_t190 = _t125;
																						_t125 = _t230;
																						goto L63;
																					}
																				} else {
																					L63:
																					while(_t171 != 0) {
																						_t171 =  *(_t190 + 1) & 0x000000ff;
																						_t190 = _t125;
																						_t125 = _t190 + 1;
																						if(_t171 != 0x5d) {
																							if(_t171 != 0x7f) {
																								continue;
																							} else {
																								goto L66;
																							}
																						}
																						goto L73;
																					}
																					goto L72;
																				}
																				goto L73;
																			}
																		}
																	}
																}
															}
														}
														goto L73;
													}
													L72:
													_t125 = 0;
												}
											}
											L73:
											return _t125;
										} else {
											while(1) {
												L25:
												_t146 =  &(_t146[3]);
												if(_t146 >= 0x17eab78) {
													break;
												} else {
													goto L26;
												}
												while(1) {
													L26:
													_t129 =  *_t146;
													_t34 =  &(_t146[1]); // 0x2e303120
													_t176 =  *_t34;
													_t35 =  &(_t146[2]); // 0x302e33
													_t196 =  *_t35 & 0x000000ff;
													_t36 = _t129 + 0x12a0000; // 0x12a0000
													_t216 = _t36;
													_t37 = _t176 + 0x12a0000; // 0x2f5a3120
													_t237 = _t37;
													_t38 = _t129 + 0x12a0000; // 0x905a4d
													_t130 =  *_t38;
													if(_t196 == 0x10) {
														break;
													}
													if(_t196 != 0x20) {
														if(_t196 == 8) {
															_t178 =  *_t237 & 0x000000ff;
															if(_t178 < 0) {
																_t178 = _t178 | 0xffffff00;
															}
															_t254[7] = _t130 + _t178 - _t216;
															_t119 = _t237;
															L1();
															goto L25;
														} else {
															_t254[1] = _t196;
															 *_t254 = "  Unknown pseudo relocation bit size %d.\n";
															_t254[7] = 0;
															_t130 = E015C19D0(_t176, _t196);
															break;
														}
														goto L114;
													} else {
														_t146 =  &(_t146[3]);
														_t254[7] = _t130 - _t216 +  *_t237;
														_t119 = _t237;
														L1();
														if(_t146 < 0x17eab78) {
															continue;
														}
													}
													goto L29;
												}
												_t43 = _t176 + 0x12a0000; // 0x905a4d
												_t197 =  *_t43 & 0x0000ffff;
												if(_t197 < 0) {
													_t197 = _t197 | 0xffff0000;
												}
												_t254[7] = _t130 + _t197 - _t216;
												_t119 = _t237;
												L1();
											}
											L29:
											return _t119;
										}
									}
								}
							}
						}
					} else {
						L16:
						return _t119;
					}
				} else {
					_t135 = _t253[0xa];
					if(_t135 == 0x40 || _t135 == 4) {
						if(_t221 != 0) {
							_t136 = 0;
							do {
								_t145[_t136] =  *(_t204 + _t136) & 0x000000ff;
								_t136 = _t136 + 1;
							} while (_t136 < _t221);
						}
						goto L7;
					} else {
						_t248 =  &(_t253[4]);
						_t253[2] = 0x40;
						_t253[3] = _t248;
						_t253[1] = _t253[8];
						 *_t253 = _t253[5];
						_t135 = VirtualProtect(??, ??, ??, ??);
						_t253 = _t253 - 0x10;
						_t183 = _t253[0xa];
						if(_t221 != 0) {
							_t202 = 0;
							do {
								_t135 =  *(_t204 + _t202) & 0x000000ff;
								_t145[_t202] = _t135;
								_t202 = _t202 + 1;
							} while (_t202 < _t221);
						}
						if(_t183 == 0x40 || _t183 == 4) {
							L7:
							return _t135;
						} else {
							_t253[3] = _t248;
							_t253[2] = _t253[4];
							_t253[1] = _t253[8];
							 *_t253 = _t253[5];
							return VirtualProtect(??, ??, ??, ??);
						}
					}
				}
				L114:
			}

0x015c19d0
0x015c19d0
0x015c19d2
0x015c19d5
0x015c19da
0x015c19e2
0x015c19e6
0x015c19e6
0x015c19e9
0x015c19f1
0x015c19f5
0x015c19fc
0x015c1a05
0x015c1a09
0x015c1a0c
0x015c1a10
0x015c1a15
0x015c1a22
0x015c1a25
0x015c1a28
0x015c1a2a
0x015c1a31
0x015c1a39
0x015c1a3d
0x015c1a40
0x015c1a45
0x015c1a4a
0x015c1af4
0x015c1af8
0x015c1b00
0x015c1b07
0x015c1b10
0x015c1b17
0x015c1b20
0x015c1b2f
0x015c1b37
0x00000000
0x015c1b39
0x015c1b39
0x015c1b3a
0x015c1b3b
0x015c1b3c
0x015c1b3f
0x015c1b48
0x015c1be2
0x015c1c90
0x00000000
0x015c1be8
0x015c1be8
0x015c1bef
0x015c1bf5
0x015c1ce0
0x00000000
0x015c1bfb
0x015c1bfb
0x015c1c01
0x00000000
0x015c1c01
0x015c1bf5
0x015c1b4e
0x015c1b4e
0x015c1b53
0x015c1b55
0x015c1c95
0x015c1c9b
0x00000000
0x015c1ca8
0x015c1ca8
0x015c1ca8
0x015c1ca8
0x015c1cab
0x015c1cb2
0x015c1cb5
0x015c1cbb
0x015c1cc5
0x015c1cc9
0x015c1ccb
0x015c1cd0
0x015c1cde
0x015c1cde
0x015c1b5b
0x015c1b5b
0x015c1b5b
0x015c1b5e
0x015c1b60
0x00000000
0x015c1b66
0x015c1b66
0x015c1b66
0x015c1b6c
0x015c1cea
0x015c1cee
0x015c1cf5
0x015c1d00
0x015c1d01
0x015c1d02
0x015c1d03
0x015c1d04
0x015c1d07
0x015c1d0a
0x015c1d0e
0x015c1d12
0x015c1d17
0x015c1df8
0x015c1df8
0x015c1dfc
0x015c1e03
0x015c1fb4
0x015c1fb7
0x015c1fb7
0x015c1fbd
0x00000000
0x00000000
0x015c1fc6
0x015c1fe7
0x015c1fe7
0x015c1fed
0x015c2000
0x00000000
0x015c1fef
0x015c1fef
0x015c1ff2
0x015c1ff4
0x00000000
0x015c1ff4
0x015c1fc8
0x00000000
0x015c1fc8
0x015c1fd0
0x015c1fd4
0x015c1fd6
0x015c1fdc
0x015c1fe5
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1fe5
0x00000000
0x015c1fdc
0x00000000
0x015c1fc8
0x00000000
0x015c1fc6
0x015c1e09
0x015c1e09
0x00000000
0x015c1e09
0x015c1d1d
0x015c1d1d
0x015c1d22
0x00000000
0x015c1d28
0x015c1d28
0x015c1d31
0x015c1d35
0x015c1d37
0x015c1d39
0x015c1d3b
0x015c1d4a
0x015c1d4a
0x015c1d4d
0x015c1d52
0x00000000
0x00000000
0x015c1d5b
0x015c1e18
0x015c1e1f
0x015c1e38
0x015c1e3a
0x00000000
0x015c1e21
0x015c1e21
0x015c1e26
0x015c1e4b
0x015c1e4f
0x015c1e51
0x015c1e55
0x015c1e57
0x015c1e6d
0x015c1e73
0x015c1e62
0x015c1e66
0x015c1e6b
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1e75
0x015c1e75
0x015c1e78
0x015c1e7b
0x015c1e80
0x015c1e82
0x015c1e86
0x015c1e89
0x015c1e92
0x00000000
0x015c1e94
0x015c1e94
0x015c1e9c
0x015c1ea0
0x015c1ea4
0x015c1ea7
0x015c1ea7
0x015c1ea7
0x015c1ead
0x00000000
0x00000000
0x015c1eb6
0x015c1ed7
0x015c1ed7
0x015c1edd
0x015c1fa0
0x00000000
0x015c1ee3
0x015c1ee3
0x015c1ee6
0x015c1ee8
0x00000000
0x015c1ee8
0x015c1eb8
0x00000000
0x015c1eb8
0x015c1ec0
0x015c1ec4
0x015c1ec6
0x015c1ec6
0x015c1ecc
0x015c1ed5
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1ed5
0x00000000
0x015c1ecc
0x00000000
0x015c1eb8
0x00000000
0x015c1eb6
0x015c1ea7
0x015c1e92
0x00000000
0x015c1e73
0x015c1efc
0x015c1f00
0x015c1f02
0x015c1f04
0x015c1f08
0x015c1f1d
0x015c1f27
0x015c1f12
0x015c1f16
0x015c1f1b
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1f29
0x015c1f29
0x015c1f2c
0x015c1f2f
0x015c1f34
0x015c1f36
0x015c1f3a
0x015c1f3d
0x015c1f46
0x00000000
0x015c1f48
0x015c1f48
0x015c1f50
0x015c1f54
0x015c1f58
0x015c1f5b
0x015c1f5b
0x015c1f5b
0x015c1f61
0x00000000
0x00000000
0x015c1f6a
0x015c1f8b
0x015c1f8b
0x015c1f91
0x015c2020
0x00000000
0x015c1f97
0x015c1f97
0x015c1f9a
0x015c1f9c
0x00000000
0x015c1f9c
0x015c1f6c
0x00000000
0x015c1f6c
0x015c1f74
0x015c1f78
0x015c1f7a
0x015c1f7a
0x015c1f80
0x015c1f89
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1f89
0x00000000
0x015c1f80
0x00000000
0x015c1f6c
0x00000000
0x015c1f6a
0x015c1f5b
0x015c1f46
0x00000000
0x015c1f27
0x015c2010
0x015c2012
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1e26
0x015c1d61
0x015c1d63
0x00000000
0x015c1d69
0x015c1d69
0x015c1d6c
0x00000000
0x015c1d7b
0x015c1d7b
0x015c1d7e
0x015c1d80
0x015c1d82
0x015c1d82
0x015c1d88
0x015c1d48
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1d8a
0x015c1d8a
0x015c1d8d
0x015c1d91
0x015c1d96
0x015c1d98
0x015c1d9c
0x015c1d9f
0x015c1da4
0x015c1dac
0x00000000
0x015c1dae
0x015c1dae
0x015c1dae
0x015c1db4
0x015c1db6
0x015c1db9
0x015c1db9
0x015c1dbf
0x00000000
0x00000000
0x015c1dc4
0x015c1ddd
0x015c1ddd
0x015c1de3
0x015c2008
0x00000000
0x015c1de9
0x015c1de9
0x015c1dec
0x015c1dee
0x00000000
0x015c1dee
0x015c1dc6
0x00000000
0x015c1dc6
0x015c1dca
0x015c1dce
0x015c1dd0
0x015c1dd6
0x015c1ddb
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1ddb
0x00000000
0x015c1dd6
0x00000000
0x015c1dc6
0x00000000
0x015c1dc4
0x015c1db9
0x015c1dac
0x015c1d88
0x015c1d6c
0x015c1d63
0x00000000
0x015c1d5b
0x015c1e28
0x015c1e28
0x015c1e28
0x015c1d22
0x015c1e2a
0x015c1e31
0x015c1b78
0x015c1b78
0x015c1b78
0x015c1b78
0x015c1b81
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1b83
0x015c1b83
0x015c1b83
0x015c1b85
0x015c1b85
0x015c1b88
0x015c1b88
0x015c1b8c
0x015c1b8c
0x015c1b92
0x015c1b92
0x015c1b98
0x015c1b98
0x015c1ba1
0x00000000
0x00000000
0x015c1baa
0x015c1c13
0x015c1c60
0x015c1c65
0x015c1c67
0x015c1c67
0x015c1c7a
0x015c1c7e
0x015c1c80
0x00000000
0x015c1c15
0x015c1c15
0x015c1c19
0x015c1c20
0x015c1c28
0x00000000
0x015c1c28
0x00000000
0x015c1bac
0x015c1bb5
0x015c1bb8
0x015c1bc0
0x015c1bc2
0x015c1bcd
0x00000000
0x00000000
0x015c1bcd
0x00000000
0x015c1baa
0x015c1c30
0x015c1c30
0x015c1c3a
0x015c1c3c
0x015c1c3c
0x015c1c4f
0x015c1c53
0x015c1c55
0x015c1c55
0x015c1bcf
0x015c1bd5
0x015c1bd5
0x015c1b6c
0x015c1b60
0x015c1b55
0x015c1b48
0x015c1b19
0x015c1b19
0x015c1b19
0x015c1b19
0x015c1a50
0x015c1a50
0x015c1a57
0x015c1a60
0x015c1a62
0x015c1a64
0x015c1a68
0x015c1a6b
0x015c1a6e
0x015c1a64
0x00000000
0x015c1a80
0x015c1a84
0x015c1a88
0x015c1a90
0x015c1a94
0x015c1a9c
0x015c1a9f
0x015c1aa4
0x015c1aa7
0x015c1aad
0x015c1aaf
0x015c1ab1
0x015c1ab1
0x015c1ab5
0x015c1ab8
0x015c1abb
0x015c1ab1
0x015c1ac2
0x015c1a72
0x015c1a79
0x015c1ac9
0x015c1acd
0x015c1ad1
0x015c1ad9
0x015c1ae1
0x015c1af3
0x015c1af3
0x015c1ac2
0x015c1a57
0x00000000

APIs

fwrite.MSVCRT ref: 015C19FC
vfprintf.MSVCRT ref: 015C1A10
abort.MSVCRT(?,?,?,012A0000,00000004,015C1B0C), ref: 015C1A15
VirtualQuery.KERNEL32 ref: 015C1A40
VirtualProtect.KERNEL32 ref: 015C1A9F
VirtualProtect.KERNEL32 ref: 015C1AE4

Strings

@, xrefs: 015C1A88
Mingw runtime failure:, xrefs: 015C19F5

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: Virtual$Protect$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 3498335539-2549925133
Opcode ID: 1172c707aaa32d41e47f57d29110a09f5e2520963778a0084ce1e04aaa73cda2
Instruction ID: 6307c59cf5cd507034d11f92e2a7f17e8c899da698d55187e96b633786bdc37a
Opcode Fuzzy Hash: 1172c707aaa32d41e47f57d29110a09f5e2520963778a0084ce1e04aaa73cda2
Instruction Fuzzy Hash: 70317AB19087429FD710EF6CC4C052EBFE0BB89A44F04891EE9888B311D374D948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015C0950 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32 ref: 015C0972
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,015C0A55), ref: 015C098A
fwrite.MSVCRT ref: 015C09B9
abort.MSVCRT ref: 015C09BE
InterlockedExchangeAdd.KERNEL32 ref: 015C09E2

Strings

runtime: failed to create runtime initialization wait event., xrefs: 015C09AE
=, xrefs: 015C099B

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: CreateCriticalEventExchangeInitializeInterlockedSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 1036100134-3519180978
Opcode ID: 98e06a431e89bef6ceeb842dfc8c21462632183413f61dfb8edde3f68b7e03d1
Instruction ID: cf712393898a23337f6cdd3d1468f7e1717386113afc6c5841fbafe56956fd2e
Opcode Fuzzy Hash: 98e06a431e89bef6ceeb842dfc8c21462632183413f61dfb8edde3f68b7e03d1
Instruction Fuzzy Hash: CB014BF28083029EE704BFB8C50535BBBE4BB90704F85881DD8884B245E37992588B93

Uniqueness

Uniqueness Score: -1.00%

Function 015C1D00 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E015C1D00(signed int __eax, signed int __ecx, signed int __edx) {
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				void* _t72;
				signed int _t74;
				void* _t77;
				signed int _t79;
				signed int _t82;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t94;
				signed int _t96;
				signed int _t97;
				signed int _t99;
				signed int _t101;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				signed int _t105;
				signed int _t108;
				signed int _t109;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t119;
				signed int* _t120;

				_t59 = __eax;
				_t115 =  *((char*)(__eax));
				_t120[7] = __edx;
				_t120[0xa] = __ecx;
				_t65 = _t115;
				if(_t115 == 0x2d) {
					L20:
					_t82 =  *(_t59 + 1) & 0x000000ff;
					_t89 = _t59 + 1;
					if(_t115 == _t120[7]) {
						_t67 = _t120[0xa] & 0x00000020;
						while(1) {
							_t60 = _t89 + 1;
							if(_t82 == 0x5d) {
								goto L25;
							}
							if(_t82 == 0x7f) {
								L60:
								_t82 =  *(_t89 + 1) & 0x000000ff;
								if(_t67 != 0) {
									_t89 = _t60;
									continue;
								} else {
									_t104 = _t89 + 2;
									_t89 = _t60;
									_t60 = _t104;
									goto L57;
								}
							} else {
								L57:
								while(_t82 != 0) {
									_t82 =  *(_t89 + 1) & 0x000000ff;
									_t89 = _t60;
									_t60 = _t89 + 1;
									if(_t82 != 0x5d) {
										if(_t82 != 0x7f) {
											continue;
										} else {
											goto L60;
										}
									}
									goto L25;
								}
								goto L24;
							}
							goto L25;
						}
					} else {
						_t115 = _t82;
						goto L2;
					}
				} else {
					_t89 = __eax;
					if(_t115 == 0x5d) {
						goto L20;
					} else {
						L2:
						_t120[8] = _t120[0xa] & 0x00004000;
						_t64 = _t115;
						_t116 = _t89;
						_t90 = _t65;
						_t68 = _t64;
						while(1) {
							_t97 = _t116 + 1;
							_t105 = _t68;
							if(_t68 == 0x5d) {
								break;
							}
							if(_t68 == 0x2d) {
								_t68 =  *(_t116 + 1);
								if(_t68 == 0x5d) {
									_t116 = _t97;
									_t90 = 0x2d;
									goto L10;
								} else {
									_t111 = _t68;
									if(_t111 == 0) {
										break;
									}
									_t120[9] = _t116;
									_t117 = _t90;
									_t120[0xb] = _t116 + 2;
									_t99 = _t111;
									_t112 = _t120[8];
									while(_t117 < _t99) {
										if(_t112 != 0) {
											_t77 = _t117 - _t120[7];
											_t117 = _t117 + 1;
											if(_t77 == 0) {
												goto L32;
											} else {
												continue;
											}
										} else {
											 *_t120 = _t117;
											_t117 = _t117 + 1;
											L015C44A0();
											_t79 = _t64;
											_t64 = _t120[7];
											 *_t120 = _t64;
											L015C44A0();
											if(_t79 != _t64) {
												continue;
											} else {
												L32:
												_t103 = _t120[0xb];
												_t96 =  *(_t120[9] + 2) & 0x000000ff;
												_t87 = _t120[0xa] & 0x00000020;
												while(1) {
													_t31 = _t103 + 1; // 0x22
													_t60 = _t31;
													if(_t96 == 0x5d) {
														goto L25;
													}
													if(_t96 == 0x7f) {
														L38:
														_t96 =  *(_t103 + 1) & 0x000000ff;
														if(_t87 != 0) {
															_t103 = _t60;
															continue;
														} else {
															_t35 = _t103 + 2; // 0x24
															_t103 = _t60;
															_t60 = _t35;
															goto L35;
														}
													} else {
														L35:
														while(_t96 != 0) {
															_t96 =  *(_t103 + 1) & 0x000000ff;
															_t103 = _t60;
															_t33 = _t103 + 1; // 0x25
															_t60 = _t33;
															if(_t96 != 0x5d) {
																if(_t96 != 0x7f) {
																	continue;
																} else {
																	goto L38;
																}
															}
															goto L25;
														}
														goto L24;
													}
													goto L25;
												}
											}
										}
										goto L25;
									}
									_t120[9] = _t120[0xb];
									_t101 = _t99;
									_t114 = _t117;
									_t120[0xb] = _t120[9];
									_t119 = _t120[8];
									while(_t114 > _t101) {
										if(_t119 != 0) {
											_t72 = _t114 - _t120[7];
											_t114 = _t114 - 1;
											if(_t72 == 0) {
												goto L45;
											} else {
												continue;
											}
										} else {
											 *_t120 = _t114;
											_t114 = _t114 - 1;
											L015C44A0();
											_t74 = _t64;
											_t64 = _t120[7];
											 *_t120 = _t64;
											L015C44A0();
											if(_t74 != _t64) {
												continue;
											} else {
												L45:
												_t102 = _t120[9];
												_t94 =  *(_t120[0xb] + 2) & 0x000000ff;
												_t85 = _t120[0xa] & 0x00000020;
												while(1) {
													_t47 = _t102 + 1; // 0x22
													_t60 = _t47;
													if(_t94 == 0x5d) {
														goto L25;
													}
													if(_t94 == 0x7f) {
														L51:
														_t94 =  *(_t102 + 1) & 0x000000ff;
														if(_t85 != 0) {
															_t102 = _t60;
															continue;
														} else {
															_t51 = _t102 + 2; // 0x24
															_t102 = _t60;
															_t60 = _t51;
															goto L48;
														}
													} else {
														L48:
														while(_t94 != 0) {
															_t94 =  *(_t102 + 1) & 0x000000ff;
															_t102 = _t60;
															_t49 = _t102 + 1; // 0x25
															_t60 = _t49;
															if(_t94 != 0x5d) {
																if(_t94 != 0x7f) {
																	continue;
																} else {
																	goto L51;
																}
															}
															goto L25;
														}
														goto L24;
													}
													goto L25;
												}
											}
										}
										goto L25;
									}
									_t105 = _t101;
									_t97 = _t120[9];
									goto L7;
								}
							} else {
								if(_t68 == 0) {
									break;
								}
								L7:
								if(_t105 == 0x2f || _t105 == 0x5c) {
									break;
								}
								_t68 =  *_t97;
								_t116 = _t97;
								_t90 = _t105;
								L10:
								_t64 = _t120[8];
								if(_t64 != 0) {
									if(_t90 == _t120[7]) {
										goto L12;
									} else {
										continue;
									}
								} else {
									 *_t120 = _t90;
									_t120[9] = _t90;
									L015C44A0();
									_t109 = _t64;
									_t64 = _t120[7];
									 *_t120 = _t64;
									L015C44A0();
									_t90 = _t120[9];
									if(_t109 != _t64) {
										continue;
									} else {
										L12:
										_t83 = _t68;
										_t91 = _t116;
										_t70 = _t120[0xa] & 0x00000020;
										while(1) {
											_t60 = _t91 + 1;
											if(_t83 == 0x5d) {
												goto L25;
											}
											if(_t83 == 0x7f) {
												L18:
												_t83 =  *(_t91 + 1) & 0x000000ff;
												if(_t70 != 0) {
													_t91 = _t60;
													continue;
												} else {
													_t108 = _t91 + 2;
													_t91 = _t60;
													_t60 = _t108;
													goto L15;
												}
											} else {
												L15:
												while(_t83 != 0) {
													_t83 =  *(_t91 + 1) & 0x000000ff;
													_t91 = _t60;
													_t60 = _t91 + 1;
													if(_t83 != 0x5d) {
														if(_t83 != 0x7f) {
															continue;
														} else {
															goto L18;
														}
													}
													goto L25;
												}
												goto L24;
											}
											goto L25;
										}
									}
								}
							}
							goto L25;
						}
						L24:
						return 0;
					}
				}
				L25:
				return _t60;
			}

0x015c1d00
0x015c1d07
0x015c1d0a
0x015c1d0e
0x015c1d12
0x015c1d17
0x015c1df8
0x015c1df8
0x015c1dfc
0x015c1e03
0x015c1fb4
0x015c1fb7
0x015c1fb7
0x015c1fbd
0x00000000
0x00000000
0x015c1fc6
0x015c1fe7
0x015c1fe7
0x015c1fed
0x015c2000
0x00000000
0x015c1fef
0x015c1fef
0x015c1ff2
0x015c1ff4
0x00000000
0x015c1ff4
0x015c1fc8
0x00000000
0x015c1fc8
0x015c1fd0
0x015c1fd4
0x015c1fd6
0x015c1fdc
0x015c1fe5
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1fe5
0x00000000
0x015c1fdc
0x00000000
0x015c1fc8
0x00000000
0x015c1fc6
0x015c1e09
0x015c1e09
0x00000000
0x015c1e09
0x015c1d1d
0x015c1d1d
0x015c1d22
0x00000000
0x015c1d28
0x015c1d28
0x015c1d31
0x015c1d35
0x015c1d37
0x015c1d39
0x015c1d3b
0x015c1d4a
0x015c1d4a
0x015c1d4d
0x015c1d52
0x00000000
0x00000000
0x015c1d5b
0x015c1e18
0x015c1e1f
0x015c1e38
0x015c1e3a
0x00000000
0x015c1e21
0x015c1e21
0x015c1e26
0x00000000
0x00000000
0x015c1e4b
0x015c1e4f
0x015c1e51
0x015c1e55
0x015c1e57
0x015c1e6d
0x015c1e73
0x015c1e62
0x015c1e66
0x015c1e6b
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1e75
0x015c1e75
0x015c1e78
0x015c1e7b
0x015c1e80
0x015c1e82
0x015c1e86
0x015c1e89
0x015c1e92
0x00000000
0x015c1e94
0x015c1e94
0x015c1e9c
0x015c1ea0
0x015c1ea4
0x015c1ea7
0x015c1ea7
0x015c1ea7
0x015c1ead
0x00000000
0x00000000
0x015c1eb6
0x015c1ed7
0x015c1ed7
0x015c1edd
0x015c1fa0
0x00000000
0x015c1ee3
0x015c1ee3
0x015c1ee6
0x015c1ee8
0x00000000
0x015c1ee8
0x015c1eb8
0x00000000
0x015c1eb8
0x015c1ec0
0x015c1ec4
0x015c1ec6
0x015c1ec6
0x015c1ecc
0x015c1ed5
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1ed5
0x00000000
0x015c1ecc
0x00000000
0x015c1eb8
0x00000000
0x015c1eb6
0x015c1ea7
0x015c1e92
0x00000000
0x015c1e73
0x015c1efc
0x015c1f00
0x015c1f02
0x015c1f04
0x015c1f08
0x015c1f1d
0x015c1f27
0x015c1f12
0x015c1f16
0x015c1f1b
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1f29
0x015c1f29
0x015c1f2c
0x015c1f2f
0x015c1f34
0x015c1f36
0x015c1f3a
0x015c1f3d
0x015c1f46
0x00000000
0x015c1f48
0x015c1f48
0x015c1f50
0x015c1f54
0x015c1f58
0x015c1f5b
0x015c1f5b
0x015c1f5b
0x015c1f61
0x00000000
0x00000000
0x015c1f6a
0x015c1f8b
0x015c1f8b
0x015c1f91
0x015c2020
0x00000000
0x015c1f97
0x015c1f97
0x015c1f9a
0x015c1f9c
0x00000000
0x015c1f9c
0x015c1f6c
0x00000000
0x015c1f6c
0x015c1f74
0x015c1f78
0x015c1f7a
0x015c1f7a
0x015c1f80
0x015c1f89
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1f89
0x00000000
0x015c1f80
0x00000000
0x015c1f6c
0x00000000
0x015c1f6a
0x015c1f5b
0x015c1f46
0x00000000
0x015c1f27
0x015c2010
0x015c2012
0x00000000
0x015c2012
0x015c1d61
0x015c1d63
0x00000000
0x00000000
0x015c1d69
0x015c1d6c
0x00000000
0x00000000
0x015c1d7b
0x015c1d7e
0x015c1d80
0x015c1d82
0x015c1d82
0x015c1d88
0x015c1d48
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1d8a
0x015c1d8a
0x015c1d8d
0x015c1d91
0x015c1d96
0x015c1d98
0x015c1d9c
0x015c1d9f
0x015c1da4
0x015c1dac
0x00000000
0x015c1dae
0x015c1dae
0x015c1dae
0x015c1db4
0x015c1db6
0x015c1db9
0x015c1db9
0x015c1dbf
0x00000000
0x00000000
0x015c1dc4
0x015c1ddd
0x015c1ddd
0x015c1de3
0x015c2008
0x00000000
0x015c1de9
0x015c1de9
0x015c1dec
0x015c1dee
0x00000000
0x015c1dee
0x015c1dc6
0x00000000
0x015c1dc6
0x015c1dca
0x015c1dce
0x015c1dd0
0x015c1dd6
0x015c1ddb
0x00000000
0x00000000
0x00000000
0x00000000
0x015c1ddb
0x00000000
0x015c1dd6
0x00000000
0x015c1dc6
0x00000000
0x015c1dc4
0x015c1db9
0x015c1dac
0x015c1d88
0x00000000
0x015c1d5b
0x015c1e28
0x00000000
0x015c1e28
0x015c1d22
0x015c1e31
0x015c1e31

APIs

tolower.MSVCRT ref: 015C1D91
tolower.MSVCRT ref: 015C1D9F

Strings

], xrefs: 015C1D1F
-, xrefs: 015C1D14

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: tolower
String ID: -$]
API String ID: 3025214199-736542798
Opcode ID: 11257d580f5d66371c6b0b59c540b39e7e763573dc263d1f96af6cab6cde9458
Instruction ID: 8fb9c9ef4c5fb4c2c14b36fa2053f4151f8d94174586320bb92d5cb7e3e392d7
Opcode Fuzzy Hash: 11257d580f5d66371c6b0b59c540b39e7e763573dc263d1f96af6cab6cde9458
Instruction Fuzzy Hash: 7A81D631608B27CFD7209E9980D026EFBD67B89900F494B2ED998DF303E734E9558B91

Uniqueness

Uniqueness Score: -1.00%

Function 015C09D0 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchangeAdd.KERNEL32 ref: 015C09E2
InterlockedIncrement.KERNEL32 ref: 015C09FF
InterlockedDecrement.KERNEL32 ref: 015C0A13
InterlockedExchangeAdd.KERNEL32 ref: 015C0A3E

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: Interlocked$Exchange$DecrementIncrement
String ID:
API String ID: 3802921688-0
Opcode ID: 7c59f408802eb27cdfa87d96bd25de6b90da8b425b8e6f04a934fa104aba280c
Instruction ID: 50be7d2317fc3d13d3a105c85a73aab56dc58f54460eb3212f5618e1dfaacff3
Opcode Fuzzy Hash: 7c59f408802eb27cdfa87d96bd25de6b90da8b425b8e6f04a934fa104aba280c
Instruction Fuzzy Hash: 9FF04FF6806203CEE6483FBC950632F7DE47B90A00F84492CD9C54E145E67D825C87A3

Uniqueness

Uniqueness Score: -1.00%

Function 015C33D0 Relevance: 7.6, APIs: 5, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E015C33D0() {
				void* _t37;
				unsigned int _t42;
				void* _t43;
				unsigned int _t46;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				unsigned int _t55;
				void* _t58;
				unsigned int _t59;
				signed int _t63;
				signed char _t67;
				signed int _t70;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t82;
				void* _t86;
				void* _t87;
				void* _t89;
				void** _t90;

				_t90 = _t89 - 0x12c;
				_t37 = _t90[0x50];
				if(_t37 == 0) {
					L015C4570();
					_t87 = 0;
					 *_t37 = 0x16;
					goto L20;
				} else {
					if( *_t37 == 0) {
						L015C4570();
						 *_t37 = 2;
						return 0;
					} else {
						_t86 =  &(_t90[7]);
						_t90[2] = 0x104;
						_t90[1] = _t37;
						 *_t90 = _t86;
						L015C4568();
						_t74 = _t86;
						if(_t90[7] == 0) {
							goto L8;
							L8:
							_t63 =  *_t74;
							_t74 = _t74 + 4;
							_t42 = _t63 - 0x01010101 &  !_t63 & 0x80808080;
							if(_t42 == 0) {
								goto L8;
							} else {
								if((_t42 & 0x00008080) == 0) {
									_t42 = _t42 >> 0x10;
									_t74 = _t74 + 2;
								}
								_t43 = _t74;
								asm("sbb eax, 0x3");
							}
						} else {
							do {
								_t70 =  *_t74;
								_t74 = _t74 + 4;
								_t55 = _t70 - 0x01010101 &  !_t70 & 0x80808080;
							} while (_t55 == 0);
							if((_t55 & 0x00008080) == 0) {
								_t55 = _t55 >> 0x10;
								_t74 = _t74 + 2;
							}
							asm("sbb edx, 0x3");
							_t82 = _t74 - _t86;
							_t72 =  *(_t90 + _t82 + 0x1b) & 0x000000ff;
							_t43 = _t86 + _t82;
							if(_t72 != 0x2f && _t72 != 0x5c) {
								 *_t43 = 0x5c;
								_t43 = _t86 + _t82 + 1;
							}
						}
						_t58 = _t86;
						 *_t43 = 0x2a;
						goto L12;
						L15:
						asm("sbb ebx, 0x3");
						_t59 = _t58 - _t86;
						 *_t90 = _t59 + 0x11c;
						_t48 = malloc(??);
						_t87 = _t48;
						if(_t48 == 0) {
							L015C4570();
							 *_t48 = 0xc;
						} else {
							_t67 = _t59 + 1;
							_t49 = _t48 + 0x118;
							if(_t67 < 4) {
								if(_t67 != 0) {
									 *_t49 =  *_t86 & 0x000000ff;
									if((_t67 & 0x00000002) != 0) {
										 *((short*)(_t49 + _t67 - 2)) =  *(_t86 + _t67 - 2) & 0x0000ffff;
									}
								}
							} else {
								 *((intOrPtr*)(_t49 + _t67 - 4)) =  *((intOrPtr*)(_t90 + _t67 + 0x18));
								_t49 = memcpy(_t49, _t86, _t59 >> 2 << 2);
								_t90 =  &(_t90[3]);
							}
							_t50 = E015C3220(_t49, _t87);
							 *((intOrPtr*)(_t87 + 0x110)) = _t50;
							if(_t50 == 0xffffffff) {
								 *_t90 = _t87;
								_t87 = 0;
								E015C0E90();
							} else {
								 *_t87 = 0;
								 *(_t87 + 0x114) = 0;
								 *((short*)(_t87 + 4)) = 0x110;
							}
						}
						L20:
						return _t87;
						goto L30;
						L12:
						_t76 =  *_t58;
						_t58 = _t58 + 4;
						_t17 = _t76 - 0x1010101; // -16842967
						_t46 = _t17 &  !_t76 & 0x80808080;
						if(_t46 == 0) {
							goto L12;
						} else {
							if((_t46 & 0x00008080) == 0) {
								_t46 = _t46 >> 0x10;
								_t58 = _t58 + 2;
							}
						}
						goto L15;
					}
				}
				L30:
			}

0x015c33d4
0x015c33da
0x015c33e3
0x015c3598
0x015c359d
0x015c359f
0x00000000
0x015c33e9
0x015c33ec
0x015c3578
0x015c357f
0x015c3591
0x015c33f2
0x015c33f2
0x015c33f6
0x015c33fe
0x015c3402
0x015c3405
0x015c340f
0x015c3411
0x00000000
0x015c3460
0x015c3460
0x015c3462
0x015c346f
0x015c3474
0x00000000
0x015c3476
0x015c347b
0x015c3558
0x015c355b
0x015c355b
0x015c3485
0x015c3487
0x015c3487
0x015c3413
0x015c3413
0x015c3413
0x015c3415
0x015c3422
0x015c3422
0x015c342e
0x015c3568
0x015c356b
0x015c356b
0x015c3438
0x015c343b
0x015c343d
0x015c3442
0x015c3448
0x015c3454
0x015c3457
0x015c3457
0x015c3448
0x015c348f
0x015c3491
0x015c3491
0x015c34b7
0x015c34bb
0x015c34be
0x015c34c6
0x015c34c9
0x015c34ce
0x015c34d2
0x015c35bf
0x015c35c4
0x015c34d8
0x015c34d8
0x015c34db
0x015c34e4
0x015c353a
0x015c353f
0x015c3544
0x015c354b
0x015c354b
0x015c3544
0x015c34e6
0x015c34ef
0x015c34f5
0x015c34f5
0x015c34f5
0x015c34f9
0x015c34fe
0x015c3507
0x015c35b0
0x015c35b3
0x015c35b5
0x015c350d
0x015c3512
0x015c3519
0x015c3523
0x015c3523
0x015c3507
0x015c3527
0x015c3533
0x00000000
0x015c3494
0x015c3494
0x015c3496
0x015c3499
0x015c34a3
0x015c34a8
0x00000000
0x015c34aa
0x015c34af
0x015c34b1
0x015c34b4
0x015c34b4
0x015c34af
0x00000000
0x015c34a8
0x015c33ec
0x00000000

APIs

_fullpath.MSVCRT ref: 015C3405
malloc.MSVCRT ref: 015C34C9
_errno.MSVCRT ref: 015C3578
_errno.MSVCRT ref: 015C3598

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: _errno$_fullpathmalloc
String ID:
API String ID: 1031002091-0
Opcode ID: 41715c4c4b8619a14151683b9e184baed33c2cd0d107cd384551d8b7fb0dcab2
Instruction ID: 8fc27facdae41d51006afb066b2049c30e046c828e042c859cd4cf4707ee44fa
Opcode Fuzzy Hash: 41715c4c4b8619a14151683b9e184baed33c2cd0d107cd384551d8b7fb0dcab2
Instruction Fuzzy Hash: A341157520460D8FE7559F98C8857AABBE1FF92B04F08846DC6848F291EB7DD449C781

Uniqueness

Uniqueness Score: -1.00%

Function 015C0AF0 Relevance: 7.5, APIs: 5, Instructions: 36
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 015C09D0: InterlockedExchangeAdd.KERNEL32 ref: 015C09E2

WaitForSingleObject.KERNEL32 ref: 015C0B10
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,014EBC69), ref: 015C0B1F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,014EBC69), ref: 015C0B34
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,014EBC69), ref: 015C0B47
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,014EBC69), ref: 015C0B5C

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ExchangeInterlockedObjectSingleWait
String ID:
API String ID: 3135182226-0
Opcode ID: c09d5e467cd451aa9a4c79bf5e1bcde2299975cb2e7f3f3d6cfbd6fba4ddf419
Instruction ID: 94ca7c6b7ccefa93fc3dc3daf25e6fb17850c8a330b737285b0d4f9f5c3f77d4
Opcode Fuzzy Hash: c09d5e467cd451aa9a4c79bf5e1bcde2299975cb2e7f3f3d6cfbd6fba4ddf419
Instruction Fuzzy Hash: 45F04BB29053468ED608BFFCD58522E7AF8BB54644F80492DE9848B284D674925C8B53

Uniqueness

Uniqueness Score: -1.00%

Function 015C17A0 Relevance: 5.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,015C198E), ref: 015C17AC
TlsGetValue.KERNEL32(?,?,?,?,?,015C198E), ref: 015C17C5
GetLastError.KERNEL32(?,?,?,?,?,?,015C198E), ref: 015C17CF
LeaveCriticalSection.KERNEL32(?,?,?,?,?,015C198E), ref: 015C17F2

Memory Dump Source

Source File: 00000002.00000002.262515871.00000000012A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012A0000, based on PE: true

Associated: 00000002.00000002.262506325.00000000012A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263355919.00000000015C5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263369083.00000000015CA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263375613.00000000015CB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263381191.00000000015CC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263393627.00000000015DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263401329.00000000015DF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263413539.00000000015E1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.263425509.00000000015E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265367287.00000000017EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265400165.00000000017F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265425137.0000000001814000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265434699.0000000001817000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265563022.000000000181A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265590792.000000000181B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265607760.000000000181C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265626334.000000000181D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265641281.0000000001820000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.265796853.0000000001821000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12a0000_relaunch_app.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 9dd0c0523e275a6e602a6e79000de0b4f7efbf71fb35fe5afec374ae28b89e53
Instruction ID: bd7fd4390941808538e365871a368a71288abe17473cc0a5a4782777d0a3bd75
Opcode Fuzzy Hash: 9dd0c0523e275a6e602a6e79000de0b4f7efbf71fb35fe5afec374ae28b89e53
Instruction Fuzzy Hash: 31F0BEB29016428EDB14BFFCD1C461E7AE8BE50A44F05402CCD808F20AE620D558C793

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RSHB-ASRU	EgNIXduB6T.exe	Get hash	malicious	Browse	194.190.152.194
	2MNB4UhUqR.exe	Get hash	malicious	Browse	194.190.152.20
	w9d568i4Ia.exe	Get hash	malicious	Browse	194.190.152.128
	3pqdFTqin9.exe	Get hash	malicious	Browse	194.190.152.128
	nJX6vEzSO5.exe	Get hash	malicious	Browse	194.190.153.31
	X3JoqrBG6b.dll	Get hash	malicious	Browse	194.190.152.209
	Hlf35fELn8.exe	Get hash	malicious	Browse	194.190.152.209
	U6EbIncPHD.exe	Get hash	malicious	Browse	194.190.153.41

Target ID:	0
Start time:	18:11:01
Start date:	19/10/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x7ff6eb370000
File size:	5916672 bytes
MD5 hash:	74CFFC19A09979E23BFD9F5A5378508B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	1
Start time:	18:11:01
Start date:	19/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	18:11:03
Start date:	19/10/2022
Path:	C:\Users\Public\Documents\relaunch_app.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\relaunch_app.exe"
Imagebase:	0x12a0000
File size:	5681152 bytes
MD5 hash:	161D5CCDF1F7563E92D36AD1D5492CCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_000Stealer, Description: Yara detected 000Stealer, Source: 00000002.00000002.276605637.0000000014612000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.271212000.0000000013CC4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_000Stealer, Description: Yara detected 000Stealer, Source: 00000002.00000002.276599114.000000001460E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_000Stealer, Description: Yara detected 000Stealer, Source: 00000002.00000002.276623040.0000000014618000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira
Reputation:	low

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\relaunch_app.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
file.exe

Function 015C1060 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 307
stringCOMMON

Function 015C3220 Relevance: 12.1, APIs: 8, Instructions: 68
fileCOMMON

Function 012A11A0 Relevance: 12.1, APIs: 8, Instructions: 56
COMMON

Function 015C2400 Relevance: 37.4, APIs: 18, Strings: 3, Instructions: 637
stringCOMMON

Function 015C2E00 Relevance: 19.8, APIs: 13, Instructions: 270
COMMON

Function 015C2CA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79
COMMON

Function 015C3310 Relevance: 4.6, APIs: 3, Instructions: 57
fileCOMMON

Function 015C3620 Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Function 015C0E90 Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Function 015C19D0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
memoryfileCOMMON

Function 015C0950 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 34
fileCOMMON

Function 015C1D00 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 243
COMMON

Function 015C09D0 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Function 015C33D0 Relevance: 7.6, APIs: 5, Instructions: 140
COMMON

Function 015C0AF0 Relevance: 7.5, APIs: 5, Instructions: 36
synchronizationCOMMON

Function 015C17A0 Relevance: 5.0, APIs: 4, Instructions: 33
COMMON