Play interactive tour

Edit tour

Analysis Report ciscovideoguard.exe

Overview

General Information

Sample Name:	ciscovideoguard.exe
Analysis ID:	372989
MD5:	01eb1a2e5fc8d464431a34ab5e28255c
SHA1:	e5b76b9344ebe7f90aaa38aa1ec9962fdce3cafb
SHA256:	40c71df5baff986e7ce4e668e3d6bd8f5e149c7c479f97ebc47d7f1bc4a3c33c
Infos:
Most interesting Screenshot:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Program does not show much activity (idle)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

ciscovideoguard.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\ciscovideoguard.exe' MD5: 01EB1A2E5FC8D464431A34AB5E28255C)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ciscovideoguard.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: ciscovideoguard.exe

Static PE information: certificate valid

Source: ciscovideoguard.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: ciscovideoguard.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ciscovideoguard.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ciscovideoguard.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ciscovideoguard.exe	String found in binary or memory: http://s2.symcb.com0
Source: ciscovideoguard.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ciscovideoguard.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ciscovideoguard.exe	String found in binary or memory: http://sv.symcd.com0&
Source: ciscovideoguard.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ciscovideoguard.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ciscovideoguard.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ciscovideoguard.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: ciscovideoguard.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: ciscovideoguard.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: ciscovideoguard.exe	String found in binary or memory: https://d.symcb.com/rpa0

Source: ciscovideoguard.exe, 00000001.00000002.645433477.0000000000BEA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: 1_2_0096380A	1_2_0096380A
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: 1_2_0095848E	1_2_0095848E
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: 1_2_00952C60	1_2_00952C60
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: 1_2_0095E538	1_2_0095E538

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Section loaded: pcshowserver.dll

Jump to behavior

Source: ciscovideoguard.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: clean5.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01

Source: ciscovideoguard.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ciscovideoguard.exe 'C:\Users\user\Desktop\ciscovideoguard.exe'
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: ciscovideoguard.exe

Static PE information: certificate valid

Source: ciscovideoguard.exe

Static file information: File size 1074416 > 1048576

Source: ciscovideoguard.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: 1_2_009541BB push ecx; ret		1_2_009541CE
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: 1_2_0095BF15 push ecx; ret		1_2_0095BF28

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Code function: 1_2_008F2880 GetSystemInfo,

1_2_008F2880

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Code function: 1_2_0095C0BF _memset,IsDebuggerPresent,

1_2_0095C0BF

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Code function: 1_2_009660CC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_009660CC

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Code function: 1_2_0090D1D0 GetProcessHeap,HeapAlloc,std::exception::exception,

1_2_0090D1D0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Code function: 1_2_009566AE SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_009566AE

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Code function: 1_2_008F28A0 TlsAlloc,GetLastError,TlsAlloc,GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

1_2_008F28A0

Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: GetLocaleInfoW,	1_2_0095B898
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_009710CB
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: EnumSystemLocalesW,	1_2_0095B812
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	1_2_0097085B
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: EnumSystemLocalesW,	1_2_00970ACF
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00970BA8
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00970B2B
Source: C:\Users\user\Desktop\ciscovideoguard.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00970F4A

Source: C:\Users\user\Desktop\ciscovideoguard.exe

Code function: 1_2_00902500 GetSystemTimeAsFileTime,__aulldiv,__aulldiv,

1_2_00902500

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection1	Process Injection1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	DLL Side-Loading1	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
ciscovideoguard.exe	0%	Virustotal	Browse
ciscovideoguard.exe	0%	Metadefender	Browse
ciscovideoguard.exe	2%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	ciscovideoguard.exe	false		high
http://www.symauth.com/cps0(	ciscovideoguard.exe	false		high
http://www.symauth.com/rpa00	ciscovideoguard.exe	false		high
http://ocsp.thawte.com0	ciscovideoguard.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	372989
Start date:	22.03.2021
Start time:	16:35:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ciscovideoguard.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@2/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 93.7%) Quality average: 78% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 54
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, svchost.exe Execution Graph export aborted for target ciscovideoguard.exe, PID 7164 because there are no executed function

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.81979014038173
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ciscovideoguard.exe
File size:	1074416
MD5:	01eb1a2e5fc8d464431a34ab5e28255c
SHA1:	e5b76b9344ebe7f90aaa38aa1ec9962fdce3cafb
SHA256:	40c71df5baff986e7ce4e668e3d6bd8f5e149c7c479f97ebc47d7f1bc4a3c33c
SHA512:	9ddf849c3617896836aa94c5c7b39c74f95cb288a27d07b382a7c45bc0c3b290e7499e7445511551c881ccf11f377b79dcdbf15adfe5121d0355f00a3441fefb
SSDEEP:	12288:hAWwvNhXOX+mYESA4i/W/nSyIyFuPxH3tYLQhvB4f9gJAhPxMg4/PNjED/UoVex1:jwvNhXOXPpmPFuRtY4Z4fPxMvnNjgcx1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q0...c...c...c.!.c...c...c...c...c...c...cY..c8..c...cP~.c...c...cE..c8..c...c8..c...c...c...c8..c...cRich...c........PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4611a5
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5B53B952 [Sat Jul 21 22:53:06 2018 UTC]
TLS Callbacks:	0x459800
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1b55c4f365c89fe7c8c9a2fdf8146547

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	5/2/2018 2:00:00 AM 6/3/2021 1:59:59 AM
Subject Chain	CN=Cisco Video Technologies Israel Ltd., O=Cisco Video Technologies Israel Ltd., L=Jerusalem, S=Israel, C=IL
Version:	3
Thumbprint MD5:	D8DE15DBDA95401A15B581DC4DB60D44
Thumbprint SHA-1:	C08DAD2700F46A025A9750F3D40CEB84E76B1ECC
Thumbprint SHA-256:	EB025069CC593AC490356CDD1A3A9DDDEBC4C35B25A37F1FED4F7C0176CD662D
Serial:	14DF0863FB064CA7FC83894D5ED4DD29

Entrypoint Preview

Instruction
call 00007F1F749BF992h
jmp 00007F1F749B0AFAh
push ebp
mov ebp, esp
push esi
call 00007F1F749BFAADh
mov esi, eax
test esi, esi
je 00007F1F749B0CD5h
push dword ptr [ebp+08h]
push esi
call 00007F1F749B0CD2h
neg eax
pop ecx
sbb eax, eax
not eax
pop ecx
and eax, esi
pop esi
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 18h
and dword ptr [ebp-04h], 00000000h
mov eax, dword ptr [ebp+08h]
push esi
test eax, eax
jne 00007F1F749B0CD8h
call 00007F1F749B46C9h
push 00000016h
pop esi
mov dword ptr [eax], esi
call 00007F1F749BBCF9h
mov eax, esi
jmp 00007F1F749B0EC3h
push 00000024h
push 000000FFh
push eax
call 00007F1F749B054Ch
mov eax, dword ptr [ebp+0Ch]
add esp, 0Ch
test eax, eax
je 00007F1F749B0C95h
push ebx
mov ebx, dword ptr [eax]
mov eax, dword ptr [eax+04h]
mov dword ptr [ebp-14h], eax
cmp eax, FFFFFFFFh
jnle 00007F1F749B0CCCh
jl 00007F1F749B0CDBh
cmp ebx, FFFF5740h
jc 00007F1F749B0CD3h
push 00000007h
pop ecx
cmp eax, ecx
jl 00007F1F749B0CDDh
jnle 00007F1F749B0CCAh
cmp ebx, 934126CFh
jbe 00007F1F749B0CD3h
call 00007F1F749B4673h
push 00000016h
pop esi
mov dword ptr [eax], esi
mov eax, esi
jmp 00007F1F749B0E71h
push edi
push 00000000h
push 01E13380h
push eax
push ebx
call 00007F1F749B0E69h
add eax, 46h
mov ecx, 00000190h
mov dword ptr [ebp-08h], eax
push 00000064h
pop edi
lea esi, dword ptr [eax-01h]

Rich Headers

Programming Language:

[C++] VS2013 UPD5 build 40629
[ C ] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629
[EXP] VS2013 UPD5 build 40629
[IMP] VS2013 UPD5 build 40629
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[RES] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xf5350	0x2c5	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfd4bc	0x8c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x101000	0x4b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x104800	0x1cf0	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x102000	0x7fd8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe41a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xe0450	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xfd000	0x4bc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xca79f	0xca800	False	0.343883825231	data	5.69751401426	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xcc000	0x29615	0x29800	False	0.35505106363	data	4.3374442412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf6000	0x6d50	0x4400	False	0.189165900735	data	3.97572058422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xfd000	0x209c	0x2200	False	0.305606617647	data	4.93464353767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x100000	0x202	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x101000	0x4b8	0x600	False	0.380208333333	data	4.60852746093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0x926c	0x9400	False	0.600506756757	data	6.21661739735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1010a0	0x2d0	data	English	United States
RT_MANIFEST	0x101370	0x145	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTempPathW, SetFileTime, SetFileAttributesW, SetEndOfFile, RemoveDirectoryW, GetFullPathNameW, GetFileTime, GetFileInformationByHandle, GetFileAttributesExW, GetFileAttributesW, GetDiskFreeSpaceExW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, OutputDebugStringA, DeviceIoControl, CreateDirectoryExW, CopyFileW, MoveFileExW, FileTimeToLocalFileTime, PeekNamedPipe, FileTimeToSystemTime, CreateEventA, SetEvent, CloseHandle, GetStartupInfoA, GetCurrentThreadId, VerSetConditionMask, GetLastError, WaitForSingleObject, CreateEventW, GetSystemTimeAsFileTime, VerifyVersionInfoW, GetProcAddress, GetModuleHandleA, GetTickCount, HeapAlloc, HeapFree, GetProcessHeap, OpenProcess, WaitForMultipleObjects, DuplicateHandle, ReleaseSemaphore, WaitForSingleObjectEx, GetCurrentProcess, CreateSemaphoreA, PostQueuedCompletionStatus, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsFree, GetSystemInfo, CreateFileA, WriteFile, GetModuleHandleW, LocalFree, FormatMessageW, SetConsoleCtrlHandler, SetLastError, CreateIoCompletionPort, GetQueuedCompletionStatus, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SleepEx, SetWaitableTimer, QueueUserAPC, TerminateThread, TlsGetValue, TlsSetValue, GetModuleFileNameW, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, EncodePointer, DecodePointer, GetStringTypeW, CreateEventExW, OpenEventW, WaitForMultipleObjectsEx, Sleep, GetCurrentProcessId, ResetEvent, ResumeThread, GetLogicalProcessorInformation, CreateWaitableTimerA, SystemTimeToFileTime, AreFileApisANSI, ExitProcess, RaiseException, RtlUnwind, GetCommandLineA, CreateThread, ExitThread, LoadLibraryExW, FatalAppExitA, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, CreateSemaphoreW, IsProcessorFeaturePresent, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapSize, IsDebuggerPresent, GetStdHandle, FreeLibrary, IsValidCodePage, GetACP, GetOEMCP, GetCurrentThread, GetFileType, GetModuleFileNameA, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointerEx, GetTimeZoneInformation, OutputDebugStringW, SetStdHandle, WriteConsoleW, ReadConsoleW, CreateFileW, SetEnvironmentVariableA, LoadLibraryW, SetProcessShutdownParameters
USER32.dll	ReleaseDC, TranslateMessage, DispatchMessageA, PostThreadMessageA, SetWindowRgn, GetWindowThreadProcessId, MonitorFromWindow, GetDC, GetMessageA
PCShowServer.dll	?setActiveBrand@VgkConfig@@SAXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z, ??0PCShowServer@@QAE@XZ, ??1PCShowServer@@UAE@XZ, ?init@PCShowServer@@UAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N@Z, ?init@PCShowServer@@UAEXHHAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N@Z, ?sendMessage@PCShowServer@@UAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z, ?setMessageCallback@PCShowServer@@UAEXP6AXPBD@Z@Z, ?setVideoWindowHandle@PCShowServer@@UAEXPAX@Z, ?terminate@PCShowServer@@UAEXXZ, ?getConnClosedSync@@YAPAVSynchronizer@util@nds@@XZ, ?getFD@LogStore@util@nds@@SA?AV?$shared_ptr@U?$pair@HV?$shared_ptr@Vrecursive_mutex@boost@@@boost@@@std@@@boost@@PBD@Z, ?writeStr@LogStore@util@nds@@SAJV?$shared_ptr@U?$pair@HV?$shared_ptr@Vrecursive_mutex@boost@@@boost@@@std@@@boost@@PBD@Z, ?isOpen@LogStore@util@nds@@SA_NV?$shared_ptr@U?$pair@HV?$shared_ptr@Vrecursive_mutex@boost@@@boost@@@std@@@boost@@@Z, ??0PropertiesFile@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N1@Z, ??0PropertiesFile@@QAE@AAV?$basic_istream@DU?$char_traits@D@std@@@std@@@Z, ??1PropertiesFile@@QAE@XZ, ?optionalString@VgkConfig@@SA?AV?$shared_ptr@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@boost@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z, ?optionalInt@VgkConfig@@SAHABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@HHH_N@Z, ?optionalBool@VgkConfig@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N@Z, ?getProjectString@VgkConfig@@SAABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
WS2_32.dll	WSASendTo, WSASocketW, WSASend, freeaddrinfo, WSARecvFrom, WSAGetLastError, WSASetLastError, setsockopt, select, ioctlsocket, closesocket, WSACleanup, getaddrinfo, WSAStartup
GDI32.dll	GetDeviceCaps, ExtCreateRegion, EqualRgn, DeleteObject, CreateRectRgn, CombineRgn, GetRegionData
ADVAPI32.dll	RegQueryValueExA, ConvertStringSecurityDescriptorToSecurityDescriptorW, SetSecurityInfo, GetSecurityDescriptorSacl, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExA

Exports

Name	Ordinal	Address
??0AppConfig@@AAE@AAV?$basic_istream@DU?$char_traits@D@std@@@std@@@Z	1	0x4358e0
??0AppConfig@@AAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N1@Z	2	0x435910
??0LogStore@util@nds@@QAE@XZ	3	0x435b40
??1AppConfig@@QAE@XZ	4	0x435f40
??1VgkConfig@@QAE@XZ	5	0x436090
?MAX_LINE@PropertiesFile@@2IB	6	0x4ce3a8

Version Infos

Description	Data
LegalCopyright	Copyright<A9> 2009-2018, Cisco
InternalName	CiscoVideoGuard
FileVersion	11,5,0x11dce5da,1107
ProductName	VideoGuard
ProductVersion	11, 5
FileDescription	Cisco VideoGuard
OriginalFilename	CiscoVideoGuard.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: ciscovideoguard.exe PID: 7164 Parent PID: 5996

General

Start time:	16:36:30
Start date:	22/03/2021
Path:	C:\Users\user\Desktop\ciscovideoguard.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ciscovideoguard.exe'
Imagebase:	0x8f0000
File size:	1074416 bytes
MD5 hash:	01EB1A2E5FC8D464431A34AB5E28255C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4824 Parent PID: 7164

General

Start time:	16:36:30
Start date:	22/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ciscovideoguard.exe PID: 7164 Parent PID: 5996 ciscovideoguard.exeCOMMON

Executed Functions

Non-executed Functions

Function 008F28A0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E008F28A0(void* __edi) {
				intOrPtr _v8;
				char _v12;
				int _v16;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				int _t19;
				long _t21;
				long _t23;
				void* _t25;
				void* _t26;
				void* _t27;
				int _t28;
				void* _t29;
				void* _t31;
				void* _t35;

				_t31 = _t35;
				_t21 = TlsAlloc();
				if(_t21 != 0xffffffff) {
					L2:
					 *0x9ea478 = _t21;
					return E0094F034(_t43, 0x9b9750);
				} else {
					_t26 = GetLastError();
					_t10 = E0094A830();
					_v12 = _t26;
					_t43 = _t26;
					_v8 = _t10;
					_t27 = _t25;
					if(_t26 != 0) {
						E00913940(_t21, _t27, __eflags,  &_v12, "tss");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t31);
						_push(_t21);
						_t23 = TlsAlloc();
						__eflags = _t23 - 0xffffffff;
						if(__eflags != 0) {
							L6:
							 *0x9ea468 = _t23;
							return E0094F034(__eflags, 0x9b9760);
						} else {
							_t28 = GetLastError();
							_t16 = E0094A830();
							_v16 = _t28;
							__eflags = _t28;
							_v12 = _t16;
							_t29 = _t27;
							if(__eflags != 0) {
								E00913940(_t23, _t29, __eflags,  &_v16, "tss");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_t19 = InitializeSecurityDescriptor(0x9ea48c, 1);
								__eflags = _t19;
								if(_t19 != 0) {
									_t19 = SetSecurityDescriptorDacl(0x9ea48c, 1, 0, 0);
									__eflags = _t19;
									if(_t19 != 0) {
										 *0x9ea484 = 0x9ea48c;
										 *0x9ea480 = 0xc;
										 *0x9ea488 = 0;
										 *0x9ea4a0 = 0;
										return _t19;
									}
								}
								return _t19;
							} else {
								goto L6;
							}
						}
					} else {
						goto L2;
					}
				}
			}

0x008f28a1
0x008f28ad
0x008f28b2
0x008f28cd
0x008f28d2
0x008f28e4
0x008f28b4
0x008f28bb
0x008f28bd
0x008f28c2
0x008f28c5
0x008f28c7
0x008f28ca
0x008f28cb
0x008f28ee
0x008f28f3
0x008f28f4
0x008f28f5
0x008f28f6
0x008f28f7
0x008f28f8
0x008f28f9
0x008f28fa
0x008f28fb
0x008f28fc
0x008f28fd
0x008f28fe
0x008f28ff
0x008f2900
0x008f2906
0x008f290d
0x008f290f
0x008f2912
0x008f292d
0x008f2932
0x008f2944
0x008f2914
0x008f291b
0x008f291d
0x008f2922
0x008f2925
0x008f2927
0x008f292a
0x008f292b
0x008f294e
0x008f2953
0x008f2954
0x008f2955
0x008f2956
0x008f2957
0x008f2958
0x008f2959
0x008f295a
0x008f295b
0x008f295c
0x008f295d
0x008f295e
0x008f295f
0x008f2967
0x008f296d
0x008f296f
0x008f297c
0x008f2982
0x008f2984
0x008f2986
0x008f2990
0x008f299a
0x008f29a4
0x00000000
0x008f29a4
0x008f2984
0x008f29ab
0x00000000
0x00000000
0x00000000
0x008f292b
0x00000000
0x00000000
0x00000000
0x008f28cb

APIs

TlsAlloc.KERNEL32 ref: 008F28A7
GetLastError.KERNEL32 ref: 008F28B5
TlsAlloc.KERNEL32(00000000,tss), ref: 008F2907
GetLastError.KERNEL32 ref: 008F2915

Part of subcall function 00913940: std::exception::exception.LIBCMT ref: 0091397F

InitializeSecurityDescriptor.ADVAPI32(009EA48C,00000001,?,tss), ref: 008F2967
SetSecurityDescriptorDacl.ADVAPI32(009EA48C,00000001,00000000,00000000), ref: 008F297C

Strings

tss, xrefs: 008F28E5, 008F2945

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AllocDescriptorErrorLastSecurity$DaclInitializestd::exception::exception
String ID: tss
API String ID: 1606189987-1638339373
Opcode ID: e71ef22fa33a1ea9530561a40debbc1d70bcee005fb7196f2f12b5f2828d0e3a
Instruction ID: ece4a1c6d10cfd57bd96629edd59da060c6f08996202de40a66a4c05c2c8c19c
Opcode Fuzzy Hash: e71ef22fa33a1ea9530561a40debbc1d70bcee005fb7196f2f12b5f2828d0e3a
Instruction Fuzzy Hash: D521DA71A69348ABD7116BB4AC8DF9D7B68E781B70F000155FD009B2F0E7F45D02A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00970F4A, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00970F4A(short _a4, intOrPtr _a8) {
				short _t13;
				short _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00970198(_t28, ?str?) != 0) {
					if(E00970198(_t28, ?str?) != 0) {
						return E00976CFC(_t28);
					}
					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t13 = _a4;
				if(_t13 == 0) {
					return GetACP();
				}
				return _t13;
			}

0x00970f4e
0x00970f53
0x00970f7b
0x00000000
0x00970fa4
0x00970f96
0x00970fc2
0x00000000
0x00970fc2
0x00000000
0x00970f98
0x00970fc0
0x00000000
0x00000000
0x00970fc6
0x00970fcb
0x00970fcf
0x00970fcf
0x00970f9d

APIs

_wcscmp.LIBCMT ref: 00970F61
_wcscmp.LIBCMT ref: 00970F72
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00971210,?,00000000), ref: 00970F8E
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00971210,?,00000000), ref: 00970FB8

Strings

ACP, xrefs: 00970F5B
OCP, xrefs: 00970F6C

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 59ea5bdaab285885ac37dd303279b835270c0be14360f859dc46e9cb0fa9d92b
Instruction ID: e2368b1644d0766df67324109e45794a3ae6b5509a16b659de646fc34e19dcf5
Opcode Fuzzy Hash: 59ea5bdaab285885ac37dd303279b835270c0be14360f859dc46e9cb0fa9d92b
Instruction Fuzzy Hash: 74019A33219209EEEB309E18DC46FDA779CAF80764F00C425FA4CDA0A0E720DD81D791

Uniqueness

Uniqueness Score: -1.00%

Function 00902500, Relevance: 4.6, APIs: 3, Instructions: 89
timeCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00902500(intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v44;
				char _v48;
				intOrPtr _v52;
				signed int _v56;
				short _v60;
				char _v64;
				struct _FILETIME _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				signed int _t29;
				intOrPtr _t62;
				void* _t64;
				signed int _t68;
				void* _t69;
				short* _t70;
				void* _t72;

				_t72 = __eflags;
				_t62 = __edx;
				_t24 =  *0x9e6310; // 0x57443789
				_v8 = _t24 ^ _t68;
				_t51 = _a4;
				GetSystemTimeAsFileTime( &_v72);
				asm("adc eax, 0xfe624e21");
				_t64 = E009514F0(_v72.dwLowDateTime + 0x2ac18000, _v72.dwHighDateTime, 0xa, 0);
				_t29 = E009514F0(_t64, _t62, 0xf4240, 0);
				_v56 = _t29;
				_v52 = _t62;
				_t65 = _t64 - _t29 * 0xf4240;
				_t67 =  *_a8();
				_t70 = _t69 + 4;
				E009007B0(_a4, _t70, _t64 - _t29 * 0xf4240,  *(_t33 + 0xc) & 0x0000ffff);
				E00900830(_a4, _t70, _t64 - _t29 * 0xf4240,  *((intOrPtr*)(_t33 + 0x10)) + 0x00000001 & 0x0000ffff);
				 *_t70 = 0x578;
				E00902190(_a4, _t64 - _t29 * 0xf4240, 0x0000076c +  *((intOrPtr*)(_t33 + 0x14)) & 0x0000ffff);
				E00901110(_t51,  &_v48, 0x578, _t72, _t70, _t70,  &_v56);
				_v64 = E00903870(0x578,  *((intOrPtr*)(_t67 + 8)),  *((intOrPtr*)(_t67 + 4)),  *_t67, _t65, 0);
				_v60 = 0x578;
				E009008D0(_t51,  &_v48,  &_v64);
				return E0094FF4A(_t51, _v8 ^ _t68, 0x578, _t65, _t67,  &_v44);
			}

0x00902500
0x00902500
0x00902506
0x0090250d
0x00902511
0x0090251d
0x00902533
0x00902546
0x0090254a
0x0090254f
0x00902558
0x0090255b
0x00902567
0x00902569
0x00902573
0x00902585
0x0090259f
0x009025a2
0x009025aa
0x009025c5
0x009025d0
0x009025d8
0x009025ef

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0090251D
__aulldiv.LIBCMT ref: 0090253A
__aulldiv.LIBCMT ref: 0090254A

Part of subcall function 00901110: std::exception::exception.LIBCMT ref: 009011AF

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Time__aulldiv$FileSystemstd::exception::exception
String ID:
API String ID: 3071610577-0
Opcode ID: a50508a4b5204921fef05a2694d9d31f7c5a295b3d20714e4d9ec63804c564dc
Instruction ID: 38cf9ea73ba5ffb9afd18caa0a452e86b5fc0cb7b59f97abad4f7d26b1e37901
Opcode Fuzzy Hash: a50508a4b5204921fef05a2694d9d31f7c5a295b3d20714e4d9ec63804c564dc
Instruction Fuzzy Hash: 63214475E00208ABCB14DFA5DC81FBFB7B9EB88700F104529F905A7291DA35A9049B64

Uniqueness

Uniqueness Score: -1.00%

Function 0090D1D0, Relevance: 4.6, APIs: 3, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0090D1D0(intOrPtr* _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char* _v24;
				intOrPtr* _v28;
				intOrPtr* _v32;
				char _v44;
				void* __ebx;
				void* __ebp;
				signed int _t20;
				void* _t33;
				intOrPtr* _t36;
				void* _t40;
				intOrPtr* _t44;
				signed int _t46;
				void* _t47;

				_push(0xffffffff);
				_push(0x9ae719);
				_push( *[fs:0x0]);
				_push(_t33);
				_t20 =  *0x9e6310; // 0x57443789
				_push(_t20 ^ _t46);
				 *[fs:0x0] =  &_v16;
				_v20 = _t47 - 0x1c;
				_t44 = HeapAlloc(GetProcessHeap(), 0, 0x44);
				_v24 = _t44;
				_t49 = _t44;
				if(_t44 == 0) {
					_v24 = "bad allocation";
					E0094FD76( &_v44,  &_v24);
					_v44 = 0x9c77b4;
					_v8 = _t44;
					E0090D3D0( &_v44, _t49,  &_v44, 1);
				}
				_v28 = _t44;
				_v8 = 1;
				_v32 = _t44;
				_v8 = 2;
				E0090DF90(_t33, _t40);
				_t36 = _a4;
				 *_t44 = 0x9bdda0;
				 *((intOrPtr*)(_t44 + 0x3c)) =  *_t36;
				_t16 = _t36 + 4; // 0x8b5608ec
				 *((intOrPtr*)(_t44 + 0x40)) =  *_t16;
				 *[fs:0x0] = _v16;
				return _t44;
			}

0x0090d1d3
0x0090d1d5
0x0090d1e0
0x0090d1e4
0x0090d1e7
0x0090d1ee
0x0090d1f2
0x0090d1f8
0x0090d20c
0x0090d20e
0x0090d211
0x0090d213
0x0090d21a
0x0090d225
0x0090d22a
0x0090d234
0x0090d238
0x0090d238
0x0090d23d
0x0090d240
0x0090d247
0x0090d24c
0x0090d250
0x0090d255
0x0090d258
0x0090d260
0x0090d263
0x0090d266
0x0090d26e
0x0090d27c

APIs

GetProcessHeap.KERNEL32(00000000,00000044,57443789,00000000,?), ref: 0090D1FF
HeapAlloc.KERNEL32(00000000), ref: 0090D206
std::exception::exception.LIBCMT ref: 0090D225

Part of subcall function 0090D3D0: __CxxThrowException@8.LIBCMT ref: 0090D41E
Part of subcall function 0090D3D0: __CxxThrowException@8.LIBCMT ref: 0090D47E

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8HeapThrow$AllocProcessstd::exception::exception
String ID:
API String ID: 3430434711-0
Opcode ID: 3f302c71aa319c3c9ac7895a37037420c2aefabd14fc742f5204f503c9a9e8dc
Instruction ID: 40d9b22722e3ad4aed39b6c4371648e51d8c458687d239179294b661c5f832a6
Opcode Fuzzy Hash: 3f302c71aa319c3c9ac7895a37037420c2aefabd14fc742f5204f503c9a9e8dc
Instruction Fuzzy Hash: D41149B1D05218EFCB10DF98C945B9EBBF8EB49B64F10456AE905A7380D7B16A008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009566AE, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009566AE(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x009566b3
0x009566c3

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0095C1BD,?,?,?,00000001), ref: 009566B3
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009566BC

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ab4d77c271c101b51d98a9eb74d712397dad5206050cba0b3450ca0d6321342e
Instruction ID: 79c2520328202b9c39454fd64c0a6afa322a61451e5c3c37233b8d720e9d49ae
Opcode Fuzzy Hash: ab4d77c271c101b51d98a9eb74d712397dad5206050cba0b3450ca0d6321342e
Instruction Fuzzy Hash: C4B0923106A248ABCB002FA1FD49B587F28EB09762F004010F71D4C2628B72D810AAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0095B812, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0095B812(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t6;
				int _t8;

				_t6 =  *0x9eb978 ^  *0x9e6310;
				if(_t6 == 0) {
					 *0x9eab5c = _a4;
					_t8 = EnumSystemLocalesW(0x95b7fe, 1);
					 *0x9eab5c =  *0x9eab5c & 0x00000000;
					return _t8;
				} else {
					return  *_t6(_a4, _a8, _a12, 0);
				}
			}

0x0095b81a
0x0095b820
0x0095b83b
0x0095b840
0x0095b846
0x0095b84e
0x0095b822
0x0095b830
0x0095b830

APIs

EnumSystemLocalesW.KERNEL32(0095B7FE,00000001,?,00970364,00970402,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0095B840

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: e84d05bfb0ccb1359c9a8a3fa7e16166a88d094210c026c9488eaaf716f36d17
Instruction ID: d44570d459d737ac5acc124cea620674f078c004971579cc1e7a7364fe39ea7d
Opcode Fuzzy Hash: e84d05bfb0ccb1359c9a8a3fa7e16166a88d094210c026c9488eaaf716f36d17
Instruction Fuzzy Hash: 2CE0B632168388EBDF12DFA6EC86B593BAABB48715F044410FA184F5B0C771E960AF44

Uniqueness

Uniqueness Score: -1.00%

Function 0095B898, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20001004,?,00961B9A,?,00961B9A,?,20001004,?,00000002,?,00000004,?,00000000), ref: 0095B8BF

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 960a09f21321be920522f3aec08d7e5e03d5f362c8cba1908debdd2bff033b3c
Instruction ID: e5e35079a5835f9697c30ee837280a83a65d558f327bc9552ea056c4b87cca06
Opcode Fuzzy Hash: 960a09f21321be920522f3aec08d7e5e03d5f362c8cba1908debdd2bff033b3c
Instruction Fuzzy Hash: 15D06732018149FF9F01DFE5EC85CAA7B69FB88355B044405FA1849521DB36E924AB61

Uniqueness

Uniqueness Score: -1.00%

Function 008F2880, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008F2880() {
				struct _SYSTEM_INFO _v40;
				intOrPtr _t4;

				GetSystemInfo( &_v40);
				_t4 = _v40.dwNumberOfProcessors;
				 *0x9ea47c = _t4;
				return _t4;
			}

0x008f288a
0x008f2890
0x008f2893
0x008f289b

APIs

GetSystemInfo.KERNEL32(?), ref: 008F288A

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5cd11e836bcdb620fbdf585c93ec696e125827747b5f3060449200dd923177c8
Instruction ID: b5050fbdbda201014390d0cf5d2a35b04eb836736abceea088fc51e6f7ff6d04
Opcode Fuzzy Hash: 5cd11e836bcdb620fbdf585c93ec696e125827747b5f3060449200dd923177c8
Instruction Fuzzy Hash: 66C012B480824C8B8700DBB5988985977FCA60C100B400151EC1897220E631AC548B91

Uniqueness

Uniqueness Score: -1.00%

Function 00952C60, Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00952C60(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x00952c60
0x00952c67
0x00952cbc
0x00952cbc
0x00952c69
0x00952c69
0x00952c6f
0x00952c79
0x00952c91
0x00952c91
0x00952c94
0x00952ca8
0x00952ca8
0x00952cab
0x00000000
0x00952cad
0x00952cad
0x00952cad
0x00952caf
0x00952cb4
0x00000000
0x00000000
0x00952cb6
0x00952cb9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00952cb9
0x00000000
0x00952cad
0x00952c96
0x00952ca3
0x00952cc2
0x00952cc4
0x00952cd2
0x00952cdb
0x00000000
0x00952cdd
0x00952ce0
0x00952ce2
0x00952d0c
0x00952ce4
0x00952ce4
0x00952ce6
0x00952d06
0x00952ce8
0x00952ceb
0x00952ced
0x00952d00
0x00952cef
0x00952cf1
0x00000000
0x00952cf3
0x00000000
0x00952cf3
0x00952cf1
0x00952ced
0x00952ce6
0x00952ce2
0x00000000
0x00952cbd
0x00952cbd
0x00952cbd
0x00000000
0x00952ca7
0x00952c7b
0x00952c7b
0x00952c7b
0x00952c7d
0x00952c82
0x00000000
0x00000000
0x00952c84
0x00952c87
0x00000000
0x00952c89
0x00952c8f
0x00000000
0x00000000
0x00000000
0x00000000
0x00952c8f
0x00000000
0x00952c87
0x00952cf6
0x00952cfa
0x00952cfa
0x00952c79
0x00000000

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 90399bbc7beb6b732a911ebbfa74ade23f15493c5dc79946e7d41cae7a5bae2a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 1211B67720008243D614CB2FD5B45BFA79DEAC732376D82EADDD24B756D322A94DA700

Uniqueness

Uniqueness Score: -1.00%

Function 008F50F0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E008F50F0(intOrPtr _a4) {
				char* _v12;
				char _v24;
				char _v56;
				char _v60;
				char _v72;
				char _v76;
				char _v80;
				char _v92;
				char _v100;
				char _v120;
				intOrPtr _v128;
				char _v152;
				char _v160;
				char _v180;
				intOrPtr _t43;
				void* _t82;
				void* _t83;
				void* _t92;
				void* _t94;
				void* _t98;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_t94 = _t104;
				_t43 = _a4;
				_t83 = 0;
				if(_t43 == 0) {
					L4:
					return _t83;
				} else {
					_t114 = _t43 - 0xffffffff;
					if(_t43 > 0xffffffff) {
						L3:
						_push(_t94);
						_t105 = _t104 - 0x10;
						_push(1);
						_v12 = "bad allocation";
						E0094FD76( &_v24,  &_v12);
						_v24 = 0x9c77b4;
						E0094FF59( &_v24, 0x9dd784);
						asm("int3");
						_push(_t104);
						_t106 = _t105 - 0xc;
						E0094FDB4( &_v56);
						_v56 = 0x9c7808;
						E0094FF59( &_v56, 0x9dd874);
						asm("int3");
						_push(_t105);
						_t98 = _t106;
						_t107 = _t106 - 0xc;
						E0094FD51( &_v80,  &_v60);
						_v80 = 0x9c77cc;
						E0094FF59( &_v80, 0x9dd7a0);
						asm("int3");
						_push(_t98);
						_t99 = _t107;
						_t108 = _t107 - 0xc;
						E0094FD51( &_v76,  &_v56);
						_v76 = 0x9c77d8;
						E0094FF59( &_v76, 0x9dd7dc);
						asm("int3");
						_push(_t99);
						_t109 = _t108 - 0xc;
						E0094FD51( &_v92,  &_v72);
						_v92 = 0x9c77e4;
						E0094FF59( &_v92, 0x9dd818);
						asm("int3");
						_push(_t108);
						E0094FD51( &_v120,  &_v100);
						_v120 = 0x9c77fc;
						E0094FF59( &_v120, 0x9dd838);
						asm("int3");
						_push(_t109);
						E00929370( &_v152, _v128);
						E0094FF59( &_v152, 0x9dd8ac);
						asm("int3");
						_push(_t109 - 0xc);
						E0094FD51( &_v180,  &_v160);
						_v180 = 0x9c77f0;
						E0094FF59( &_v180, 0x9d86a8);
						asm("int3");
						return "bad function call";
					} else {
						_push(_t43);
						_t83 = E0094EEB3(_t82, _t92, _t114);
						_t104 = _t104 + 4;
						if(_t83 != 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
			}

0x008f50f1
0x008f50f3
0x008f50f6
0x008f50fa
0x008f5115
0x008f5118
0x008f50fc
0x008f50fc
0x008f50ff
0x008f5110
0x00929514
0x00929517
0x0092951a
0x0092951f
0x0092952a
0x00929537
0x0092953f
0x00929544
0x00929545
0x00929548
0x0092954e
0x0092955b
0x00929563
0x00929568
0x00929569
0x0092956a
0x0092956c
0x0092957c
0x00929589
0x00929591
0x00929596
0x00929597
0x00929598
0x0092959a
0x009295aa
0x009295b7
0x009295bf
0x009295c4
0x009295c5
0x009295c8
0x009295d8
0x009295e5
0x009295ed
0x009295f2
0x009295f3
0x00929606
0x00929613
0x0092961b
0x00929620
0x00929621
0x0092962d
0x0092963b
0x00929640
0x00929641
0x00929654
0x00929661
0x00929669
0x0092966e
0x00929674
0x008f5101
0x008f5101
0x008f5107
0x008f5109
0x008f510e
0x00000000
0x00000000
0x00000000
0x00000000
0x008f510e
0x008f50ff

APIs

std::exception::exception.LIBCMT ref: 0092952A
__CxxThrowException@8.LIBCMT ref: 0092953F
__CxxThrowException@8.LIBCMT ref: 00929563
std::exception::exception.LIBCMT ref: 0092957C
__CxxThrowException@8.LIBCMT ref: 00929591
std::exception::exception.LIBCMT ref: 009295AA
__CxxThrowException@8.LIBCMT ref: 009295BF
std::exception::exception.LIBCMT ref: 009295D8
__CxxThrowException@8.LIBCMT ref: 009295ED
std::exception::exception.LIBCMT ref: 00929606
__CxxThrowException@8.LIBCMT ref: 0092961B
std::regex_error::regex_error.LIBCPMT ref: 0092962D
__CxxThrowException@8.LIBCMT ref: 0092963B

Strings

bad function call, xrefs: 0092966F

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$std::regex_error::regex_error
String ID: bad function call
API String ID: 1764774708-3612616537
Opcode ID: 6c9787b9bb02602eaa8ad7616cff2c5bc870b111fd6e1b689d49ec3b204f7d84
Instruction ID: 7bee2caee4473b3ecc43a92e7fe59b07d68789e53e2b3cffd49443033796cfb6
Opcode Fuzzy Hash: 6c9787b9bb02602eaa8ad7616cff2c5bc870b111fd6e1b689d49ec3b204f7d84
Instruction Fuzzy Hash: 1A41EC74D4020DBBCF14EFE4C896EDEB7BCEA44344F408566BD14A7682EB74E6488A91

Uniqueness

Uniqueness Score: -1.00%

Function 00961E22, Relevance: 19.6, APIs: 13, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00961E22(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t22;
				intOrPtr* _t42;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t42 = E00954A5D(8, 1);
					_t48 = _t42;
					if(_t42 != 0) {
						_t12 = E00954A5D(0xb8, 1);
						 *_t42 = _t12;
						__eflags = _t12;
						if(_t12 != 0) {
							_t13 = E00954A5D(0x220, 1);
							 *((intOrPtr*)(_t42 + 4)) = _t13;
							__eflags = _t13;
							if(_t13 != 0) {
								E00961937( *_t42, 0x9e6f18);
								_t15 = E00962222(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
								_push( *((intOrPtr*)(_t42 + 4)));
								__eflags = _t15;
								if(__eflags == 0) {
									L14:
									E0094FC75();
									E0095D262( *_t42);
									E0095D108( *_t42);
									E0094FC75(_t42);
									_t42 = 0;
									L16:
									return _t42;
								}
								_push( *((intOrPtr*)( *_t42 + 4)));
								_t22 = E0095CD39(__edx, 1, __eflags);
								__eflags = _t22;
								if(_t22 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
									goto L16;
								}
								_push( *((intOrPtr*)(_t42 + 4)));
								goto L14;
							}
							E0094FC75( *_t42);
							E0094FC75(_t42);
							L8:
							goto L3;
						}
						E0094FC75(_t42);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E00954BEF(_t48))) = 0xc;
					goto L4;
				}
			}

0x00961e2b
0x00961e51
0x00000000
0x00961e33
0x00961e3e
0x00961e42
0x00961e44
0x00961e5d
0x00961e62
0x00961e66
0x00961e68
0x00961e79
0x00961e7e
0x00961e83
0x00961e85
0x00961e9e
0x00961eab
0x00961eb3
0x00961eb6
0x00961eb8
0x00961ecd
0x00961ecd
0x00961ed4
0x00961edb
0x00961ee1
0x00961ee9
0x00961ef2
0x00000000
0x00961ef2
0x00961ebc
0x00961ebf
0x00961ec6
0x00961ec8
0x00961ef0
0x00000000
0x00961ef0
0x00961eca
0x00000000
0x00961eca
0x00961e89
0x00961e8f
0x00961e70
0x00000000
0x00961e70
0x00961e6b
0x00000000
0x00961e6b
0x00961e46
0x00961e4b
0x00000000
0x00961e4b

APIs

__calloc_crt.LIBCMT ref: 00961E39

Part of subcall function 00954A5D: __calloc_impl.LIBCMT ref: 00954A6C

__calloc_crt.LIBCMT ref: 00961E5D
_free.LIBCMT ref: 00961E6B
__calloc_crt.LIBCMT ref: 00961E79
_free.LIBCMT ref: 00961E89
_free.LIBCMT ref: 00961E8F
__copytlocinfo_nolock.LIBCMT ref: 00961E9E
__wsetlocale_nolock.LIBCMT ref: 00961EAB
__setmbcp_nolock.LIBCMT ref: 00961EBF
_free.LIBCMT ref: 00961ECD
___removelocaleref.LIBCMT ref: 00961ED4
___freetlocinfo.LIBCMT ref: 00961EDB
_free.LIBCMT ref: 00961EE1

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: aa971dc9b071cb3d06dde53b2c559f614d703158873ac3821fc24c4179cf511a
Instruction ID: 4b116e419570da01ce2e01fcec56df9f7c173f7fd42fc7fe3a061a71805234e3
Opcode Fuzzy Hash: aa971dc9b071cb3d06dde53b2c559f614d703158873ac3821fc24c4179cf511a
Instruction Fuzzy Hash: 1021D535108602FEEB23BF65DC06F5A7BE8DFC2B61B148829FC98550A1EB23C850D750

Uniqueness

Uniqueness Score: -1.00%

Function 00947B80, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 185
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00947B80(void* __ebx, void* __edx, void* __edi, void* __ebp, intOrPtr* _a4) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short _v24;
				short _v26;
				short _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				signed short _v42;
				signed int _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				short _v70;
				intOrPtr _v92;
				char _v96;
				struct _SYSTEMTIME _v112;
				struct _FILETIME _v120;
				void* __esi;
				signed int _t58;
				void* _t95;
				void* _t103;
				intOrPtr _t105;
				intOrPtr* _t120;
				void* _t122;
				void* _t126;
				void* _t132;
				intOrPtr* _t133;
				signed int _t139;
				void* _t148;

				_t138 = __ebp;
				_t129 = __edi;
				_t126 = __edx;
				_t110 = __ebx;
				_t139 =  &_v36;
				_t58 =  *0x9e6310; // 0x57443789
				_v4 = _t58 ^ _t139;
				_t133 = _a4;
				_v28 = 0;
				_v24 = 0;
				if( *((char*)(_t133 + 0x10)) == 0) {
					_t133 = _t133 + 0x18;
					_v20 = 0;
					_v16 = 0;
					_v12 = 0;
					_v8 = 0;
					E00947460(__ebx, _t133, __edi, _t133, __ebp,  &_v36);
					E009479F0(__ebx, __edi, _t133, __ebp,  &_v40, _v40);
					_v24 = _v40 & 0x0000ffff;
					E00947460(__ebx, _t133, __edi, _t133, __ebp,  &_v40);
					E009479F0(__ebx, __edi, _t133, __ebp,  &_v44, _v44);
					_v26 = _v42 & 0x0000ffff;
					E00947460(__ebx, _t133, __edi, _t133, __ebp,  &_v44);
					E009479F0(_t110, __edi, _t133, _t138,  &_v48, _v48);
					_v26 = _v44 & 0x0000ffff;
					E0090A870( &_v48, _t133);
					_v40 = E00951400(_v48, _v44, 0xd693a400, 0);
					E0090A870( &_v64, _t133);
					_v70 = E00951820(E00951400(_v64, _v60, 0x3938700, 0), _t126, 0x3c, 0);
					E0090A870( &_v96, _t133);
					_t139 = _t139 + 0x30;
					_v112.wSecond = E00951820(E00951400(_v96, _v92, 0xf4240, 0), _t126, 0x3c, 0);
					if(SystemTimeToFileTime( &_v112,  &_v120) != 0) {
						_push(__edi);
						E0090A870( &_v36, _t133);
						E0090A870( &_v36, _t133);
						_t134 = _v36;
						_t95 = E009514B0(E00951400(_v36, _v32, 0xf4240, 0), _t126, 0xf4240, 0);
						asm("sbb edi, edx");
						asm("adc edi, ecx");
						asm("adc edx, edi");
						_pop(_t132);
						return E0094FF4A(_t110, _v36 ^ _t139 + 0x00000010, _v56, _t132, _t134 - _t95 + (_t134 - _t95 << 2) + _t134 - _t95 + (_t134 - _t95 << 2));
					} else {
						asm("xorps xmm0, xmm0");
						asm("movlpd [esp+0xc], xmm0");
						goto L9;
					}
				} else {
					_t120 =  *0x9ea3ec;
					if(_t120 == 0) {
						_t120 =  !=  ? GetProcAddress(GetModuleHandleW(L"KERNEL32.DLL"), "GetTickCount64") : 0x901db0;
						 *0x9ea3ec = 0x901db0;
					}
					_t103 =  *_t120();
					asm("sbb edx, [esi+0x4]");
					_t122 =  *((intOrPtr*)(_t133 + 8)) - _t103 -  *_t133;
					_t148 = _t122;
					_t105 =  *((intOrPtr*)(_t133 + 0xc));
					asm("sbb eax, edx");
					if(_t148 < 0 || _t148 <= 0 && _t122 == 0) {
						L9:
						return E0094FF4A(_t110, _v4 ^ _t139, _v24, _t129, _t133);
					} else {
						E009514B0(_t122, _t105, 0xffffd8f0, 0xffffffff);
						return E0094FF4A(_t110, _v20 ^ _t139, _t126, _t129, _t133);
					}
				}
			}

0x00947b80
0x00947b80
0x00947b80
0x00947b80
0x00947b80
0x00947b83
0x00947b8a
0x00947b8f
0x00947b93
0x00947b9b
0x00947ba7
0x00947c1b
0x00947c1e
0x00947c24
0x00947c28
0x00947c2c
0x00947c35
0x00947c43
0x00947c50
0x00947c5c
0x00947c6a
0x00947c77
0x00947c83
0x00947c91
0x00947c9b
0x00947ca6
0x00947cc2
0x00947ccd
0x00947cf4
0x00947cff
0x00947d04
0x00947d26
0x00947d3d
0x00947d60
0x00947d67
0x00947d72
0x00947d7e
0x00947d99
0x00947da2
0x00947db7
0x00947dc5
0x00947dc7
0x00947dd3
0x00947d3f
0x00947d3f
0x00947d42
0x00000000
0x00947d42
0x00947ba9
0x00947ba9
0x00947bb1
0x00947bd1
0x00947bd4
0x00947bd4
0x00947bda
0x00947be1
0x00947be4
0x00947be4
0x00947be6
0x00947be9
0x00947beb
0x00947d48
0x00947d5f
0x00947bfb
0x00947c04
0x00947c18
0x00947c18
0x00947beb

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,GetTickCount64), ref: 00947BBD
GetProcAddress.KERNEL32(00000000), ref: 00947BC4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00947CBD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00947CE4
__allrem.LIBCMT ref: 00947CEF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00947D16
__allrem.LIBCMT ref: 00947D21
SystemTimeToFileTime.KERNEL32(0000003C,?,00000000,?,0000003C,00000000,?,?,000F4240,00000000,03938700,00000000,D693A400,00000000), ref: 00947D35
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00947D8B

Strings

KERNEL32.DLL, xrefs: 00947BB8
GetTickCount64, xrefs: 00947BB3

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Time__allrem$AddressFileHandleModuleProcSystem
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 2537731104-3320051239
Opcode ID: 2a648aaac6f7d55e32949e13e1ab94e4428136d39e9fecdf409c0b30d8bedca6
Instruction ID: 61c7d6fbbfc5649e12ca3be8aeb3bb7fa2793dcae1a232a36fdadff7490376a9
Opcode Fuzzy Hash: 2a648aaac6f7d55e32949e13e1ab94e4428136d39e9fecdf409c0b30d8bedca6
Instruction Fuzzy Hash: 2451BF71A08341ABC714EF65CC45F6FB7E9AFC8704F008D1DB98997291E734E9488B96

Uniqueness

Uniqueness Score: -1.00%

Function 009480B0, Relevance: 18.2, APIs: 12, Instructions: 212
timesleepCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E009480B0(signed int __edx, void* __ebp, void* _a4, char _a8, signed int _a16, signed int _a20, char _a24) {
				struct _SECURITY_ATTRIBUTES* _v4;
				char _v12;
				signed int _v16;
				void* _v28;
				char _v60;
				char _v68;
				struct _SECURITY_ATTRIBUTES* _v72;
				struct _SECURITY_ATTRIBUTES* _v76;
				long _v80;
				long _v84;
				long _v88;
				union _LARGE_INTEGER _v92;
				char _v93;
				signed int _v94;
				char _v96;
				char _v97;
				signed int _v98;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				signed int _t65;
				void* _t68;
				long _t69;
				intOrPtr* _t76;
				long _t81;
				long _t84;
				void* _t85;
				struct %anon52 _t95;
				long _t100;
				void* _t102;
				signed int _t104;
				long _t105;
				intOrPtr _t106;
				void* _t107;
				signed int _t108;
				signed int _t109;
				char _t115;
				signed int _t116;
				long _t118;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t127;
				signed int _t128;

				_t116 = __edx;
				_push(0xffffffff);
				_push(0x9b3a98);
				_push( *[fs:0x0]);
				_t128 = _t127 - 0x54;
				_t63 =  *0x9e6310; // 0x57443789
				_v16 = _t63 ^ _t128;
				_push(_t104);
				_push(__ebp);
				_t65 =  *0x9e6310; // 0x57443789
				_push(_t65 ^ _t128);
				 *[fs:0x0] =  &_v12;
				_t68 = _a4;
				_t105 = _t104 | 0xffffffff;
				asm("xorps xmm0, xmm0");
				_v28 = 0;
				_t118 = 0;
				asm("movq [esp+0x5c], xmm0");
				_v76 = 0xffffffff;
				_v80 = 0xffffffff;
				_v84 = _t105;
				if(_t68 != 0xffffffff) {
					_v76 = 0;
					_t118 = 1;
					_v28 = _t68;
				}
				_t69 =  *0x9e62a0; // 0xffffffff
				_t124 = TlsGetValue;
				if(_t69 != 0xffffffff && TlsGetValue(_t69) != 0) {
					_t100 =  *0x9e62a0; // 0xffffffff
					if(_t100 != 0xffffffff) {
						_t108 = TlsGetValue(_t100);
						_t100 =  *0x9e62a0; // 0xffffffff
					} else {
						_t108 = 0;
					}
					if( *((char*)(_t108 + 0x38)) != 0) {
						_v80 = _t118;
						if(_t100 != 0xffffffff) {
							_t102 = TlsGetValue(_t100);
						} else {
							_t102 = 0;
						}
						 *(_t128 + 0x58 + _t118 * 4) =  *(_t102 + 0x34);
						_t118 = _t118 + 1;
					}
				}
				_t121 = 0;
				_v72 = 0;
				_v4 = 0;
				if((_a16 & _a20) != 0xffffffff) {
					_t108 =  &_a8;
					E00948F40(_t108, _t116, _t118,  &_v92);
					_t91 = _v92.LowPart;
					if(_v92.LowPart <= 0x14) {
						if(_a24 == 0) {
							_t108 =  &_v60;
							E00901410(_t108, _t91, 0);
							asm("movdqu xmm0, [eax]");
							asm("movdqu [esp+0x7c], xmm0");
							asm("movdqu xmm0, [eax+0x10]");
							asm("movdqu [esp+0x8c], xmm0");
						}
					} else {
						_t121 = CreateWaitableTimerA(0, 0, 0);
						_v72 = _t121;
						if(_t121 != 0) {
							_t95 = E00947B80(_t105, _t116, _t118, _t124,  &_a8);
							_t128 = _t128 + 4;
							_v92.LowPart = _t95;
							_v88 = _t116;
							if((SetWaitableTimer(_t121,  &_v92, 0, 0, 0, 0) & 0xffffff00 | _t97 != 0x00000000) != 0) {
								_t105 = _t118;
								_v88 = _t118;
								 *(_t128 + 0x58 + _t118 * 4) = _t121;
								_t118 = _t118 + 1;
							}
						}
					}
				}
				_v93 = 0;
				_t109 = _t108 & 0xffffff00 | _t105 != 0xffffffff;
				_t106 = 0;
				_v94 = _t109;
				while(1) {
					_t116 = _t116 | 0xffffffff;
					if(_t109 == 0) {
						_t76 = E00948F40( &_a8, _t116, _t118,  &_v68);
						_t116 = _t116 | 0xffffffff;
						_t115 =  *_t76;
						_t106 =  *((intOrPtr*)(_t76 + 4));
						_v96 = _t115;
						_t109 = _v98;
						_v97 = _t115;
					}
					if(_t118 == 0) {
						goto L32;
					}
					_t79 =  !=  ? _t116 : _t106;
					_t81 = WaitForMultipleObjectsEx(_t118,  &_v28, 0,  !=  ? _t116 : _t106, 0);
					if(_t81 >= _t118) {
						L36:
						if(_a24 != 0) {
							_a16 = _a16 + 2;
							asm("adc dword [esp+0x88], 0xffffffff");
						}
						if(_v93 == 0) {
							L27:
							_v4 = 0xffffffff;
							if(_t121 != 0 && _t121 != 0xffffffff) {
								CloseHandle(_t121);
							}
							L31:
							 *[fs:0x0] = _v12;
							_pop(_t119);
							_pop(_t122);
							_pop(_t107);
							return E0094FF4A(_t107, _v16 ^ _t128, _t116, _t119, _t122);
						} else {
							_t109 = _v94;
							continue;
						}
					}
					if(_t81 == _v76) {
						L44:
						_v4 = 0xffffffff;
						if(_t121 != 0 && _t121 != 0xffffffff) {
							CloseHandle(_t121);
						}
						goto L31;
					}
					if(_t81 == _v80) {
						_t84 =  *0x9e62a0; // 0xffffffff
						if(_t84 != 0xffffffff) {
							_t85 = TlsGetValue(_t84);
						} else {
							_t85 = 0;
						}
						ResetEvent( *(_t85 + 0x34));
						_v94 = 0;
						E0094FF59( &_v94, 0x9e0718);
						goto L44;
					}
					if(_t81 != _v84) {
						goto L36;
					}
					goto L27;
					L32:
					if(_t106 != 0) {
						_push(_t106);
					} else {
						_push(_t106);
					}
					Sleep();
					goto L36;
				}
			}

0x009480b0
0x009480b0
0x009480b2
0x009480bd
0x009480be
0x009480c1
0x009480c8
0x009480cc
0x009480cd
0x009480d0
0x009480d7
0x009480dc
0x009480e2
0x009480e6
0x009480e9
0x009480ec
0x009480f4
0x009480f6
0x009480fc
0x00948104
0x0094810c
0x00948113
0x00948115
0x00948119
0x0094811e
0x0094811e
0x00948122
0x00948127
0x00948130
0x00948139
0x00948141
0x0094814a
0x0094814c
0x00948143
0x00948143
0x00948143
0x00948155
0x00948157
0x0094815e
0x00948165
0x00948160
0x00948160
0x00948160
0x0094816a
0x0094816e
0x0094816e
0x00948155
0x0094816f
0x00948171
0x00948183
0x0094818a
0x00948195
0x0094819c
0x009481a1
0x009481a8
0x00948204
0x00948209
0x0094820d
0x00948212
0x00948216
0x0094821c
0x00948221
0x00948221
0x009481aa
0x009481b3
0x009481b5
0x009481bb
0x009481c2
0x009481c7
0x009481ca
0x009481d2
0x009481ed
0x009481ef
0x009481f1
0x009481f5
0x009481f9
0x009481f9
0x009481ed
0x009481bb
0x009481a8
0x00948233
0x00948238
0x0094823b
0x0094823d
0x00948241
0x00948241
0x00948246
0x00948254
0x00948259
0x0094825c
0x0094825e
0x00948263
0x00948267
0x0094826b
0x0094826b
0x00948271
0x00000000
0x00000000
0x00948279
0x00948285
0x0094828d
0x009482e8
0x009482f0
0x009482f2
0x009482fa
0x009482fa
0x00948307
0x009482a5
0x009482a5
0x009482af
0x009482b7
0x009482b7
0x009482bf
0x009482c3
0x009482cb
0x009482cc
0x009482ce
0x009482dd
0x00948309
0x00948309
0x00000000
0x00948309
0x00948307
0x00948293
0x00948344
0x00948344
0x0094834e
0x00948356
0x00948356
0x00000000
0x0094835c
0x0094829d
0x00948312
0x0094831a
0x00948321
0x0094831c
0x0094831c
0x0094831c
0x0094832a
0x00948339
0x0094833f
0x00000000
0x0094833f
0x009482a3
0x00000000
0x00000000
0x00000000
0x009482de
0x009482e0
0x009482e5
0x009482e2
0x009482e2
0x009482e2
0x009482e6
0x00000000
0x009482e6

APIs

TlsGetValue.KERNEL32(FFFFFFFF), ref: 00948133
TlsGetValue.KERNEL32(FFFFFFFF), ref: 00948148
TlsGetValue.KERNEL32(FFFFFFFF), ref: 00948165
CreateWaitableTimerA.KERNEL32 ref: 009481AD
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 009481E0
WaitForMultipleObjectsEx.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 00948285
CloseHandle.KERNEL32(00000000), ref: 009482B7

Part of subcall function 00901410: GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetTickCount64,00000000,000FE4FA,00948212,?,00000000), ref: 0090142A
Part of subcall function 00901410: GetProcAddress.KERNEL32(00000000), ref: 00901431

Sleep.KERNEL32(00000000), ref: 009482E6
TlsGetValue.KERNEL32(FFFFFFFF), ref: 00948321
ResetEvent.KERNEL32(?), ref: 0094832A
__CxxThrowException@8.LIBCMT ref: 0094833F
CloseHandle.KERNEL32(00000000), ref: 00948356

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Value$Handle$CloseTimerWaitable$AddressCreateEventException@8ModuleMultipleObjectsProcResetSleepThrowWait
String ID:
API String ID: 4069466322-0
Opcode ID: 43a9dd5edbc57a2287bb89154b63e7fe1b77259b862acf4cfdb22156f5fbcf82
Instruction ID: d4e4a7708b7e9d30eb92dd73d5ae9dd0459757102395e4a18d5aaccc9630d735
Opcode Fuzzy Hash: 43a9dd5edbc57a2287bb89154b63e7fe1b77259b862acf4cfdb22156f5fbcf82
Instruction Fuzzy Hash: 70818B7150C7819FD320DF288884B6FBBE8BF99764F240B1AF4B5962E0DB70D9458B52

Uniqueness

Uniqueness Score: -1.00%

Function 00902F60, Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 383
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00902F60(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v0;
				intOrPtr* _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t135;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr* _t151;
				intOrPtr _t157;
				intOrPtr* _t158;
				intOrPtr _t165;
				intOrPtr* _t172;
				intOrPtr* _t175;
				intOrPtr _t178;
				signed int _t181;
				signed int _t186;
				intOrPtr* _t187;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				intOrPtr* _t194;
				intOrPtr* _t195;
				intOrPtr* _t203;
				intOrPtr* _t215;
				intOrPtr _t227;
				intOrPtr _t228;
				intOrPtr _t239;
				intOrPtr _t240;
				intOrPtr* _t241;
				intOrPtr* _t261;
				intOrPtr* _t262;
				intOrPtr* _t268;
				intOrPtr* _t269;
				intOrPtr* _t270;
				intOrPtr* _t272;
				intOrPtr* _t277;
				intOrPtr* _t279;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				intOrPtr _t288;
				signed int _t289;
				intOrPtr _t293;
				intOrPtr* _t294;
				intOrPtr* _t295;
				intOrPtr* _t296;
				intOrPtr* _t297;
				intOrPtr* _t300;
				intOrPtr* _t302;
				intOrPtr _t303;
				intOrPtr _t304;
				intOrPtr* _t305;
				intOrPtr* _t306;
				intOrPtr* _t308;
				intOrPtr* _t309;
				intOrPtr _t313;
				intOrPtr* _t314;
				intOrPtr* _t316;
				intOrPtr* _t319;
				intOrPtr* _t320;
				intOrPtr _t324;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr _t334;
				void* _t343;
				void* _t345;

				_push(__ecx);
				_t332 = __ecx;
				_t319 = _a4;
				_t268 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t268 < _t319) {
					L102:
					_push("invalid string position");
					E009295C5(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t343 = _t345;
					_push(_t268);
					_t302 = _v8;
					_push(_t332);
					_t333 = _t268;
					_push(_t319);
					__eflags = _t302;
					if(_t302 == 0) {
						L116:
						_t303 =  *((intOrPtr*)(_t333 + 0x10));
						_t135 = _v0;
						__eflags = _t303 - _t135;
						if(__eflags < 0) {
							_push("invalid string position");
							E009295C5(__eflags);
							goto L147;
						} else {
							_t324 = _a4;
							_t268 = _t303 - _t135;
							__eflags = _t268 - _t324;
							_push(_t261);
							_t261 = _a12;
							_t319 =  <  ? _t268 : _t324;
							__eflags = (_t135 | 0xffffffff) - _t261 - _t303 - _t319;
							if(__eflags <= 0) {
								L147:
								_push("string too long");
								E00929597(__eflags);
								asm("int3");
								asm("int3");
								_push(_t343);
								_t304 = _v28;
								_push(_t333);
								_t334 = _v32;
								_push(_t319);
								_t320 = _t268;
								__eflags = _t334 - _t304;
								if(_t334 != _t304) {
									__eflags =  *((intOrPtr*)(_t320 + 0x14)) - 0x10;
									_push(_t261);
									if( *((intOrPtr*)(_t320 + 0x14)) < 0x10) {
										_t262 = _t320;
									} else {
										_t262 =  *_t320;
									}
									_t269 = _v0;
									_t138 = _v4;
									__eflags = _t269;
									if(_t269 != 0) {
										_t270 = _t269 - _t138;
										__eflags = _t270;
									} else {
										_t270 = 0;
									}
									__eflags = _t138;
									if(_t138 != 0) {
										_t138 = _t138 - _t262;
										__eflags = _t138;
									}
									_t305 = _t304 - _t334;
									__eflags = _t305;
									_push(_t305);
									_push(_t334);
									_push(_t270);
									_push(_t138);
									L103();
									return _t320;
								} else {
									__eflags =  *((intOrPtr*)(_t320 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t320 + 0x14)) < 0x10) {
										_t306 = _t320;
									} else {
										_t306 =  *_t320;
									}
									_t272 = _v0;
									_t140 = _v4;
									__eflags = _t272;
									if(_t272 != 0) {
										_t273 = _t272 - _t140;
										__eflags = _t272 - _t140;
									} else {
										_t273 = 0;
									}
									__eflags = _t140;
									if(_t140 != 0) {
										__eflags = _t140 - _t306;
										L008F1A87(_t261, _t320, _t320, _t334, _t140 - _t306, _t273);
										return _t320;
									} else {
										L008F1A87(_t261, _t320, _t320, _t334, _t140, _t273);
										return _t320;
									}
								}
							} else {
								_t277 = _t268 - _t319;
								_a12 = _t277;
								__eflags = _t261 - _t319;
								if(_t261 < _t319) {
									_t165 =  *((intOrPtr*)(_t333 + 0x14));
									__eflags = _t165 - 0x10;
									if(_t165 < 0x10) {
										_a4 = _t333;
									} else {
										_a4 =  *_t333;
									}
									__eflags = _t165 - 0x10;
									if(_t165 < 0x10) {
										_t309 = _t333;
									} else {
										_t309 =  *_t333;
									}
									__eflags = _t277;
									if(_t277 != 0) {
										__eflags = _t309 + _v0 + _t261;
										E0094F050(_t309 + _v0 + _t261, _a4 + _v0 + _t319, _t277);
										_t345 = _t345 + 0xc;
									}
								}
								__eflags = _t261;
								if(_t261 != 0) {
									L129:
									_v12 = _t261 - _t319 +  *((intOrPtr*)(_t333 + 0x10));
									_t151 = L008F1154(_t261, _t333, _t319, _t333, _t261 - _t319 +  *((intOrPtr*)(_t333 + 0x10)), 0);
									__eflags = _t151;
									if(_t151 != 0) {
										__eflags = _t319 - _t261;
										if(_t319 < _t261) {
											_t157 =  *((intOrPtr*)(_t333 + 0x14));
											__eflags = _t157 - 0x10;
											if(_t157 < 0x10) {
												_a4 = _t333;
											} else {
												_a4 =  *_t333;
											}
											__eflags = _t157 - 0x10;
											if(_t157 < 0x10) {
												_t308 = _t333;
											} else {
												_t308 =  *_t333;
											}
											_t158 = _a12;
											__eflags = _t158;
											if(_t158 != 0) {
												__eflags = _t308 + _v0 + _t261;
												E0094F050(_t308 + _v0 + _t261, _a4 + _v0 + _t319, _t158);
												_t345 = _t345 + 0xc;
											}
										}
										__eflags =  *((intOrPtr*)(_t333 + 0x14)) - 0x10;
										if( *((intOrPtr*)(_t333 + 0x14)) < 0x10) {
											_t279 = _t333;
										} else {
											_t279 =  *_t333;
										}
										__eflags = _t261;
										if(_t261 != 0) {
											__eflags = _v0 + _t279;
											E00950440(_v0 + _t279, _a8, _t261);
										}
										L008F1825(_t333, _v12);
									}
								} else {
									__eflags = _t319;
									if(_t319 != 0) {
										goto L129;
									}
								}
								return _t333;
							}
						}
					} else {
						_t268 =  *((intOrPtr*)(_t333 + 0x14));
						__eflags = _t268 - 0x10;
						if(_t268 < 0x10) {
							_t172 = _t333;
						} else {
							_t172 =  *_t333;
						}
						__eflags = _t302 - _t172;
						if(_t302 < _t172) {
							goto L116;
						} else {
							__eflags = _t268 - 0x10;
							if(_t268 < 0x10) {
								_t319 = _t333;
							} else {
								_t319 =  *_t333;
							}
							__eflags =  *((intOrPtr*)(_t333 + 0x10)) + _t319 - _t302;
							if( *((intOrPtr*)(_t333 + 0x10)) + _t319 <= _t302) {
								goto L116;
							} else {
								__eflags = _t268 - 0x10;
								if(_t268 < 0x10) {
									_t175 = _t333;
								} else {
									_t175 =  *_t333;
								}
								_push(_a12);
								__eflags = _t302 - _t175;
								return E00902F60(_t333, _v0, _a4, _t333, _t302 - _t175);
							}
						}
					}
				} else {
					_push(_t261);
					_t261 = _a16;
					_t178 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t178 < _t261) {
						goto L102;
					} else {
						_t268 = _t268 - _t319;
						_t313 =  <  ? _t268 : _a8;
						_a8 = _t313;
						_t261 =  <  ? _t178 - _t261 : _a20;
						_t181 =  *((intOrPtr*)(__ecx + 0x10)) - _t313;
						_v8 = _t181;
						if((_t181 | 0xffffffff) - _t261 <= _v8) {
							_push("string too long");
							E00929597(__eflags);
							goto L102;
						} else {
							_t285 = _t268 - _t313;
							_t186 = _v8 + _t261;
							_a20 = _t285;
							_v8 = _t186;
							if( *((intOrPtr*)(__ecx + 0x10)) < _t186) {
								L008F1154(_t261, __ecx, _t319, __ecx, _t186, 0);
								_t285 = _a20;
								_t313 = _a8;
							}
							_t187 = _a12;
							if(_t332 == _t187) {
								__eflags = _t261 - _t313;
								if(_t261 > _t313) {
									__eflags = _a16 - _t319;
									if(_a16 > _t319) {
										__eflags = _t319 + _t313 - _a16;
										_t189 =  *((intOrPtr*)(_t332 + 0x14));
										if(_t319 + _t313 > _a16) {
											__eflags = _t189 - 0x10;
											if(_t189 < 0x10) {
												_a12 = _t332;
											} else {
												_a12 =  *_t332;
											}
											__eflags = _t189 - 0x10;
											if(_t189 < 0x10) {
												_t286 = _t332;
											} else {
												_t286 =  *_t332;
											}
											__eflags = _t313;
											if(_t313 != 0) {
												__eflags = _a12 + _a16;
												E0094F050(_t286 + _t319, _a12 + _a16, _t313);
												_t313 = _a8;
												_t345 = _t345 + 0xc;
											}
											_t190 =  *((intOrPtr*)(_t332 + 0x14));
											__eflags = _t190 - 0x10;
											if(_t190 < 0x10) {
												_a12 = _t332;
											} else {
												_a12 =  *_t332;
											}
											__eflags = _t190 - 0x10;
											if(_t190 < 0x10) {
												_t287 = _t332;
											} else {
												_t287 =  *_t332;
											}
											_t191 = _a20;
											__eflags = _t191;
											if(_t191 != 0) {
												__eflags = _t287 + _t319 + _t261;
												E0094F050(_t287 + _t319 + _t261, _a12 + _t319 + _t313, _t191);
												_t345 = _t345 + 0xc;
											}
											_t192 =  *((intOrPtr*)(_t332 + 0x14));
											__eflags = _t192 - 0x10;
											if(_t192 < 0x10) {
												_a12 = _t332;
											} else {
												_a12 =  *_t332;
											}
											__eflags = _t192 - 0x10;
											if(_t192 < 0x10) {
												_t314 = _t332;
											} else {
												_t314 =  *_t332;
											}
											_t288 = _a8;
											_t194 = _t261 - _t288;
											__eflags = _t194;
											if(_t194 != 0) {
												_push(_t194);
												_push(_a12 + _a16 + _t261);
												_t203 = _t319 + _t314 + _t288;
												__eflags = _t203;
												goto L96;
											}
										} else {
											__eflags = _t189 - 0x10;
											if(_t189 < 0x10) {
												_a4 = _t332;
											} else {
												_a4 =  *_t332;
												_t313 = _a8;
											}
											__eflags = _t189 - 0x10;
											if(_t189 < 0x10) {
												_a12 = _t332;
											} else {
												_a12 =  *_t332;
											}
											__eflags = _t285;
											if(_t285 != 0) {
												__eflags = _a12 + _t319 + _t261;
												E0094F050(_a12 + _t319 + _t261, _a4 + _t319 + _t313, _t285);
												_t313 = _a8;
												_t345 = _t345 + 0xc;
											}
											_t293 =  *((intOrPtr*)(_t332 + 0x14));
											__eflags = _t293 - 0x10;
											if(_t293 < 0x10) {
												_t215 = _t332;
											} else {
												_t215 =  *_t332;
											}
											__eflags = _t293 - 0x10;
											if(_t293 < 0x10) {
												_t294 = _t332;
											} else {
												_t294 =  *_t332;
											}
											__eflags = _t261;
											if(_t261 != 0) {
												_push(_t261);
												_push(_t215 - _t313 + _a16 + _t261);
												_t203 = _t294 + _t319;
												goto L96;
											}
										}
									} else {
										_t227 =  *((intOrPtr*)(_t332 + 0x14));
										__eflags = _t227 - 0x10;
										if(_t227 < 0x10) {
											_a4 = _t332;
										} else {
											_a4 =  *_t332;
											_t313 = _a8;
										}
										__eflags = _t227 - 0x10;
										if(_t227 < 0x10) {
											_a8 = _t332;
										} else {
											_a8 =  *_t332;
										}
										__eflags = _t285;
										if(_t285 != 0) {
											__eflags = _a8 + _t319 + _t261;
											E0094F050(_a8 + _t319 + _t261, _a4 + _t319 + _t313, _t285);
											_t345 = _t345 + 0xc;
										}
										_t228 =  *((intOrPtr*)(_t332 + 0x14));
										__eflags = _t228 - 0x10;
										if(_t228 < 0x10) {
											_t316 = _t332;
										} else {
											_t316 =  *_t332;
										}
										__eflags = _t228 - 0x10;
										if(_t228 < 0x10) {
											_t295 = _t332;
										} else {
											_t295 =  *_t332;
										}
										__eflags = _t261;
										if(_t261 != 0) {
											_push(_t261);
											_push(_a16 + _t316);
											_t203 = _t295 + _t319;
											goto L96;
										}
									}
								} else {
									_t239 =  *((intOrPtr*)(_t332 + 0x14));
									__eflags = _t239 - 0x10;
									if(_t239 < 0x10) {
										_a4 = _t332;
									} else {
										_a4 =  *_t332;
									}
									__eflags = _t239 - 0x10;
									if(_t239 < 0x10) {
										_t296 = _t332;
									} else {
										_t296 =  *_t332;
									}
									__eflags = _t261;
									if(_t261 != 0) {
										__eflags = _a4 + _a16;
										E0094F050(_t296 + _t319, _a4 + _a16, _t261);
										_t313 = _a8;
										_t345 = _t345 + 0xc;
									}
									_t240 =  *((intOrPtr*)(_t332 + 0x14));
									__eflags = _t240 - 0x10;
									if(_t240 < 0x10) {
										_a8 = _t332;
									} else {
										_a8 =  *_t332;
									}
									__eflags = _t240 - 0x10;
									if(_t240 < 0x10) {
										_t297 = _t332;
									} else {
										_t297 =  *_t332;
									}
									_t241 = _a20;
									__eflags = _t241;
									if(_t241 != 0) {
										_push(_t241);
										_push(_a8 + _t319 + _t313);
										_t203 = _t297 + _t319 + _t261;
										L96:
										_push(_t203);
										E0094F050();
										goto L97;
									}
								}
							} else {
								if( *((intOrPtr*)(_t332 + 0x14)) < 0x10) {
									_a8 = _t332;
								} else {
									_a8 =  *_t332;
									_t319 = _a4;
								}
								if( *((intOrPtr*)(_t332 + 0x14)) < 0x10) {
									_a20 = _t332;
								} else {
									_a20 =  *_t332;
									_t319 = _a4;
								}
								if(_t285 != 0) {
									E0094F050(_a20 + _t319 + _t261, _a8 + _t319 + _t313, _t285);
									_t187 = _a12;
									_t345 = _t345 + 0xc;
								}
								if( *((intOrPtr*)(_t187 + 0x14)) >= 0x10) {
									_t187 =  *_t187;
								}
								if( *((intOrPtr*)(_t332 + 0x14)) < 0x10) {
									_t300 = _t332;
								} else {
									_t300 =  *_t332;
								}
								if(_t261 != 0) {
									E00950440(_t300 + _t319, _t187 + _a16, _t261);
									L97:
								}
							}
							_t289 = _v8;
							 *(_t332 + 0x10) = _t289;
							if( *((intOrPtr*)(_t332 + 0x14)) < 0x10) {
								_t195 = _t332;
								 *((char*)(_t195 + _t289)) = 0;
								return _t195;
							} else {
								 *((char*)( *_t332 + _t289)) = 0;
								return _t332;
							}
						}
					}
				}
			}

0x00902f63
0x00902f65
0x00902f68
0x00902f6b
0x00902f70
0x009032a2
0x009032a2
0x009032a7
0x009032ac
0x009032ad
0x009032ae
0x009032af
0x009032b1
0x009032b3
0x009032b4
0x009032b7
0x009032b8
0x009032ba
0x009032bb
0x009032bd
0x0090330c
0x0090330c
0x0090330f
0x00903312
0x00903314
0x0090341a
0x0090341f
0x00000000
0x0090331a
0x0090331a
0x0090331f
0x00903321
0x00903323
0x00903324
0x00903327
0x00903331
0x00903333
0x00903424
0x00903424
0x00903429
0x0090342e
0x0090342f
0x00903430
0x00903433
0x00903436
0x00903437
0x0090343a
0x0090343b
0x0090343d
0x0090343f
0x00903485
0x00903489
0x0090348a
0x00903490
0x0090348c
0x0090348c
0x0090348c
0x00903492
0x00903495
0x00903498
0x0090349a
0x009034a0
0x009034a0
0x0090349c
0x0090349c
0x0090349c
0x009034a2
0x009034a4
0x009034a6
0x009034a6
0x009034a6
0x009034a8
0x009034a8
0x009034aa
0x009034ab
0x009034ac
0x009034ad
0x009034b0
0x009034bb
0x00903441
0x00903441
0x00903445
0x0090344b
0x00903447
0x00903447
0x00903447
0x0090344d
0x00903450
0x00903453
0x00903455
0x0090345b
0x0090345b
0x00903457
0x00903457
0x00903457
0x0090345d
0x0090345f
0x00903473
0x00903478
0x00903482
0x00903461
0x00903465
0x0090346f
0x0090346f
0x0090345f
0x00903339
0x00903339
0x0090333b
0x0090333e
0x00903340
0x00903342
0x00903345
0x00903348
0x00903351
0x0090334a
0x0090334c
0x0090334c
0x00903354
0x00903357
0x0090335d
0x00903359
0x00903359
0x00903359
0x0090335f
0x00903361
0x00903372
0x00903375
0x0090337a
0x0090337a
0x00903361
0x0090337d
0x0090337f
0x00903389
0x00903395
0x00903398
0x0090339d
0x0090339f
0x009033a1
0x009033a3
0x009033a5
0x009033a8
0x009033ab
0x009033b4
0x009033ad
0x009033af
0x009033af
0x009033b7
0x009033ba
0x009033c0
0x009033bc
0x009033bc
0x009033bc
0x009033c2
0x009033c5
0x009033c7
0x009033d8
0x009033db
0x009033e0
0x009033e0
0x009033c7
0x009033e3
0x009033e7
0x009033ed
0x009033e9
0x009033e9
0x009033e9
0x009033ef
0x009033f1
0x009033fa
0x009033fd
0x00903402
0x0090340a
0x0090340a
0x00903381
0x00903381
0x00903383
0x00000000
0x00000000
0x00903383
0x00903417
0x00903417
0x00903333
0x009032bf
0x009032bf
0x009032c2
0x009032c5
0x009032cb
0x009032c7
0x009032c7
0x009032c7
0x009032cd
0x009032cf
0x00000000
0x009032d1
0x009032d1
0x009032d4
0x009032da
0x009032d6
0x009032d6
0x009032d6
0x009032e1
0x009032e3
0x00000000
0x009032e5
0x009032e5
0x009032e8
0x009032ee
0x009032ea
0x009032ea
0x009032ea
0x009032f0
0x009032f3
0x00903309
0x00903309
0x009032e3
0x009032cf
0x00902f76
0x00902f79
0x00902f7a
0x00902f7d
0x00902f82
0x00000000
0x00902f88
0x00902f8b
0x00902f8f
0x00902f99
0x00902f9c
0x00902fa2
0x00902fa4
0x00902faf
0x00903298
0x0090329d
0x00000000
0x00902fb5
0x00902fb8
0x00902fba
0x00902fbc
0x00902fbf
0x00902fc5
0x00902fcc
0x00902fd1
0x00902fd4
0x00902fd4
0x00902fd7
0x00902fdc
0x00903053
0x00903055
0x009030ca
0x009030cd
0x00903143
0x00903146
0x00903149
0x009031be
0x009031c1
0x009031ca
0x009031c3
0x009031c5
0x009031c5
0x009031cd
0x009031d0
0x009031d6
0x009031d2
0x009031d2
0x009031d2
0x009031d8
0x009031da
0x009031df
0x009031e8
0x009031ed
0x009031f0
0x009031f0
0x009031f3
0x009031f6
0x009031f9
0x00903202
0x009031fb
0x009031fd
0x009031fd
0x00903205
0x00903208
0x0090320e
0x0090320a
0x0090320a
0x0090320a
0x00903210
0x00903213
0x00903215
0x00903223
0x00903226
0x0090322b
0x0090322b
0x0090322e
0x00903231
0x00903234
0x0090323d
0x00903236
0x00903238
0x00903238
0x00903240
0x00903243
0x00903249
0x00903245
0x00903245
0x00903245
0x0090324b
0x00903250
0x00903250
0x00903252
0x00903254
0x0090325d
0x00903262
0x00903262
0x00000000
0x00903262
0x0090314b
0x0090314b
0x0090314e
0x0090315a
0x00903150
0x00903152
0x00903155
0x00903155
0x0090315d
0x00903160
0x00903169
0x00903162
0x00903164
0x00903164
0x0090316c
0x0090316e
0x0090317e
0x00903181
0x00903186
0x00903189
0x00903189
0x0090318c
0x0090318f
0x00903192
0x00903198
0x00903194
0x00903194
0x00903194
0x0090319a
0x0090319d
0x009031a3
0x0090319f
0x0090319f
0x0090319f
0x009031a5
0x009031a7
0x009031b4
0x009031b5
0x009031b6
0x00000000
0x009031b6
0x009031a7
0x009030cf
0x009030cf
0x009030d2
0x009030d5
0x009030e1
0x009030d7
0x009030d9
0x009030dc
0x009030dc
0x009030e4
0x009030e7
0x009030f0
0x009030e9
0x009030eb
0x009030eb
0x009030f3
0x009030f5
0x00903105
0x00903108
0x0090310d
0x0090310d
0x00903110
0x00903113
0x00903116
0x0090311c
0x00903118
0x00903118
0x00903118
0x0090311e
0x00903121
0x00903127
0x00903123
0x00903123
0x00903123
0x00903129
0x0090312b
0x00903136
0x00903137
0x00903138
0x00000000
0x00903138
0x0090312b
0x00903057
0x00903057
0x0090305a
0x0090305d
0x00903066
0x0090305f
0x00903061
0x00903061
0x00903069
0x0090306c
0x00903072
0x0090306e
0x0090306e
0x0090306e
0x00903074
0x00903076
0x0090307b
0x00903084
0x00903089
0x0090308c
0x0090308c
0x0090308f
0x00903092
0x00903095
0x0090309e
0x00903097
0x00903099
0x00903099
0x009030a1
0x009030a4
0x009030aa
0x009030a6
0x009030a6
0x009030a6
0x009030ac
0x009030af
0x009030b1
0x009030b7
0x009030bf
0x009030c3
0x00903264
0x00903264
0x00903265
0x00000000
0x00903265
0x009030b1
0x00902fde
0x00902fe2
0x00902fee
0x00902fe4
0x00902fe6
0x00902fe9
0x00902fe9
0x00902ff5
0x00903001
0x00902ff7
0x00902ff9
0x00902ffc
0x00902ffc
0x00903006
0x00903019
0x0090301e
0x00903021
0x00903021
0x00903028
0x0090302a
0x0090302a
0x00903030
0x00903036
0x00903032
0x00903032
0x00903032
0x0090303a
0x00903049
0x0090326a
0x0090326a
0x0090303a
0x00903271
0x00903274
0x00903278
0x0090328a
0x0090328e
0x00903295
0x0090327a
0x0090327d
0x00903287
0x00903287
0x00903278
0x00902faf
0x00902f82

APIs

_memmove.LIBCMT ref: 00903019
_memmove.LIBCMT ref: 00903049
_memmove.LIBCMT ref: 00903084
_memmove.LIBCMT ref: 00903108
_memmove.LIBCMT ref: 00903181
_memmove.LIBCMT ref: 009031E8
_memmove.LIBCMT ref: 00903226
_memmove.LIBCMT ref: 00903265

Strings

invalid string position, xrefs: 009032A2
string too long, xrefs: 00903298

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 0fda203f25b040c59e53058e0b29bf96312f8217dbb6b6fd3817853837ce093a
Instruction ID: f8c6735eced9b274bd3778a4c4474bfa555c28c9e7fb47d613611e78a247c0fb
Opcode Fuzzy Hash: 0fda203f25b040c59e53058e0b29bf96312f8217dbb6b6fd3817853837ce093a
Instruction Fuzzy Hash: 09D15E7170420ADFDB28CF4CD8919AE77BEEF84700B24C929E865CB681D731EE518B94

Uniqueness

Uniqueness Score: -1.00%

Function 009295C5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E009295C5(void* __eflags, char _a4) {
				char _v16;
				char _v24;
				char _v44;
				intOrPtr _v52;
				char _v76;
				char _v84;
				char _v104;
				void* _t50;
				void* _t51;

				_t51 = _t50 - 0xc;
				E0094FD51( &_v16,  &_a4);
				_v16 = 0x9c77e4;
				E0094FF59( &_v16, 0x9dd818);
				asm("int3");
				_push(_t50);
				E0094FD51( &_v44,  &_v24);
				_v44 = 0x9c77fc;
				E0094FF59( &_v44, 0x9dd838);
				asm("int3");
				_push(_t51);
				E00929370( &_v76, _v52);
				E0094FF59( &_v76, 0x9dd8ac);
				asm("int3");
				_push(_t51 - 0xc);
				E0094FD51( &_v104,  &_v84);
				_v104 = 0x9c77f0;
				E0094FF59( &_v104, 0x9d86a8);
				asm("int3");
				return "bad function call";
			}

0x009295c8
0x009295d8
0x009295e5
0x009295ed
0x009295f2
0x009295f3
0x00929606
0x00929613
0x0092961b
0x00929620
0x00929621
0x0092962d
0x0092963b
0x00929640
0x00929641
0x00929654
0x00929661
0x00929669
0x0092966e
0x00929674

APIs

std::exception::exception.LIBCMT ref: 009295D8

Part of subcall function 0094FD51: std::exception::_Copy_str.LIBCMT ref: 0094FD6A

__CxxThrowException@8.LIBCMT ref: 009295ED

Part of subcall function 0094FF59: RaiseException.KERNEL32(?,?,?,009DD784,?,?,?,?,?,0094EF03,?,009DD784,?,00000001), ref: 0094FFAE

std::exception::exception.LIBCMT ref: 00929606
__CxxThrowException@8.LIBCMT ref: 0092961B
std::regex_error::regex_error.LIBCPMT ref: 0092962D

Part of subcall function 00929370: std::exception::exception.LIBCMT ref: 0092938A

__CxxThrowException@8.LIBCMT ref: 0092963B
std::exception::exception.LIBCMT ref: 00929654
__CxxThrowException@8.LIBCMT ref: 00929669

Strings

bad function call, xrefs: 0092966F

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: 92b02b4c40152fb923294a2cf1d9b8b33a31d1a805c2cfde9b39a4c48e0586fd
Instruction ID: 98db9e3705ad6609545c192f018242749f55f57c360047188460155ee2c235dc
Opcode Fuzzy Hash: 92b02b4c40152fb923294a2cf1d9b8b33a31d1a805c2cfde9b39a4c48e0586fd
Instruction Fuzzy Hash: A511B974C0020DBB8F04EFE4C89ADCDBBBCEA44344F408966B914A7642EB74E2498B91

Uniqueness

Uniqueness Score: -1.00%

Function 00921B30, Relevance: 15.1, APIs: 10, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00921B30(void* __ecx, intOrPtr _a4, signed char* _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				signed char* _t20;
				intOrPtr _t21;
				intOrPtr _t23;
				signed char* _t27;
				intOrPtr _t28;
				char* _t31;
				intOrPtr _t35;
				intOrPtr _t36;
				signed char* _t37;
				intOrPtr* _t40;

				_t33 = 0;
				_t40 = _a16;
				if(_a4 == 0xffffffff) {
					L13:
					_t21 = E0094A830();
					 *_t40 = 0;
					 *((intOrPtr*)(_t40 + 4)) = _t21;
					L14:
					return _t33;
				}
				if(_a12 == 0) {
					L5:
					_t35 = _a4;
					L6:
					__imp__#112(0);
					__imp__#3(_t35);
					_t33 = _t20;
					_t23 = E0094A830();
					__imp__#111();
					 *_t40 = _t23;
					 *((intOrPtr*)(_t40 + 4)) = _t23;
					if(_t33 == 0) {
						goto L13;
					}
					if( *((intOrPtr*)(_t40 + 4)) != E0094A830() ||  *_t40 != 0x2733) {
						if( *((intOrPtr*)(_t40 + 4)) != E0094A830() ||  *_t40 != 0x4d5) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						_t36 = _a4;
						_v8 = 0;
						__imp__#10(_t36, 0x8004667e,  &_v8);
						_t27 = _a8;
						 *_t27 =  *_t27 & 0x000000fc;
						__imp__#112(0);
						__imp__#3(_t36);
						_t33 = _t27;
						_t28 = E0094A830();
						__imp__#111();
						 *_t40 = _t28;
						 *((intOrPtr*)(_t40 + 4)) = _t28;
						L12:
						if(_t33 != 0) {
							goto L14;
						}
						goto L13;
					}
				}
				_t37 = _a8;
				if(( *_t37 & 0x00000008) == 0) {
					goto L5;
				}
				_v8 = 0;
				E0094A830();
				 *_t37 =  *_t37 | 0x00000008;
				__imp__#112(0);
				_t35 = _a4;
				_t31 =  &_v8;
				__imp__#21(_t35, 0xffff, 0x80, _t31, 4);
				_t20 = E0094A830();
				__imp__#111();
				if(_t31 == 0) {
					_t20 = E0094A830();
				}
				goto L6;
			}

0x00921b36
0x00921b3d
0x00921b40
0x00921c2f
0x00921c2f
0x00921c34
0x00921c3a
0x00921c3d
0x00921c45
0x00921c45
0x00921b49
0x00921b9a
0x00921b9a
0x00921b9d
0x00921b9f
0x00921ba6
0x00921bac
0x00921bae
0x00921bb5
0x00921bbb
0x00921bbd
0x00921bc2
0x00000000
0x00000000
0x00921bcc
0x00921bde
0x00000000
0x00000000
0x00000000
0x00000000
0x00921be8
0x00921be8
0x00921be8
0x00921bf5
0x00921bfc
0x00921c02
0x00921c07
0x00921c0a
0x00921c11
0x00921c17
0x00921c19
0x00921c20
0x00921c26
0x00921c28
0x00921c2b
0x00921c2d
0x00000000
0x00000000
0x00000000
0x00921c2d
0x00921bcc
0x00921b4b
0x00921b51
0x00000000
0x00000000
0x00921b55
0x00921b58
0x00921b5d
0x00921b62
0x00921b68
0x00921b6b
0x00921b7c
0x00921b84
0x00921b89
0x00921b91
0x00921b93
0x00921b93
0x00000000

APIs

#112.WS2_32(00000000,00000020,00000000,?,?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921B62
#21.WS2_32(000000FF,0000FFFF,00000080,00000020,00000004,?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921B7C
#111.WS2_32(?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921B89
#112.WS2_32(00000000,00000020,00000000,?,?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921B9F
#3.WS2_32(000000FF,?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921BA6
#111.WS2_32(?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921BB5
#10.WS2_32(000000FF,8004667E,00000020,?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921BFC
#112.WS2_32(00000000,?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921C0A
#3.WS2_32(000000FF,?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921C11
#111.WS2_32(?,?,00922BE6,00000020,?,00000001,00000000,00000020), ref: 00921C20

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: #111#112
String ID:
API String ID: 3591145537-0
Opcode ID: f6d36decba26a4260739cb5a4fd7e76df4ec5cd1e0e6abbd868e357f8ccd968f
Instruction ID: 9d0a05802ad2a592bc03dd933205645db9b4987a7d0b9e4791e393a94fdb6775
Opcode Fuzzy Hash: f6d36decba26a4260739cb5a4fd7e76df4ec5cd1e0e6abbd868e357f8ccd968f
Instruction Fuzzy Hash: 4F31F67095935AEFEB20AFB0D888B197BB8FF24311F004121F9558B2D5E770AC11CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FB670, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E008FB670(void* __ebx, void* __edx, signed int __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				long _v32;
				char _v48;
				intOrPtr _v52;
				long _v56;
				char _v72;
				char _v96;
				int _v100;
				long _v104;
				long _v108;
				char _v112;
				char _v116;
				char _v120;
				intOrPtr* _v124;
				signed int _t71;
				signed int _t72;
				intOrPtr _t90;
				void* _t100;
				intOrPtr _t105;
				intOrPtr _t110;
				void* _t141;
				signed int _t142;
				signed int _t143;
				intOrPtr* _t147;
				intOrPtr* _t148;
				intOrPtr* _t149;
				void* _t151;
				signed int _t153;
				intOrPtr _t154;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t142 = __edi;
				_t141 = __edx;
				_t123 = __ebx;
				_t154 = _t153 - 0x70;
				_t71 =  *0x9e6310; // 0x57443789
				_t72 = _t71 ^ _t153;
				_v24 = _t72;
				 *[fs:0x0] =  &_v16;
				_v20 = _t154;
				_t146 = _a8;
				SetProcessShutdownParameters(0x100, 0);
				SetConsoleCtrlHandler(0x8f168b, 1);
				_v52 = 0xf;
				_v56 = 0;
				_v72 = 0;
				_v8 = 0;
				L008F1708( &_v96, _a4, _a8,  &_v72,  &_v120,  &_v112,  &_v116);
				_v8 = 1;
				__imp__?setActiveBrand@VgkConfig@@SAXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z( &_v72, _t72, __edi, __esi, __ebx,  *[fs:0x0], 0x9acc23, 0xffffffff, _t151);
				_v108 = 0;
				_v104 = 0;
				_v8 = 3;
				E00928A80("plex");
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				_push(1);
				L008F137A(__ebx,  &_v48, __edi, _a8, "X");
				_v8 = 4;
				E009267D0(_t141, "plex", 0x9bd336,  &_v48, 0x9bd336);
				_t156 = _t154 + 0x34;
				_v8 = 3;
				if(_v28 >= 0x10) {
					L0094EF04(_v48);
					_t156 = _t156 + 4;
				}
				_push(2);
				_v28 = 0xf;
				_v32 = 0;
				_v48 = 0;
				L008F137A(_t123,  &_v48, _t142, _t146, "sf");
				_v8 = 5;
				E009267D0(_t141, "plex", 0x9bd336,  &_v48, 0x9bd336);
				_t157 = _t156 + 0x10;
				_v8 = 3;
				if(_v28 >= 0x10) {
					L0094EF04(_v48);
					_t157 = _t157 + 4;
				}
				_t90 =  *0x9bda64; // 0x0
				do {
					_t164 = _t90;
				} while (_t90 != 0);
				L008F150A(E009264B0(_t90));
				_push(0x28);
				_t147 = E0094EEB3(_t123, _t142, _t164);
				_t158 = _t157 + 4;
				_v124 = _t147;
				_v8 = 6;
				_t165 = _t147;
				if(_t147 == 0) {
					_t147 = 0;
					__eflags = 0;
				} else {
					__imp__??0PCShowServer@@QAE@XZ();
					 *_t147 = 0x9bd4b4;
				}
				_v8 = 3;
				L008F12CB( &_v108, _t165, _t147);
				_t148 = _v108;
				 *((intOrPtr*)( *_t148 + 4))(_v112, _v116,  &_v72, _v120);
				E00901250( &_v100);
				_v8 = 7;
				_t100 = L008F115E( &_v48, "waitForServerUp_",  &_v72);
				_t159 = _t158 + 0xc;
				_v8 = 8;
				E00902D60( &_v100, _t165, 0, _t100);
				_v8 = 7;
				if(_v28 >= 0x10) {
					L0094EF04(_v48);
					_t159 = _t159 + 4;
				}
				E00902C70( &_v100);
				E00902490( &_v100);
				L008F19EC(0x9ea30c);
				_t105 =  *0x9bda64; // 0x0
				do {
				} while (_t105 != 0);
				 *((intOrPtr*)( *_t148 + 8))();
				_t149 = _v104;
				_v108 = 0;
				_v104 = 0;
				if(_t149 != 0) {
					_t143 = _t142 | 0xffffffff;
					asm("lock xadd [ecx], eax");
					if(_t143 == 0) {
						 *((intOrPtr*)( *_t149 + 4))();
						asm("lock xadd [eax], edi");
						if(_t143 == 1) {
							 *((intOrPtr*)( *_t149 + 8))();
						}
					}
				}
				_v8 = 3;
				E00901760( &_v100);
				E0094FC61(0);
				_t110 =  *0x9bda64; // 0x0
				do {
				} while (_t110 != 0);
				_push("unknown error");
				_push(0x9ea630);
				L008F1267(L008F14AB());
				_v100 = 1;
				return 0x8fb91e;
			}

0x008fb670
0x008fb670
0x008fb670
0x008fb681
0x008fb684
0x008fb689
0x008fb68b
0x008fb695
0x008fb69b
0x008fb69e
0x008fb6a8
0x008fb6b5
0x008fb6bb
0x008fb6c2
0x008fb6c9
0x008fb6d0
0x008fb6ec
0x008fb6f4
0x008fb6f9
0x008fb6ff
0x008fb706
0x008fb712
0x008fb716
0x008fb71e
0x008fb728
0x008fb72f
0x008fb733
0x008fb73a
0x008fb747
0x008fb756
0x008fb75b
0x008fb75e
0x008fb766
0x008fb76b
0x008fb770
0x008fb770
0x008fb773
0x008fb77d
0x008fb784
0x008fb78b
0x008fb78f
0x008fb79c
0x008fb7ab
0x008fb7b0
0x008fb7b3
0x008fb7bb
0x008fb7c0
0x008fb7c5
0x008fb7c5
0x008fb7c8
0x008fb7d0
0x008fb7d0
0x008fb7d0
0x008fb7de
0x008fb7e3
0x008fb7ea
0x008fb7ec
0x008fb7ef
0x008fb7f2
0x008fb7f6
0x008fb7f8
0x008fb80a
0x008fb80a
0x008fb7fa
0x008fb7fc
0x008fb802
0x008fb802
0x008fb810
0x008fb814
0x008fb81c
0x008fb82d
0x008fb833
0x008fb83b
0x008fb849
0x008fb84e
0x008fb857
0x008fb85b
0x008fb864
0x008fb868
0x008fb86d
0x008fb872
0x008fb872
0x008fb878
0x008fb880
0x008fb88a
0x008fb88f
0x008fb894
0x008fb894
0x008fb89c
0x008fb89f
0x008fb8a2
0x008fb8a9
0x008fb8b2
0x008fb8b4
0x008fb8bc
0x008fb8c0
0x008fb8c6
0x008fb8cc
0x008fb8d1
0x008fb8d7
0x008fb8d7
0x008fb8d1
0x008fb8c0
0x008fb8dd
0x008fb8e3
0x008fb922
0x008fb927
0x008fb930
0x008fb930
0x008fb934
0x008fb939
0x008fb944
0x008fb94c
0x008fb958

APIs

SetProcessShutdownParameters.KERNEL32(00000100,00000000,57443789), ref: 008FB6A8
SetConsoleCtrlHandler.KERNEL32(008F168B,00000001), ref: 008FB6B5
?setActiveBrand@VgkConfig@@SAXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.PCSHOWSERVER(00000000,?,?,?,00000000,?,?,?), ref: 008FB6F9

Part of subcall function 00928A80: GetModuleHandleExW.KERNEL32(00000004,00000000,?,?,?,?,00000003,?,?,009BD336,00000000,?,?), ref: 00928C58

??0PCShowServer@@QAE@XZ.PCSHOWSERVER(?,?,?,009BD524,00000002,?,?,009BD520,00000001), ref: 008FB7FC

Strings

unknown error, xrefs: 008FB934
waitForServerUp_, xrefs: 008FB843
plex, xrefs: 008FB70D, 008FB751, 008FB7A6

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: ?setActiveBrand@Config@@ConsoleCtrlD@2@@std@@@D@std@@HandleHandlerModuleParametersProcessServer@@ShowShutdownU?$char_traits@V?$allocator@V?$basic_string@
String ID: plex$unknown error$waitForServerUp_
API String ID: 2115739240-363326038
Opcode ID: 03f303c021fc2b88e12623fab9bae14457ecd06131a4f6426144c79bfbef92d3
Instruction ID: fab0d68170072b484e7356cc713d79b9c806f75b190548dae1b6d6f910a692d8
Opcode Fuzzy Hash: 03f303c021fc2b88e12623fab9bae14457ecd06131a4f6426144c79bfbef92d3
Instruction Fuzzy Hash: 7081AF70D0534CEBDF21DBA4C949BEEBBB8FF54718F144058E505A7292E7B45A08CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0091F870, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0091F870(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				char _v16;
				signed int _v20;
				struct _OSVERSIONINFOEXW _v304;
				signed int _v308;
				char _v312;
				intOrPtr _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t40;
				signed int _t41;
				longlong _t45;
				signed int _t47;
				signed int _t52;
				void* _t55;
				void* _t63;
				intOrPtr _t64;
				void* _t65;
				void* _t72;
				void* _t73;
				intOrPtr _t74;
				void* _t75;
				void* _t76;
				char _t77;
				void* _t78;
				void* _t79;
				signed int _t80;

				_t72 = __edx;
				_t40 =  *0x9e6310; // 0x57443789
				_t41 = _t40 ^ _t80;
				_v20 = _t41;
				 *[fs:0x0] =  &_v16;
				_t74 = __ecx;
				_t64 = _a8;
				 *(__ecx + 4) = 0;
				 *(__ecx + 8) = 0;
				_v316 = __ecx;
				 *((intOrPtr*)(__ecx + 0xc)) = _a4;
				 *(__ecx + 0x10) = 0;
				 *((intOrPtr*)(__ecx)) = 0x9be300;
				_v8 = 0;
				 *(__ecx + 0x14) = 0;
				 *(__ecx + 0x18) = 0;
				 *(__ecx + 0x1c) = 0;
				 *(__ecx + 0x20) = 0;
				 *(__ecx + 0x24) = 0;
				_t45 = E00950A90( &_v304, 0, 0x11c);
				_v304.dwOSVersionInfoSize = 0x11c;
				_v304.dwMajorVersion = 6;
				__imp__VerSetConditionMask(0, 0, 2, 3, _t41, _t73, _t76, _t63,  *[fs:0x0], 0x9b04c1, 0xffffffff);
				_push(_t72);
				_t47 = VerifyVersionInfoW( &_v304, 2, _t45);
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t74 + 0x28)) = ( ~_t47 & 0xfffffe0b) + 0x1f4;
				 *(_t74 + 0x2c) = 0;
				 *(_t74 + 0x30) = 0;
				_v8 = 3;
				 *(_t74 + 0x34) = 0;
				_t77 = E00922790();
				_t52 = E0094A830();
				_v312 = _t77;
				_v308 = _t52;
				_t85 = _t77;
				if(_t77 != 0) {
					_t52 = E00913940(_t74, _t77, _t85,  &_v312, "mutex");
				}
				 *(_t74 + 0x50) = 0;
				 *(_t74 + 0x54) = 0;
				 *(_t74 + 0x58) = 0;
				_v8 = 5;
				_t54 =  <  ? _t64 : _t52 | 0xffffffff;
				_t55 = CreateIoCompletionPort(0xffffffff, 0, 0,  <  ? _t64 : _t52 | 0xffffffff);
				 *(_t74 + 0x14) = _t55;
				if(_t55 == 0) {
					_t79 = GetLastError();
					_v312 = _t79;
					_v308 = E0094A830();
					_t88 = _t79;
					if(_t79 != 0) {
						E00913940(_t74, _t79, _t88,  &_v312, "iocp");
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t75);
				_pop(_t78);
				_pop(_t65);
				return E0094FF4A(_t65, _v20 ^ _t80, _t72, _t75, _t78);
			}

0x0091f870
0x0091f887
0x0091f88c
0x0091f88e
0x0091f898
0x0091f89e
0x0091f8a3
0x0091f8a6
0x0091f8ad
0x0091f8b4
0x0091f8ba
0x0091f8bd
0x0091f8c4
0x0091f8ca
0x0091f8d1
0x0091f8e3
0x0091f8ed
0x0091f8f4
0x0091f8fb
0x0091f902
0x0091f90a
0x0091f914
0x0091f926
0x0091f92c
0x0091f937
0x0091f93f
0x0091f94b
0x0091f94e
0x0091f955
0x0091f95f
0x0091f963
0x0091f96f
0x0091f971
0x0091f976
0x0091f97c
0x0091f982
0x0091f984
0x0091f992
0x0091f992
0x0091f997
0x0091f99e
0x0091f9a5
0x0091f9af
0x0091f9b6
0x0091f9c0
0x0091f9c6
0x0091f9cb
0x0091f9d3
0x0091f9d5
0x0091f9e0
0x0091f9e6
0x0091f9e8
0x0091f9f6
0x0091f9f6
0x0091f9e8
0x0091fa00
0x0091fa08
0x0091fa09
0x0091fa0a
0x0091fa18

APIs

_memset.LIBCMT ref: 0091F902
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000000,00000000,009EA470), ref: 0091F926
VerifyVersionInfoW.KERNEL32 ref: 0091F937

Part of subcall function 00922790: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,80000000,57443789,00000000,00000024,009EA470,00000000), ref: 009227D0
Part of subcall function 00922790: GetLastError.KERNEL32 ref: 009227DA

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0091F9C0
GetLastError.KERNEL32 ref: 0091F9CD

Part of subcall function 00913940: std::exception::exception.LIBCMT ref: 0091397F

Strings

mutex, xrefs: 0091F986
iocp, xrefs: 0091F9EA

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: ErrorLast$CompletionConditionCountCreateCriticalInfoInitializeMaskPortSectionSpinVerifyVersion_memsetstd::exception::exception
String ID: iocp$mutex
API String ID: 2066893925-1266449624
Opcode ID: 0ff18d6f672082056265060d74d00a2f0e2b101d8a9a8336049b037122601760
Instruction ID: 03edcbacc4b192c41f8e652f859fae4237c7d4420aeba74f277704f31112ee6e
Opcode Fuzzy Hash: 0ff18d6f672082056265060d74d00a2f0e2b101d8a9a8336049b037122601760
Instruction Fuzzy Hash: DF41AEB1905719ABE720DF24CC49BDABBF8FB04724F104259E9149B6C0D7B4AA54CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 008F3760, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E008F3760(void* __edi) {
				intOrPtr _v8;
				char _v12;
				int _v16;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				int _t19;
				long _t21;
				long _t23;
				void* _t25;
				void* _t26;
				void* _t27;
				int _t28;
				void* _t29;
				void* _t31;
				void* _t35;

				_t31 = _t35;
				_t21 = TlsAlloc();
				if(_t21 != 0xffffffff) {
					L2:
					 *0x9ea478 = _t21;
					return E0094F034(_t43, 0x9ba140);
				} else {
					_t26 = GetLastError();
					_t10 = E0094A830();
					_v12 = _t26;
					_t43 = _t26;
					_v8 = _t10;
					_t27 = _t25;
					if(_t26 != 0) {
						E00913940(_t21, _t27, __eflags,  &_v12, "tss");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t31);
						_push(_t21);
						_t23 = TlsAlloc();
						__eflags = _t23 - 0xffffffff;
						if(__eflags != 0) {
							L6:
							 *0x9ea468 = _t23;
							return E0094F034(__eflags, 0x9ba150);
						} else {
							_t28 = GetLastError();
							_t16 = E0094A830();
							_v16 = _t28;
							__eflags = _t28;
							_v12 = _t16;
							_t29 = _t27;
							if(__eflags != 0) {
								E00913940(_t23, _t29, __eflags,  &_v16, "tss");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_t19 = InitializeSecurityDescriptor(0x9ea48c, 1);
								__eflags = _t19;
								if(_t19 != 0) {
									_t19 = SetSecurityDescriptorDacl(0x9ea48c, 1, 0, 0);
									__eflags = _t19;
									if(_t19 != 0) {
										 *0x9ea484 = 0x9ea48c;
										 *0x9ea480 = 0xc;
										 *0x9ea488 = 0;
										 *0x9ea4a0 = 0;
										return _t19;
									}
								}
								return _t19;
							} else {
								goto L6;
							}
						}
					} else {
						goto L2;
					}
				}
			}

0x008f3761
0x008f376d
0x008f3772
0x008f378d
0x008f3792
0x008f37a4
0x008f3774
0x008f377b
0x008f377d
0x008f3782
0x008f3785
0x008f3787
0x008f378a
0x008f378b
0x008f37ae
0x008f37b3
0x008f37b4
0x008f37b5
0x008f37b6
0x008f37b7
0x008f37b8
0x008f37b9
0x008f37ba
0x008f37bb
0x008f37bc
0x008f37bd
0x008f37be
0x008f37bf
0x008f37c0
0x008f37c6
0x008f37cd
0x008f37cf
0x008f37d2
0x008f37ed
0x008f37f2
0x008f3804
0x008f37d4
0x008f37db
0x008f37dd
0x008f37e2
0x008f37e5
0x008f37e7
0x008f37ea
0x008f37eb
0x008f380e
0x008f3813
0x008f3814
0x008f3815
0x008f3816
0x008f3817
0x008f3818
0x008f3819
0x008f381a
0x008f381b
0x008f381c
0x008f381d
0x008f381e
0x008f381f
0x008f3827
0x008f382d
0x008f382f
0x008f383c
0x008f3842
0x008f3844
0x008f3846
0x008f3850
0x008f385a
0x008f3864
0x00000000
0x008f3864
0x008f3844
0x008f386b
0x00000000
0x00000000
0x00000000
0x008f37eb
0x00000000
0x00000000
0x00000000
0x008f378b

APIs

TlsAlloc.KERNEL32 ref: 008F3767
GetLastError.KERNEL32 ref: 008F3775
TlsAlloc.KERNEL32(00000000,tss), ref: 008F37C7
GetLastError.KERNEL32 ref: 008F37D5

Part of subcall function 00913940: std::exception::exception.LIBCMT ref: 0091397F

InitializeSecurityDescriptor.ADVAPI32(009EA48C,00000001,?,tss), ref: 008F3827
SetSecurityDescriptorDacl.ADVAPI32(009EA48C,00000001,00000000,00000000), ref: 008F383C

Strings

tss, xrefs: 008F37A5, 008F3805

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AllocDescriptorErrorLastSecurity$DaclInitializestd::exception::exception
String ID: tss
API String ID: 1606189987-1638339373
Opcode ID: 05a9a45105776a79b4b2b8488dc4570ab3e38384841c840bfd6194f820ac9747
Instruction ID: e4b5c9917985be5a19802073a2d4a7e4f84597225d195a30418a4915c41318dc
Opcode Fuzzy Hash: 05a9a45105776a79b4b2b8488dc4570ab3e38384841c840bfd6194f820ac9747
Instruction Fuzzy Hash: D2210A71959348ABD7116B74AC8DB9D7B68A780774F100125FD00AB2F0F7B45E02A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 008F4AA0, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 267
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E008F4AA0(signed int* _a4, intOrPtr* _a8, signed char _a11) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed char _v21;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v60;
				char _v80;
				char _v100;
				void* __ebx;
				signed int _t105;
				intOrPtr* _t108;
				signed int _t109;
				intOrPtr _t111;
				intOrPtr _t113;
				signed int _t114;
				signed int _t115;
				intOrPtr _t124;
				void* _t126;
				signed int _t133;
				signed int _t134;
				intOrPtr _t145;
				signed int _t148;
				signed int _t150;
				signed char _t153;
				intOrPtr _t155;
				signed int _t158;
				signed int _t159;
				signed char _t162;
				intOrPtr _t163;
				signed int _t168;
				void* _t170;
				signed int* _t171;
				intOrPtr* _t173;
				signed char _t178;
				intOrPtr* _t181;
				intOrPtr* _t182;
				signed char** _t183;
				signed int* _t184;
				signed int* _t185;
				intOrPtr* _t188;
				signed int _t189;
				intOrPtr* _t190;
				signed int _t192;
				void* _t194;
				signed char _t196;
				signed char* _t199;
				signed char _t200;
				signed int* _t201;
				intOrPtr _t203;
				signed int _t204;
				signed int _t207;
				signed int _t208;
				signed int _t210;
				void* _t211;
				signed int _t214;
				signed int _t216;

				_push(0xffffffff);
				_push(0x9ac200);
				_push( *[fs:0x0]);
				_t105 =  *0x9e6310; // 0x57443789
				_push(_t105 ^ _t210);
				 *[fs:0x0] =  &_v16;
				_v20 = _t211 - 0x54;
				_t108 = _a8;
				_t207 = 0;
				_v32 = 0;
				if( *_t108 != 0) {
					_t188 = _t108;
					_t170 = _t188 + 1;
					do {
						_t109 =  *_t188;
						_t188 = _t188 + 1;
						__eflags = _t109;
					} while (_t109 != 0);
					_t189 = _t188 - _t170;
					__eflags = _t189;
					L5:
					_t171 = _a4;
					_v28 = _t189;
					_t111 =  *((intOrPtr*)( *_t171 + 4));
					_t168 =  *(_t111 +  &(_t171[9]));
					_t203 =  *((intOrPtr*)(_t111 +  &(_t171[8])));
					_t214 = _t168;
					if(_t214 < 0) {
						L12:
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x24], xmm0");
						_t168 = _v36;
						_t204 = _v40;
						L13:
						_t190 =  *((intOrPtr*)(_t111 +  &(_t171[0xe])));
						_v40 = _t171;
						if(_t190 != 0) {
							 *((intOrPtr*)( *_t190 + 4))();
							_t171 = _a4;
						}
						_v8 = 0;
						_t113 =  *((intOrPtr*)( *_t171 + 4));
						if( *((intOrPtr*)(_t113 +  &(_t171[3]))) == 0) {
							_t163 =  *((intOrPtr*)(_t113 +  &(_t171[0xf])));
							if(_t163 != 0 && _t163 != _t171) {
								L008F14C9(_t168, _t163);
								_t171 = _a4;
							}
						}
						_t114 =  *_t171;
						_t192 =  *((intOrPtr*)(_t114 + 4)) + _t171;
						_t115 = _t114 & 0xffffff00 |  *((intOrPtr*)(_t192 + 0xc)) == 0x00000000;
						_v36 = _t115;
						_v8 = 1;
						if(_t115 != 0) {
							_v8 = 2;
							__eflags = ( *(_t192 + 0x14) & 0x000001c0) - 0x40;
							if(( *(_t192 + 0x14) & 0x000001c0) == 0x40) {
								L34:
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t171 + 4)) +  &(_t171[0xe]))))) + 0x24))))(_a8, _v28, 0) - _v28;
								if(__eflags != 0) {
									L47:
									_t207 = 4;
									L48:
									_t171 = _a4;
									L49:
									_t124 =  *((intOrPtr*)( *_t171 + 4));
									 *((intOrPtr*)(_t124 +  &(_t171[8]))) = 0;
									 *((intOrPtr*)(_t124 +  &(_t171[9]))) = 0;
									_v8 = 1;
									goto L51;
								}
								__eflags = _t192;
								if(__eflags != 0) {
									goto L47;
								} else {
									goto L36;
								}
								while(1) {
									L36:
									__eflags = _t168;
									if(__eflags < 0) {
										goto L48;
									}
									if(__eflags > 0) {
										L39:
										_t181 = _a4;
										_t145 =  *((intOrPtr*)( *_t181 + 4));
										_t196 =  *((intOrPtr*)(_t145 + _t181 + 0x40));
										_t182 =  *((intOrPtr*)(_t145 + _t181 + 0x38));
										_a11 = _t196;
										__eflags =  *( *(_t182 + 0x20));
										if( *( *(_t182 + 0x20)) == 0) {
											L43:
											_t148 =  *((intOrPtr*)( *_t182 + 0xc))(_t196 & 0x000000ff);
											L44:
											__eflags = _t148 - 0xffffffff;
											if(__eflags != 0) {
												_t204 = _t204 + 0xffffffff;
												asm("adc ebx, 0xffffffff");
												continue;
											}
											_t207 = _t207 | 0x00000004;
											goto L48;
										}
										_t150 =  *( *(_t182 + 0x30));
										__eflags = _t150;
										if(_t150 <= 0) {
											goto L43;
										}
										 *( *(_t182 + 0x30)) = _t150 - 1;
										_t183 =  *(_t182 + 0x20);
										_t199 =  *_t183;
										 *_t183 =  &(_t199[1]);
										_t153 = _a11;
										 *_t199 = _t153;
										_t148 = _t153 & 0x000000ff;
										goto L44;
									}
									__eflags = _t204;
									if(__eflags == 0) {
										goto L48;
									}
									goto L39;
								}
								goto L48;
							}
							while(1) {
								__eflags = _t168;
								if(__eflags < 0) {
									break;
								}
								if(__eflags > 0) {
									L26:
									_t155 =  *((intOrPtr*)( *_t171 + 4));
									_t200 =  *((intOrPtr*)(_t155 +  &(_t171[0x10])));
									_t184 =  *(_t155 +  &(_t171[0xe]));
									_v21 = _t200;
									__eflags =  *(_t184[8]);
									if( *(_t184[8]) == 0) {
										L30:
										_t192 =  *_t184;
										_t158 =  *((intOrPtr*)(_t192 + 0xc))(_t200 & 0x000000ff);
										L31:
										_t171 = _a4;
										__eflags = _t158 - 0xffffffff;
										if(_t158 != 0xffffffff) {
											_t204 = _t204 + 0xffffffff;
											asm("adc ebx, 0xffffffff");
											continue;
										}
										_t207 = _t207 | 0x00000004;
										__eflags = _t207;
										_v32 = _t207;
										break;
									}
									_t201 = _t184[0xc];
									_t159 =  *_t201;
									__eflags = _t159;
									if(_t159 <= 0) {
										_t200 = _v21;
										goto L30;
									}
									 *_t201 = _t159 - 1;
									_t185 = _t184[8];
									_t192 =  *_t185;
									 *_t185 = _t192 + 1;
									_t162 = _v21;
									 *_t192 = _t162;
									_t158 = _t162 & 0x000000ff;
									goto L31;
								}
								__eflags = _t204;
								if(_t204 == 0) {
									break;
								}
								goto L26;
							}
							__eflags = _t207;
							if(__eflags != 0) {
								goto L49;
							}
							goto L34;
						} else {
							_t207 = 4;
							L51:
							_t194 =  *((intOrPtr*)( *_t171 + 4)) + _t171;
							if(_t207 != 0) {
								_t133 =  *(_t194 + 0xc) | _t207;
								if( *((intOrPtr*)(_t194 + 0x38)) == 0) {
									_t133 = _t133 | 0x00000004;
								}
								_t134 = _t133 & 0x00000017;
								 *(_t194 + 0xc) = _t134;
								_t178 =  *(_t194 + 0x10) & _t134;
								if(_t178 != 0) {
									if((_t178 & 0x00000004) != 0) {
										_t178 =  &_v60;
										L008F1AF5(_t168, _t178, 1, 0x9e6000, "ios_base::badbit set");
										_v60 = 0x9c8be0;
										E0094FF59( &_v60, 0x9d870c);
									}
									_t229 = _t178 & 0x00000002;
									if((_t178 & 0x00000002) != 0) {
										L008F1AF5(_t168,  &_v80, 1, 0x9e6000, "ios_base::failbit set");
										_v80 = 0x9c8be0;
										E0094FF59( &_v80, 0x9d870c);
									}
									L008F1AF5(_t168,  &_v100, 1, 0x9e6000, "ios_base::eofbit set");
									_v100 = 0x9c8be0;
									E0094FF59( &_v100, 0x9d870c);
								}
							}
							_v8 = 0xffffffff;
							_t126 = L00929236(_t229);
							_t208 = _v40;
							if(_t126 == 0) {
								L008F167C(_t208);
							}
							_t173 =  *((intOrPtr*)( *((intOrPtr*)( *_t208 + 4)) + _t208 + 0x38));
							if(_t173 != 0) {
								 *((intOrPtr*)( *_t173 + 8))();
							}
							 *[fs:0x0] = _v16;
							return _a4;
						}
					}
					if(_t214 > 0) {
						L11:
						_t204 = _t203 - _t189;
						asm("sbb ebx, esi");
						goto L13;
					}
					if(_t203 == 0) {
						goto L12;
					}
					_t216 = _t168;
					if(_t216 < 0 || _t216 <= 0 && _t203 <= _t189) {
						goto L12;
					} else {
						goto L11;
					}
				}
				_t189 = 0;
				goto L5;
			}

0x008f4aa3
0x008f4aa5
0x008f4ab0
0x008f4ab7
0x008f4abe
0x008f4ac2
0x008f4ac8
0x008f4acb
0x008f4ace
0x008f4ad0
0x008f4ad6
0x008f4adc
0x008f4ade
0x008f4ae1
0x008f4ae1
0x008f4ae3
0x008f4ae4
0x008f4ae4
0x008f4ae8
0x008f4ae8
0x008f4aea
0x008f4aea
0x008f4aed
0x008f4af2
0x008f4af5
0x008f4af9
0x008f4afd
0x008f4aff
0x008f4b17
0x008f4b17
0x008f4b1a
0x008f4b1f
0x008f4b22
0x008f4b25
0x008f4b25
0x008f4b29
0x008f4b2e
0x008f4b34
0x008f4b37
0x008f4b37
0x008f4b3c
0x008f4b43
0x008f4b4b
0x008f4b4d
0x008f4b53
0x008f4b5b
0x008f4b60
0x008f4b60
0x008f4b53
0x008f4b63
0x008f4b68
0x008f4b6e
0x008f4b71
0x008f4b74
0x008f4b7d
0x008f4b91
0x008f4b95
0x008f4b98
0x008f4c04
0x008f4c1c
0x008f4c1f
0x008f4c93
0x008f4c93
0x008f4c98
0x008f4c98
0x008f4c9b
0x008f4c9d
0x008f4ca0
0x008f4ca8
0x008f4ce7
0x00000000
0x008f4ce7
0x008f4c21
0x008f4c23
0x00000000
0x00000000
0x00000000
0x00000000
0x008f4c25
0x008f4c25
0x008f4c25
0x008f4c27
0x00000000
0x00000000
0x008f4c29
0x008f4c2f
0x008f4c2f
0x008f4c34
0x008f4c37
0x008f4c3b
0x008f4c3f
0x008f4c45
0x008f4c48
0x008f4c78
0x008f4c7e
0x008f4c81
0x008f4c81
0x008f4c84
0x008f4c8b
0x008f4c8e
0x00000000
0x008f4c8e
0x008f4c86
0x00000000
0x008f4c86
0x008f4c4d
0x008f4c4f
0x008f4c51
0x00000000
0x00000000
0x008f4c57
0x008f4c59
0x008f4c5c
0x008f4c61
0x008f4c63
0x008f4c66
0x008f4c68
0x00000000
0x008f4c68
0x008f4c2b
0x008f4c2d
0x00000000
0x00000000
0x00000000
0x008f4c2d
0x00000000
0x008f4c25
0x008f4ba0
0x008f4ba0
0x008f4ba2
0x00000000
0x00000000
0x008f4ba4
0x008f4baa
0x008f4bac
0x008f4baf
0x008f4bb3
0x008f4bb7
0x008f4bbd
0x008f4bc0
0x008f4be5
0x008f4be8
0x008f4beb
0x008f4bee
0x008f4bee
0x008f4bf1
0x008f4bf4
0x008f4c6d
0x008f4c70
0x00000000
0x008f4c70
0x008f4bf6
0x008f4bf6
0x008f4bf9
0x00000000
0x008f4bf9
0x008f4bc2
0x008f4bc5
0x008f4bc7
0x008f4bc9
0x008f4be2
0x00000000
0x008f4be2
0x008f4bcc
0x008f4bce
0x008f4bd1
0x008f4bd6
0x008f4bd8
0x008f4bdb
0x008f4bdd
0x00000000
0x008f4bdd
0x008f4ba6
0x008f4ba8
0x00000000
0x00000000
0x00000000
0x008f4ba8
0x008f4bfc
0x008f4bfe
0x00000000
0x00000000
0x00000000
0x008f4b7f
0x008f4b7f
0x008f4cee
0x008f4cf3
0x008f4cf7
0x008f4d00
0x008f4d06
0x008f4d08
0x008f4d08
0x008f4d0e
0x008f4d11
0x008f4d14
0x008f4d16
0x008f4d1f
0x008f4d2d
0x008f4d30
0x008f4d3d
0x008f4d45
0x008f4d45
0x008f4d4a
0x008f4d4d
0x008f4d5e
0x008f4d6b
0x008f4d73
0x008f4d73
0x008f4d87
0x008f4d94
0x008f4d9c
0x008f4d9c
0x008f4d16
0x008f4da1
0x008f4da8
0x008f4dad
0x008f4db2
0x008f4db6
0x008f4db6
0x008f4dc0
0x008f4dc6
0x008f4dca
0x008f4dca
0x008f4dd3
0x008f4de1
0x008f4de1
0x008f4b7d
0x008f4b01
0x008f4b11
0x008f4b11
0x008f4b13
0x00000000
0x008f4b13
0x008f4b05
0x00000000
0x00000000
0x008f4b07
0x008f4b09
0x00000000
0x00000000
0x00000000
0x00000000
0x008f4b09
0x008f4ad8
0x00000000

APIs

__CxxThrowException@8.LIBCMT ref: 008F4D45
__CxxThrowException@8.LIBCMT ref: 008F4D73
__CxxThrowException@8.LIBCMT ref: 008F4D9C

Strings

ios_base::badbit set, xrefs: 008F4D21
ios_base::eofbit set, xrefs: 008F4D78
ios_base::failbit set, xrefs: 008F4D4F

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 1f19d04d4ab1f50ab0d2dc599a7bd46335cbd0b94caa9eabfe335b84afd88950
Instruction ID: d3b8f8e6aa4de17407249a604593d1346adc32fd3022faf8e7428b76dadbee9b
Opcode Fuzzy Hash: 1f19d04d4ab1f50ab0d2dc599a7bd46335cbd0b94caa9eabfe335b84afd88950
Instruction Fuzzy Hash: E0B15D74A012099FDB10CF68C494BAABBB1FF89328F249299E915DB392D771ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008FADC0, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E008FADC0(signed int* __ecx, signed int _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int* _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int* _v36;
				char _v56;
				char _v76;
				char _v96;
				void* __ebx;
				signed int _t59;
				intOrPtr _t65;
				signed int _t66;
				signed int _t67;
				signed int _t81;
				signed int _t82;
				signed char* _t92;
				signed char _t95;
				void* _t100;
				intOrPtr* _t103;
				intOrPtr _t104;
				intOrPtr* _t105;
				void* _t108;
				intOrPtr* _t109;
				signed char _t114;
				signed char** _t117;
				intOrPtr _t119;
				signed char** _t121;
				signed char* _t122;
				signed int _t125;
				signed int* _t128;
				signed int _t130;
				void* _t131;

				_push(0xffffffff);
				_push(0x9acb30);
				_push( *[fs:0x0]);
				_push(_t100);
				_t59 =  *0x9e6310; // 0x57443789
				_push(_t59 ^ _t130);
				 *[fs:0x0] =  &_v16;
				_v20 = _t131 - 0x50;
				_t128 = __ecx;
				_v24 = __ecx;
				_v28 = 0;
				_v36 = __ecx;
				_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 4)) + __ecx + 0x38));
				if(_t103 != 0) {
					 *((intOrPtr*)( *_t103 + 4))();
				}
				_v8 = 0;
				_t65 =  *((intOrPtr*)( *_t128 + 4));
				if( *((intOrPtr*)(_t65 +  &(_t128[3]))) == 0) {
					_t119 =  *((intOrPtr*)(_t65 +  &(_t128[0xf])));
					if(_t119 != 0 && _t119 != _t128) {
						L008F14C9(_t100, _t119);
					}
				}
				_t66 =  *_t128;
				_t104 =  *((intOrPtr*)(_t66 + 4));
				_t67 = _t66 & 0xffffff00 |  *((intOrPtr*)(_t104 +  &(_t128[3]))) == 0x00000000;
				_v32 = _t67;
				_v8 = 1;
				if(_t67 != 0) {
					_t105 =  *((intOrPtr*)(_t104 +  &(_t128[0xe])));
					_v8 = 2;
					__eflags =  *( *(_t105 + 0x20));
					if( *( *(_t105 + 0x20)) == 0) {
						L11:
						__eflags =  *((intOrPtr*)( *_t105 + 0xc))(_a4 & 0x000000ff) - 0xffffffff;
						_t125 =  ==  ? 4 : 0;
						L12:
						_v8 = 1;
						goto L13;
					}
					_t121 =  *(_t105 + 0x30);
					_t92 =  *_t121;
					__eflags = _t92;
					if(_t92 <= 0) {
						goto L11;
					}
					 *_t121 = _t92 - 1;
					_t117 =  *(_t105 + 0x20);
					_t122 =  *_t117;
					 *_t117 =  &(_t122[1]);
					_t95 = _a4;
					 *_t122 = _t95;
					__eflags = (_t95 & 0x000000ff) - 0xffffffff;
					_t125 =  ==  ? 4 : 0;
					goto L12;
				} else {
					_t125 = 4;
					L13:
					_t108 =  *((intOrPtr*)( *_t128 + 4)) + _t128;
					if(_t125 != 0) {
						_t81 =  *(_t108 + 0xc) | _t125;
						if( *((intOrPtr*)(_t108 + 0x38)) == 0) {
							_t81 = _t81 | 0x00000004;
						}
						_t82 = _t81 & 0x00000017;
						 *(_t108 + 0xc) = _t82;
						_t114 =  *(_t108 + 0x10) & _t82;
						if(_t114 != 0) {
							if((_t114 & 0x00000004) != 0) {
								_t114 =  &_v56;
								L008F1AF5(_t100, _t114, 1, 0x9e6000, "ios_base::badbit set");
								_v56 = 0x9c8be0;
								E0094FF59( &_v56, 0x9d870c);
							}
							_t144 = _t114 & 0x00000002;
							if((_t114 & 0x00000002) != 0) {
								L008F1AF5(_t100,  &_v76, 1, 0x9e6000, "ios_base::failbit set");
								_v76 = 0x9c8be0;
								E0094FF59( &_v76, 0x9d870c);
							}
							L008F1AF5(_t100,  &_v96, 1, 0x9e6000, "ios_base::eofbit set");
							_v96 = 0x9c8be0;
							E0094FF59( &_v96, 0x9d870c);
						}
					}
					_v8 = 0xffffffff;
					if(L00929236(_t144) == 0) {
						L008F167C(_t128);
					}
					_t109 =  *((intOrPtr*)( *((intOrPtr*)( *_t128 + 4)) +  &(_t128[0xe])));
					if(_t109 != 0) {
						 *((intOrPtr*)( *_t109 + 8))();
					}
					 *[fs:0x0] = _v16;
					return _t128;
				}
			}

0x008fadc3
0x008fadc5
0x008fadd0
0x008fadd4
0x008fadd7
0x008fadde
0x008fade2
0x008fade8
0x008fadeb
0x008faded
0x008fadf4
0x008fadf7
0x008fadfd
0x008fae03
0x008fae07
0x008fae07
0x008fae0c
0x008fae13
0x008fae1b
0x008fae1d
0x008fae23
0x008fae29
0x008fae29
0x008fae23
0x008fae2e
0x008fae30
0x008fae38
0x008fae3b
0x008fae3e
0x008fae47
0x008fae53
0x008fae57
0x008fae5e
0x008fae61
0x008fae8e
0x008fae9a
0x008faea2
0x008faedc
0x008faedc
0x00000000
0x008faedc
0x008fae63
0x008fae66
0x008fae68
0x008fae6a
0x00000000
0x00000000
0x008fae6d
0x008fae6f
0x008fae72
0x008fae77
0x008fae7e
0x008fae81
0x008fae86
0x008fae89
0x00000000
0x008fae49
0x008fae49
0x008faee3
0x008faee8
0x008faeec
0x008faef5
0x008faefb
0x008faefd
0x008faefd
0x008faf00
0x008faf03
0x008faf09
0x008faf0b
0x008faf14
0x008faf22
0x008faf25
0x008faf32
0x008faf3a
0x008faf3a
0x008faf3f
0x008faf42
0x008faf53
0x008faf60
0x008faf68
0x008faf68
0x008faf7c
0x008faf89
0x008faf91
0x008faf91
0x008faf0b
0x008faf96
0x008fafa4
0x008fafa8
0x008fafa8
0x008fafb2
0x008fafb8
0x008fafbc
0x008fafbc
0x008fafc4
0x008fafd2
0x008fafd2

APIs

__CxxThrowException@8.LIBCMT ref: 008FAF3A
__CxxThrowException@8.LIBCMT ref: 008FAF68
__CxxThrowException@8.LIBCMT ref: 008FAF91

Strings

ios_base::badbit set, xrefs: 008FAF16
ios_base::eofbit set, xrefs: 008FAF6D
ios_base::failbit set, xrefs: 008FAF44

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: dd17e3a824fe0defa73486bef511a8d3b76215a227e56469537ad6948d4a96f6
Instruction ID: 7a525b5a5b2bb188825a596a73a459b0d0e81f31361aa2e82f1487a4d86e12ab
Opcode Fuzzy Hash: dd17e3a824fe0defa73486bef511a8d3b76215a227e56469537ad6948d4a96f6
Instruction Fuzzy Hash: 46518AB4A00208DFCB18CF68C595BA9B7F1FF84728F248199E519DB292CB75E901CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00902D90, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00902D90(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t26;
				void* _t30;
				WCHAR* _t32;
				long _t34;
				intOrPtr _t39;
				WCHAR* _t43;
				intOrPtr _t52;
				void* _t54;
				void* _t60;
				void* _t61;
				char* _t62;
				signed int _t63;
				void* _t64;
				void* _t65;
				void* _t66;

				_t60 = __edx;
				_t26 =  *0x9e6310; // 0x57443789
				_v8 = _t26 ^ _t63;
				_t61 = __ecx;
				_t30 = L008F115E( &_v32, "Local\\", _a8);
				_t51 = _t30;
				_t62 = __ecx + 4;
				_t65 = _t64 + 0xc;
				if(_t62 != _t30) {
					 *((intOrPtr*)(_t62 + 0x14)) = 0xf;
					 *(_t62 + 0x10) = 0;
					 *_t62 = 0;
					L008F17CB(_t62, _t51);
				}
				if(_v12 >= 0x10) {
					L0094EF04(_v32);
					_t65 = _t65 + 4;
				}
				_t32 = E00918730( &_v32, _t62);
				_t66 = _t65 + 8;
				if(_t32[0xa] >= 8) {
					_t32 =  *_t32;
				}
				 *(_t61 + 0x20) = CreateEventW(0, 0, 0, _t32);
				if(_v12 >= 8) {
					L0094EF04(_v32);
					_t66 = _t66 + 4;
				}
				_t34 = GetLastError();
				_t54 =  *(_t61 + 0x20);
				_t52 = _a4;
				if(_t54 == 0) {
					L19:
					if( *(_t61 + 0x20) != 0) {
						goto L23;
					} else {
						_t39 =  *0x9bda64; // 0x0
						do {
						} while (_t39 != 0);
						return E0094FF4A(_t52, _v8 ^ _t63, _t60, _t61, _t62);
					}
				} else {
					if(_t52 == 0) {
						L26:
						return E0094FF4A(_t52, _v8 ^ _t63, _t60, _t61, _t62);
					} else {
						if(_t34 != 0xb7) {
							L23:
							if(_t52 != 0 && E00901E50(_t52, _t60, _t61, 6, 0, 0) != 0) {
								E0091A220( *(_t61 + 0x20), 6);
							}
							goto L26;
						} else {
							if(_t54 != 0) {
								CloseHandle(_t54);
								_t43 = E00918730( &_v32, _t62);
								_t66 = _t66 + 8;
								if(_t43[0xa] >= 8) {
									_t43 =  *_t43;
								}
								 *(_t61 + 0x20) = CreateEventW(0, 0, 0, _t43);
								if(_v12 >= 8) {
									L0094EF04(_v32);
									_t66 = _t66 + 4;
								}
								GetLastError();
							}
							goto L19;
						}
					}
				}
			}

0x00902d90
0x00902d96
0x00902d9d
0x00902daa
0x00902db2
0x00902db7
0x00902db9
0x00902dbc
0x00902dc1
0x00902dd3
0x00902ddc
0x00902de4
0x00902de7
0x00902de7
0x00902df0
0x00902df5
0x00902dfa
0x00902dfa
0x00902e02
0x00902e07
0x00902e0e
0x00902e10
0x00902e10
0x00902e23
0x00902e26
0x00902e2b
0x00902e30
0x00902e30
0x00902e33
0x00902e39
0x00902e3c
0x00902e41
0x00902e99
0x00902e9d
0x00000000
0x00902e9f
0x00902e9f
0x00902ea4
0x00902ea4
0x00902eb8
0x00902eb8
0x00902e43
0x00902e45
0x00902ede
0x00902ef0
0x00902e4b
0x00902e50
0x00902ebb
0x00902ebd
0x00902ed6
0x00902edb
0x00000000
0x00902e52
0x00902e54
0x00902e57
0x00902e62
0x00902e67
0x00902e6e
0x00902e70
0x00902e70
0x00902e83
0x00902e86
0x00902e8b
0x00902e90
0x00902e90
0x00902e93
0x00902e93
0x00000000
0x00902e54
0x00902e50
0x00902e45

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,008FB860,?,?,008FB860), ref: 00902E19
GetLastError.KERNEL32(?,?,?,?,?,00000000,008FB860,?,?,008FB860), ref: 00902E33
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,008FB860,?,?,008FB860), ref: 00902E57
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,008FB860,?,?,008FB860), ref: 00902E79
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,008FB860,?,?,008FB860), ref: 00902E93

Strings

Local\, xrefs: 00902DAC

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: CreateErrorEventLast$CloseHandle
String ID: Local\
API String ID: 781342481-422136742
Opcode ID: 029ebe70cd5394dc600997f3042955540c6b3c00bd1d28216594309cf836fe19
Instruction ID: d6057739df415dde5b6102243575f14a0339ea45fa90ff5f3a1a5e6b2264a42e
Opcode Fuzzy Hash: 029ebe70cd5394dc600997f3042955540c6b3c00bd1d28216594309cf836fe19
Instruction Fuzzy Hash: C6412771A44305AFDB24AF60EC4DB6EB7A9FF11301F000069F9459B2D1D7319918DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008F81D0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E008F81D0(intOrPtr __ecx, char _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed char** _v28;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t35;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t46;
				signed int _t50;
				char _t51;
				intOrPtr _t53;
				void* _t57;
				char _t58;
				char _t59;
				signed char** _t60;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				void* _t71;
				void* _t72;
				intOrPtr* _t73;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t80;
				signed char** _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				char* _t84;
				signed int _t87;
				void* _t88;
				void* _t95;

				_push(0xffffffff);
				_push(0x9ac7f0);
				_push( *[fs:0x0]);
				_push(_t80);
				_push(_t72);
				_t35 =  *0x9e6310; // 0x57443789
				_push(_t35 ^ _t87);
				 *[fs:0x0] =  &_v16;
				_v20 = _t88 - 0x38;
				_t53 = __ecx;
				_v24 = __ecx;
				_t81 = E0094FF24(_t72, _t80, _t95);
				_v28 = _t81;
				E009297E0(_t95,  &_v72);
				 *((intOrPtr*)(_t53 + 8)) = 0;
				_t96 = _a8;
				 *((intOrPtr*)(_t53 + 0x10)) = 0;
				 *((intOrPtr*)(_t53 + 0x14)) = 0;
				_v8 = 0;
				if(_a8 == 0) {
					_t82 =  *((intOrPtr*)(_t81 + 8));
				} else {
					_t82 = 0x9bd336;
				}
				E009297E0(_t96,  &_v72);
				_t73 = _t82;
				_t13 = _t73 + 1; // 0x9bd337
				_t57 = _t13;
				do {
					_t43 =  *_t73;
					_t73 = _t73 + 1;
					_t97 = _t43;
				} while (_t43 != 0);
				_t75 = _t73 - _t57 + 1;
				_push(_t75);
				_t67 = E0092923B(_t53, _t75, _t97);
				if(_t75 == 0) {
					L8:
					_t76 = 6;
					 *((intOrPtr*)(_t53 + 8)) = _t67;
					_push(6);
					_t83 = "false";
					_t45 = E0092923B(_t53, 6, _t100);
					_t69 = _t45 - _t83;
					do {
						_t58 =  *_t83;
						_t83 = _t83 + 1;
						 *((char*)(_t69 + _t83 - 1)) = _t58;
						_t76 = _t76 - 1;
						_t102 = _t76;
					} while (_t76 != 0);
					_t77 = 5;
					 *((intOrPtr*)(_t53 + 0x10)) = _t45;
					_push(5);
					_t84 = "true";
					_t46 = E0092923B(_t53, 5, _t102);
					_t71 = _t46 - _t84;
					do {
						_t59 =  *_t84;
						_t84 =  &(_t84[1]);
						 *((char*)(_t71 + _t84 - 1)) = _t59;
						_t77 = _t77 - 1;
					} while (_t77 != 0);
					 *((intOrPtr*)(_t53 + 0x14)) = _t46;
					if(_a8 == 0) {
						_t60 = _v28;
						 *((char*)(_t53 + 0xc)) =  *( *_t60) & 0x000000ff;
						_t50 =  *(_t60[1]) & 0x000000ff;
						 *(_t53 + 0xd) = _t50;
						 *[fs:0x0] = _v16;
						return _t50;
					} else {
						 *((short*)(_t53 + 0xc)) = 0x2c2e;
						 *[fs:0x0] = _v16;
						return _t46;
					}
				}
				_t66 = _t67 - _t82;
				do {
					_t51 =  *_t82;
					_t14 = _t82 + 1; // 0x203a00
					_t82 = _t14;
					 *((char*)(_t66 + _t82 - 1)) = _t51;
					_t75 = _t75 - 1;
					_t100 = _t75;
				} while (_t75 != 0);
				goto L8;
			}

0x008f81d3
0x008f81d5
0x008f81e0
0x008f81e5
0x008f81e6
0x008f81e7
0x008f81ee
0x008f81f2
0x008f81f8
0x008f81fb
0x008f81fd
0x008f8205
0x008f820b
0x008f820e
0x008f8216
0x008f821d
0x008f8221
0x008f8228
0x008f822f
0x008f8236
0x008f823f
0x008f8238
0x008f8238
0x008f8238
0x008f8246
0x008f824b
0x008f8250
0x008f8250
0x008f8253
0x008f8253
0x008f8255
0x008f8256
0x008f8256
0x008f825c
0x008f825d
0x008f8266
0x008f826a
0x008f827c
0x008f827c
0x008f8281
0x008f8284
0x008f8285
0x008f828a
0x008f8294
0x008f8296
0x008f8296
0x008f8298
0x008f829b
0x008f829f
0x008f829f
0x008f829f
0x008f82a2
0x008f82a7
0x008f82aa
0x008f82ab
0x008f82b0
0x008f82ba
0x008f82c0
0x008f82c0
0x008f82c2
0x008f82c5
0x008f82c9
0x008f82c9
0x008f82d0
0x008f82d3
0x008f82ef
0x008f82f7
0x008f82fd
0x008f8300
0x008f8306
0x008f8314
0x008f82d5
0x008f82d5
0x008f82de
0x008f82ec
0x008f82ec
0x008f82d3
0x008f826e
0x008f8270
0x008f8270
0x008f8272
0x008f8272
0x008f8275
0x008f8279
0x008f8279
0x008f8279
0x00000000

APIs

_localeconv.LIBCMT ref: 008F8200
__Getcvt.LIBCPMT ref: 008F820E

Part of subcall function 009297E0: ____lc_codepage_func.LIBCMT ref: 009297F7
Part of subcall function 009297E0: ____mb_cur_max_func.LIBCMT ref: 00929800
Part of subcall function 009297E0: ____lc_locale_name_func.LIBCMT ref: 00929808

__Getcvt.LIBCPMT ref: 008F8246

Strings

true, xrefs: 008F82AB
.,, xrefs: 008F82D5
false, xrefs: 008F8285

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Getcvt$____lc_codepage_func____lc_locale_name_func____mb_cur_max_func_localeconv
String ID: .,$false$true
API String ID: 3073657462-276263365
Opcode ID: d23c518c6a73c0ce3a06979e70e54a5202bd8dba5992cfa5bf1d39f4d9e2e939
Instruction ID: f380e35b6305330f83cc80d4c4ead296e9319aa9667d4f494c47584998fb8cae
Opcode Fuzzy Hash: d23c518c6a73c0ce3a06979e70e54a5202bd8dba5992cfa5bf1d39f4d9e2e939
Instruction Fuzzy Hash: 36413472D046858FCB11CF68D4407AABBE4FB81320F1481AEDC959B306DB36AA05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 008F5A50, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E008F5A50(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v40;
				signed int _t26;
				void* _t39;
				signed int _t45;
				char _t47;
				intOrPtr _t51;
				signed int _t61;
				intOrPtr* _t64;
				signed int _t66;

				_push(0xffffffff);
				_push(0x9ac3c8);
				_push( *[fs:0x0]);
				_t26 =  *0x9e6310; // 0x57443789
				_push(_t26 ^ _t66);
				 *[fs:0x0] =  &_v16;
				E009290B8( &_v28, 0);
				_t61 =  *0x9ea5ac;
				_t47 =  *0x9ea304;
				_v8 = 0;
				_v20 = _t47;
				if(_t61 == 0) {
					E009290B8( &_v24, _t61);
					if( *0x9ea5ac == _t61) {
						_t45 =  *0x9ea59c + 1;
						 *0x9ea59c = _t45;
						 *0x9ea5ac = _t45;
					}
					E00929125( &_v24);
					_t61 =  *0x9ea5ac;
				}
				_t51 =  *_a4;
				if(_t61 >=  *((intOrPtr*)(_t51 + 0xc))) {
					_t64 = 0;
					goto L8;
				} else {
					_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 8)) + _t61 * 4));
					if(_t64 != 0) {
						L17:
						E00929125( &_v28);
						 *[fs:0x0] = _v16;
						return _t64;
					}
					L8:
					if( *((char*)(_t51 + 0x14)) == 0) {
						L11:
						if(_t64 != 0) {
							goto L17;
						}
						L12:
						if(_t47 == 0) {
							if(L008F1AE1( &_v20, _a4) == 0xffffffff) {
								E0094FCFE( &_v40, "bad cast");
								E0094FF59( &_v40, 0x9d87bc);
							}
							_t64 = _v20;
							 *0x9ea304 = _t64;
							 *((intOrPtr*)( *_t64 + 4))();
							E00929BA1(_t64);
						} else {
							_t64 = _t47;
						}
						goto L17;
					}
					_t39 = E00929BC9();
					if(_t61 >=  *((intOrPtr*)(_t39 + 0xc))) {
						goto L12;
					}
					_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t39 + 8)) + _t61 * 4));
					goto L11;
				}
			}

0x008f5a53
0x008f5a55
0x008f5a60
0x008f5a67
0x008f5a6e
0x008f5a72
0x008f5a7d
0x008f5a82
0x008f5a88
0x008f5a8e
0x008f5a95
0x008f5a9a
0x008f5aa0
0x008f5aab
0x008f5ab2
0x008f5ab3
0x008f5ab8
0x008f5ab8
0x008f5ac0
0x008f5ac5
0x008f5ac5
0x008f5ace
0x008f5ad3
0x008f5ae1
0x00000000
0x008f5ad5
0x008f5ad8
0x008f5add
0x008f5b4d
0x008f5b50
0x008f5b5a
0x008f5b68
0x008f5b68
0x008f5ae3
0x008f5ae7
0x008f5af9
0x008f5afb
0x00000000
0x00000000
0x008f5afd
0x008f5aff
0x008f5b17
0x008f5b21
0x008f5b2f
0x008f5b2f
0x008f5b34
0x008f5b39
0x008f5b41
0x008f5b45
0x008f5b01
0x008f5b01
0x008f5b01
0x00000000
0x008f5aff
0x008f5ae9
0x008f5af1
0x00000000
0x00000000
0x008f5af6
0x00000000
0x008f5af6

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F5A7D
std::_Lockit::_Lockit.LIBCPMT ref: 008F5AA0
std::bad_exception::bad_exception.LIBCMT ref: 008F5B21
__CxxThrowException@8.LIBCMT ref: 008F5B2F
std::_Facet_Register.LIBCPMT ref: 008F5B45

Strings

bad cast, xrefs: 008F5B19

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 227070478-3145022300
Opcode ID: 1461dc560f1fa782099aeaad48ec2f255950f65909fec019109494e168174dd4
Instruction ID: 2507a4c9041b549038221523b6f6ddd2702e08640dfb1e1fe1a7838cfe25783a
Opcode Fuzzy Hash: 1461dc560f1fa782099aeaad48ec2f255950f65909fec019109494e168174dd4
Instruction Fuzzy Hash: BA31A531904629DFCB11DF64D8C1AAEB7B4FB44724F144269EA15EB2A1DB31BD04CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008F5BB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E008F5BB0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v40;
				signed int _t26;
				void* _t39;
				signed int _t45;
				char _t47;
				intOrPtr _t51;
				signed int _t61;
				intOrPtr* _t64;
				signed int _t66;

				_push(0xffffffff);
				_push(0x9ac3f8);
				_push( *[fs:0x0]);
				_t26 =  *0x9e6310; // 0x57443789
				_push(_t26 ^ _t66);
				 *[fs:0x0] =  &_v16;
				E009290B8( &_v28, 0);
				_t61 =  *0x9ea300;
				_t47 =  *0x9ea308;
				_v8 = 0;
				_v20 = _t47;
				if(_t61 == 0) {
					E009290B8( &_v24, _t61);
					if( *0x9ea300 == _t61) {
						_t45 =  *0x9ea59c + 1;
						 *0x9ea59c = _t45;
						 *0x9ea300 = _t45;
					}
					E00929125( &_v24);
					_t61 =  *0x9ea300;
				}
				_t51 =  *_a4;
				if(_t61 >=  *((intOrPtr*)(_t51 + 0xc))) {
					_t64 = 0;
					goto L8;
				} else {
					_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 8)) + _t61 * 4));
					if(_t64 != 0) {
						L17:
						E00929125( &_v28);
						 *[fs:0x0] = _v16;
						return _t64;
					}
					L8:
					if( *((char*)(_t51 + 0x14)) == 0) {
						L11:
						if(_t64 != 0) {
							goto L17;
						}
						L12:
						if(_t47 == 0) {
							if(L008F14D8( &_v20, _a4) == 0xffffffff) {
								E0094FCFE( &_v40, "bad cast");
								E0094FF59( &_v40, 0x9d87bc);
							}
							_t64 = _v20;
							 *0x9ea308 = _t64;
							 *((intOrPtr*)( *_t64 + 4))();
							E00929BA1(_t64);
						} else {
							_t64 = _t47;
						}
						goto L17;
					}
					_t39 = E00929BC9();
					if(_t61 >=  *((intOrPtr*)(_t39 + 0xc))) {
						goto L12;
					}
					_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t39 + 8)) + _t61 * 4));
					goto L11;
				}
			}

0x008f5bb3
0x008f5bb5
0x008f5bc0
0x008f5bc7
0x008f5bce
0x008f5bd2
0x008f5bdd
0x008f5be2
0x008f5be8
0x008f5bee
0x008f5bf5
0x008f5bfa
0x008f5c00
0x008f5c0b
0x008f5c12
0x008f5c13
0x008f5c18
0x008f5c18
0x008f5c20
0x008f5c25
0x008f5c25
0x008f5c2e
0x008f5c33
0x008f5c41
0x00000000
0x008f5c35
0x008f5c38
0x008f5c3d
0x008f5cad
0x008f5cb0
0x008f5cba
0x008f5cc8
0x008f5cc8
0x008f5c43
0x008f5c47
0x008f5c59
0x008f5c5b
0x00000000
0x00000000
0x008f5c5d
0x008f5c5f
0x008f5c77
0x008f5c81
0x008f5c8f
0x008f5c8f
0x008f5c94
0x008f5c99
0x008f5ca1
0x008f5ca5
0x008f5c61
0x008f5c61
0x008f5c61
0x00000000
0x008f5c5f
0x008f5c49
0x008f5c51
0x00000000
0x00000000
0x008f5c56
0x00000000
0x008f5c56

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F5BDD
std::_Lockit::_Lockit.LIBCPMT ref: 008F5C00
std::bad_exception::bad_exception.LIBCMT ref: 008F5C81
__CxxThrowException@8.LIBCMT ref: 008F5C8F
std::_Facet_Register.LIBCPMT ref: 008F5CA5

Strings

bad cast, xrefs: 008F5C79

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 227070478-3145022300
Opcode ID: 966616fdc72ad0342e767140cc368312e77d334fc89a39951900cb93b84c6e54
Instruction ID: 51ceb15037d43a5f8e0b99bccededa2ee7ab213deafedfb6abeb25d964acfe65
Opcode Fuzzy Hash: 966616fdc72ad0342e767140cc368312e77d334fc89a39951900cb93b84c6e54
Instruction Fuzzy Hash: ED31E131904719DFCB10DF64E8D1BAEB7B4FB54724F114169EA16AB2A2DB31BD00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008F8510, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E008F8510(intOrPtr* __ecx) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				char _v40;
				char _v60;
				char _v80;
				void* __ebx;
				signed int _t35;
				signed int _t39;
				signed int _t43;
				void* _t54;
				signed int _t60;
				void* _t61;
				signed char _t63;
				signed int _t74;

				_push(0xffffffff);
				_push(0x9ac870);
				_push( *[fs:0x0]);
				_push(_t54);
				_t35 =  *0x9e6310; // 0x57443789
				_push(_t35 ^ _t74);
				 *[fs:0x0] =  &_v16;
				_v20 = _t74 - 0x40;
				_v8 = 0;
				_t39 =  *( *__ecx + 4);
				if( *((intOrPtr*)(_t39 + __ecx + 0xc)) != 0 || ( *(_t39 + __ecx + 0x14) & 0x00000002) == 0) {
					L11:
					 *[fs:0x0] = _v16;
					return _t39;
				} else {
					_t39 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + __ecx + 0x38)))) + 0x34))();
					if(_t39 != 0xffffffff) {
						goto L11;
					} else {
						_t60 =  *( *__ecx + 4);
						_t61 = _t60 + __ecx;
						_t43 =  *(_t60 + __ecx + 0xc) | 0x00000004;
						if( *((intOrPtr*)(_t61 + 0x38)) == 0) {
							_t43 = _t43 | 0x00000004;
						}
						_t39 = _t43 & 0x00000017;
						 *(_t61 + 0xc) = _t39;
						_t63 =  *(_t61 + 0x10) & _t39;
						if(_t63 == 0) {
							goto L11;
						} else {
							if((_t63 & 0x00000004) != 0) {
								_t63 =  &_v40;
								L008F1AF5(_t54, _t63, 1, 0x9e6000, "ios_base::badbit set");
								_v40 = 0x9c8be0;
								E0094FF59( &_v40, 0x9d870c);
							}
							if((_t63 & 0x00000002) != 0) {
								L008F1AF5(_t54,  &_v60, 1, 0x9e6000, "ios_base::failbit set");
								_v60 = 0x9c8be0;
								E0094FF59( &_v60, 0x9d870c);
							}
							L008F1AF5(_t54,  &_v80, 1, 0x9e6000, "ios_base::eofbit set");
							_v80 = 0x9c8be0;
							E0094FF59( &_v80, 0x9d870c);
							return 0x8f8624;
						}
					}
				}
			}

0x008f8513
0x008f8515
0x008f8520
0x008f8524
0x008f8527
0x008f852e
0x008f8532
0x008f8538
0x008f853f
0x008f8546
0x008f854e
0x008f8624
0x008f8627
0x008f8635
0x008f855f
0x008f8565
0x008f856b
0x00000000
0x008f8571
0x008f8573
0x008f857a
0x008f857c
0x008f8583
0x008f8585
0x008f8585
0x008f8588
0x008f858b
0x008f8591
0x008f8593
0x00000000
0x008f8599
0x008f859c
0x008f85aa
0x008f85ad
0x008f85ba
0x008f85c2
0x008f85c2
0x008f85ca
0x008f85db
0x008f85e8
0x008f85f0
0x008f85f0
0x008f8604
0x008f8611
0x008f8619
0x008f8623
0x008f8623
0x008f8593
0x008f856b

APIs

__CxxThrowException@8.LIBCMT ref: 008F85C2
__CxxThrowException@8.LIBCMT ref: 008F85F0
__CxxThrowException@8.LIBCMT ref: 008F8619

Strings

ios_base::badbit set, xrefs: 008F859E
ios_base::eofbit set, xrefs: 008F85F5
ios_base::failbit set, xrefs: 008F85CC

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: c4e1e28b1d97db06e05928004a638820baaacead6510534f7db38a8c4093a63b
Instruction ID: d3a76e9b1e708643ee93383f4120963123cc39778d09cc6b578e7156460daa8e
Opcode Fuzzy Hash: c4e1e28b1d97db06e05928004a638820baaacead6510534f7db38a8c4093a63b
Instruction Fuzzy Hash: 3B31AB70A00208EFCB24CB68C94AFA9B7F4FB54718F5040A9E516E76C2DBB5ED04CA40

Uniqueness

Uniqueness Score: -1.00%

Function 008F9010, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 15%

			E008F9010(void* __ebx, void* __ecx, signed int _a4, char _a8) {
				intOrPtr _v20;
				char _v24;
				char _v32;
				char _v40;
				intOrPtr _v48;
				signed int _t27;
				signed int _t29;
				void* _t35;
				void* _t38;
				signed int _t41;
				intOrPtr _t42;
				void* _t49;
				signed int _t51;
				void* _t56;
				signed int _t57;

				_t38 = __ebx;
				_t57 = _t56 - 0x14;
				_t27 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t27;
				_t41 =  *(__ecx + 0x10) & _t27;
				_t60 = _t41;
				if(_t41 == 0) {
					return _t27;
				} else {
					__eflags = _a8;
					if(_a8 != 0) {
						E0094FF59(0, 0);
						goto L8;
					} else {
						__eflags = __cl & 0x00000004;
						if((__cl & 0x00000004) != 0) {
							L8:
							__ecx =  &_v24;
							L008F1AF5(__ebx,  &_v24, 1, 0x9e6000, "ios_base::badbit set");
							_v24 = 0x9c8be0;
							E0094FF59( &_v24, 0x9d870c);
							goto L9;
						} else {
							__eflags = __cl & 0x00000002;
							__ecx =  &_v24;
							if((__cl & 0x00000002) != 0) {
								L9:
								_push("ios_base::failbit set");
							} else {
								_push("ios_base::eofbit set");
							}
						}
					}
					_push(0x9e6000);
					_push(1);
					L008F1AF5(__ebx, __ecx);
					_v24 = 0x9c8be0;
					E0094FF59( &_v24, 0x9d870c);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__ecx = __ecx -  *((intOrPtr*)(__ecx - 4));
					_push(0xffffffff);
					_push(0x9ac8ab);
					_push( *[fs:0x0]);
					_t29 =  *0x9e6310; // 0x57443789
					_push(_t29 ^ _t57);
					 *[fs:0x0] =  &_v40;
					_t51 = _t41;
					_push(0x2c);
					_t42 = E0094EEB3(_t38, _t49, _t60);
					_v48 = _t42;
					_v32 = 0;
					if(_t42 == 0) {
						L14:
						__eflags = 0;
						 *[fs:0x0] = _v20;
						return 0;
					} else {
						_v24 = 0;
						_t35 = L008F19E7(_t42, _t51 - 0x28, _v24, 1);
						if(_t35 == 0) {
							goto L14;
						} else {
							 *[fs:0x0] = _v20;
							return _t35 + 0x20 +  *((intOrPtr*)( *((intOrPtr*)(_t35 + 0x20)) + 4));
						}
					}
				}
			}

0x008f9010
0x008f9016
0x008f9019
0x008f901c
0x008f9022
0x008f9022
0x008f9024
0x008f9043
0x008f9026
0x008f9026
0x008f902a
0x008f904a
0x00000000
0x008f902c
0x008f902c
0x008f902f
0x008f904f
0x008f905b
0x008f905e
0x008f906b
0x008f9073
0x00000000
0x008f9031
0x008f9031
0x008f9034
0x008f9037
0x008f9078
0x008f9078
0x008f9039
0x008f9039
0x008f9039
0x008f9037
0x008f902f
0x008f907d
0x008f9082
0x008f9084
0x008f9091
0x008f9099
0x008f909e
0x008f909f
0x008f90a0
0x008f90a1
0x008f90a2
0x008f90a3
0x008f90a4
0x008f90a5
0x008f90a6
0x008f90a7
0x008f90a8
0x008f90a9
0x008f90aa
0x008f90ab
0x008f90ac
0x008f90ad
0x008f90ae
0x008f90af
0x008f90b0
0x008f90b1
0x008f90b2
0x008f90b3
0x008f90b4
0x008f90b5
0x008f90b6
0x008f90b7
0x008f90b8
0x008f90b9
0x008f90ba
0x008f90bb
0x008f90bc
0x008f90bd
0x008f90be
0x008f90bf
0x008f90c0
0x008f90c1
0x008f90c2
0x008f90d3
0x008f90d5
0x008f90e0
0x008f90e5
0x008f90ec
0x008f90f0
0x008f90f6
0x008f90f8
0x008f90ff
0x008f9104
0x008f9107
0x008f9110
0x008f9143
0x008f9143
0x008f9148
0x008f9154
0x008f9112
0x008f9114
0x008f911f
0x008f9126
0x00000000
0x008f9128
0x008f9136
0x008f9142
0x008f9142
0x008f9126
0x008f9110

APIs

__CxxThrowException@8.LIBCMT ref: 008F904A
__CxxThrowException@8.LIBCMT ref: 008F9073
__CxxThrowException@8.LIBCMT ref: 008F9099

Strings

ios_base::badbit set, xrefs: 008F904F
ios_base::eofbit set, xrefs: 008F9039
ios_base::failbit set, xrefs: 008F9078

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 17350444db7728a962ac2f9032a92290ae22216afddeefba51280a4b43bd9445
Instruction ID: e8fdcb28b6cdc51baddcbeda34252ade3e92460a440d0dd82654bb7865d0d6d8
Opcode Fuzzy Hash: 17350444db7728a962ac2f9032a92290ae22216afddeefba51280a4b43bd9445
Instruction Fuzzy Hash: EF01DD7094070D6BCF14EA74CA17FBE77B4AB90758F204054F645B51C3EEA5AA04CA67

Uniqueness

Uniqueness Score: -1.00%

Function 00922CE0, Relevance: 9.1, APIs: 6, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00922CE0(struct _CRITICAL_SECTION* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				struct _CRITICAL_SECTION* _v20;
				char _v24;
				struct _CRITICAL_SECTION* _v28;
				signed int _t36;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t53;
				struct _CRITICAL_SECTION* _t56;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t65;
				intOrPtr* _t66;
				struct _CRITICAL_SECTION* _t69;
				intOrPtr* _t70;
				signed int _t72;

				_push(0xffffffff);
				_push(0x9b09c0);
				_push( *[fs:0x0]);
				_t36 =  *0x9e6310; // 0x57443789
				_push(_t36 ^ _t72);
				 *[fs:0x0] =  &_v16;
				_t69 = __ecx;
				_v20 = __ecx;
				_v28 = __ecx;
				EnterCriticalSection(__ecx);
				_v24 = 1;
				_t65 =  *((intOrPtr*)(_t69 + 0x1c));
				_t53 = _a4;
				_v8 = 0;
				if(_t65 == 0) {
					L9:
					LeaveCriticalSection(_t69);
					_v24 = 0;
					_t70 = _a8( *((intOrPtr*)(_t69 + 0x18)));
					_a4 = _t70;
					 *((intOrPtr*)(_t70 + 4)) =  *_t53;
					_v8 = 1;
					 *((intOrPtr*)(_t70 + 8)) =  *((intOrPtr*)(_t53 + 4));
					EnterCriticalSection(_v20);
					_t56 = _v20;
					_v24 = 1;
					_t66 =  *((intOrPtr*)(_t56 + 0x1c));
					if(_t66 == 0) {
						L18:
						_t66 = _t70;
						 *((intOrPtr*)(_t70 + 0x10)) =  *((intOrPtr*)(_t56 + 0x1c));
						 *((intOrPtr*)(_t56 + 0x1c)) = _t70;
						_t70 = 0;
					} else {
						do {
							_t60 =  *((intOrPtr*)(_t66 + 8));
							if(_t60 == 0) {
								L13:
								_t61 =  *((intOrPtr*)(_t66 + 4));
								if( *((intOrPtr*)(_t66 + 4)) == 0) {
									goto L16;
								} else {
									_t47 =  *_t53;
									_t89 = _t47;
									if(_t47 == 0 || E00950B3E(_t61, _t89, _t47) == 0) {
										goto L16;
									}
								}
							} else {
								_t46 =  *((intOrPtr*)(_t53 + 4));
								if(_t46 == 0 || _t60 != _t46) {
									goto L13;
								}
							}
							goto L19;
							L16:
							_t66 =  *((intOrPtr*)(_t66 + 0x10));
						} while (_t66 != 0);
						_t56 = _v20;
						goto L18;
					}
					L19:
					_v8 = 0;
					if(_t70 != 0) {
						 *((intOrPtr*)( *_t70))(1);
					}
					_t69 = _v20;
				} else {
					do {
						_t62 =  *((intOrPtr*)(_t65 + 8));
						if(_t62 == 0) {
							L5:
							_t63 =  *((intOrPtr*)(_t65 + 4));
							if( *((intOrPtr*)(_t65 + 4)) == 0) {
								goto L8;
							} else {
								_t50 =  *_t53;
								_t81 = _t50;
								if(_t50 == 0 || E00950B3E(_t63, _t81, _t50) == 0) {
									goto L8;
								}
							}
						} else {
							_t49 =  *((intOrPtr*)(_t53 + 4));
							if(_t49 == 0 || _t62 != _t49) {
								goto L5;
							}
						}
						goto L22;
						L8:
						_t65 =  *((intOrPtr*)(_t65 + 0x10));
					} while (_t65 != 0);
					goto L9;
				}
				L22:
				LeaveCriticalSection(_t69);
				 *[fs:0x0] = _v16;
				return _t66;
			}

0x00922ce3
0x00922ce5
0x00922cf0
0x00922cf7
0x00922cfe
0x00922d02
0x00922d08
0x00922d0a
0x00922d0e
0x00922d11
0x00922d17
0x00922d1b
0x00922d1e
0x00922d21
0x00922d2a
0x00922d68
0x00922d69
0x00922d72
0x00922d79
0x00922d7e
0x00922d86
0x00922d8c
0x00922d90
0x00922d93
0x00922d99
0x00922d9c
0x00922da0
0x00922da5
0x00922dda
0x00922ddd
0x00922ddf
0x00922de2
0x00922de5
0x00922da7
0x00922da7
0x00922da7
0x00922dac
0x00922db9
0x00922db9
0x00922dbe
0x00000000
0x00922dc0
0x00922dc0
0x00922dc2
0x00922dc4
0x00000000
0x00000000
0x00922dc4
0x00922dae
0x00922dae
0x00922db3
0x00000000
0x00000000
0x00922db3
0x00000000
0x00922dd0
0x00922dd0
0x00922dd3
0x00922dd7
0x00000000
0x00922dd7
0x00922de7
0x00922de7
0x00922ded
0x00922df5
0x00922df5
0x00922df7
0x00922d30
0x00922d30
0x00922d30
0x00922d35
0x00922d46
0x00922d46
0x00922d4b
0x00000000
0x00922d4d
0x00922d4d
0x00922d4f
0x00922d51
0x00000000
0x00000000
0x00922d51
0x00922d37
0x00922d37
0x00922d3c
0x00000000
0x00000000
0x00922d3c
0x00000000
0x00922d61
0x00922d61
0x00922d64
0x00000000
0x00922d30
0x00922dfa
0x00922dfb
0x00922e06
0x00922e14

APIs

EnterCriticalSection.KERNEL32(00000003,57443789,00000008,00000030,?), ref: 00922D11
type_info::operator==.LIBCMT ref: 00922D54
LeaveCriticalSection.KERNEL32(00000003), ref: 00922D69
EnterCriticalSection.KERNEL32(?), ref: 00922D93
type_info::operator==.LIBCMT ref: 00922DC7
LeaveCriticalSection.KERNEL32(?), ref: 00922DFB

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: CriticalSection$EnterLeavetype_info::operator==
String ID:
API String ID: 262606368-0
Opcode ID: 107f37bd045606dcf933896229a422a8677836e3aea23386ca14f3fbeaa4bbea
Instruction ID: ca2e05ddc736f796773915d32c64d28db870aa6155f5a7e3819171d1ac046510
Opcode Fuzzy Hash: 107f37bd045606dcf933896229a422a8677836e3aea23386ca14f3fbeaa4bbea
Instruction Fuzzy Hash: 11418835A01665ABDF24CF69E880BAABBB8FF45710F14855EEC159B784D731ED00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009288F0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E009288F0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8, signed int _a12, intOrPtr _a16) {
				signed int _t27;
				intOrPtr _t34;
				signed int _t42;
				intOrPtr* _t52;
				intOrPtr* _t54;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr _t65;
				intOrPtr* _t66;
				void* _t69;
				intOrPtr* _t72;
				void* _t77;

				_push(__ebx);
				_push(__esi);
				_t72 = __ecx;
				_push(__edi);
				_t62 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t62 < _a4) {
					L35:
					_push("invalid string position");
					E009295C5(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__eflags = 0;
					return 0;
				} else {
					_t52 = _a8;
					_t27 = _a12;
					_t56 =  *((intOrPtr*)(_t52 + 0x10));
					if(_t56 < _t27) {
						goto L35;
					} else {
						_t69 =  <  ? _t56 - _t27 : _a16;
						if((_t27 | 0xffffffff) - _t62 <= _t69) {
							_push("string too long");
							E00929597(__eflags);
							goto L35;
						} else {
							if(_t69 != 0) {
								_a16 = _t62 + _t69;
								if(L008F1154(_t52, __ecx, _t69, __ecx, _t62 + _t69, 0) != 0) {
									_t34 =  *((intOrPtr*)(__ecx + 0x14));
									if(_t34 < 0x10) {
										_a8 = __ecx;
									} else {
										_a8 =  *__ecx;
									}
									if(_t34 < 0x10) {
										_t63 = _t72;
									} else {
										_t63 =  *_t72;
									}
									_t59 = _a4;
									_t36 =  *((intOrPtr*)(_t72 + 0x10)) != _t59;
									if( *((intOrPtr*)(_t72 + 0x10)) != _t59) {
										E0094F050(_t63 + _t59 + _t69, _a8 + _t59, _t36);
										_t59 = _a4;
										_t77 = _t77 + 0xc;
									}
									if(_t72 != _t52) {
										__eflags =  *((intOrPtr*)(_t52 + 0x14)) - 0x10;
										if( *((intOrPtr*)(_t52 + 0x14)) >= 0x10) {
											_t52 =  *_t52;
										}
										__eflags =  *((intOrPtr*)(_t72 + 0x14)) - 0x10;
										if( *((intOrPtr*)(_t72 + 0x14)) < 0x10) {
											_t64 = _t72;
										} else {
											_t64 =  *_t72;
										}
										__eflags = _t69;
										if(_t69 != 0) {
											__eflags = _a12 + _t52;
											E00950440(_t64 + _t59, _a12 + _t52, _t69);
											goto L31;
										}
									} else {
										_t42 = _a12;
										if(_t59 < _t42) {
											_t42 = _t42 + _t69;
										}
										_t65 =  *((intOrPtr*)(_t72 + 0x14));
										if(_t65 < 0x10) {
											_t54 = _t72;
										} else {
											_t54 =  *_t72;
										}
										if(_t65 < 0x10) {
											_t66 = _t72;
										} else {
											_t66 =  *_t72;
										}
										if(_t69 != 0) {
											E0094F050(_t66 + _t59, _t42 + _t54, _t69);
											L31:
										}
									}
									L008F1825(_t72, _a16);
								}
							}
							return _t72;
						}
					}
				}
			}

0x009288f3
0x009288f4
0x009288f5
0x009288f7
0x009288f8
0x009288fe
0x00928a0c
0x00928a0c
0x00928a11
0x00928a16
0x00928a17
0x00928a18
0x00928a19
0x00928a1a
0x00928a1b
0x00928a1c
0x00928a1d
0x00928a1e
0x00928a1f
0x00928a20
0x00928a22
0x00928904
0x00928904
0x00928907
0x0092890a
0x0092890f
0x00000000
0x00928915
0x0092891c
0x00928926
0x00928a02
0x00928a07
0x00000000
0x0092892c
0x0092892e
0x0092893c
0x00928946
0x0092894c
0x00928952
0x0092895b
0x00928954
0x00928956
0x00928956
0x00928961
0x00928967
0x00928963
0x00928963
0x00928963
0x0092896c
0x0092896f
0x00928971
0x00928980
0x00928985
0x00928988
0x00928988
0x0092898d
0x009289c4
0x009289c8
0x009289ca
0x009289ca
0x009289cc
0x009289d0
0x009289d6
0x009289d2
0x009289d2
0x009289d2
0x009289d8
0x009289da
0x009289df
0x009289e7
0x00000000
0x009289e7
0x0092898f
0x0092898f
0x00928994
0x00928996
0x00928996
0x00928998
0x0092899e
0x009289a4
0x009289a0
0x009289a0
0x009289a0
0x009289a9
0x009289af
0x009289ab
0x009289ab
0x009289ab
0x009289b3
0x009289bd
0x009289ec
0x009289ec
0x009289b3
0x009289f4
0x009289f4
0x00928946
0x009289ff
0x009289ff
0x00928926
0x0092890f

APIs

_memmove.LIBCMT ref: 00928980
_memmove.LIBCMT ref: 009289BD
_memmove.LIBCMT ref: 009289E7

Strings

invalid string position, xrefs: 00928A0C
string too long, xrefs: 00928A02

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 2f29d0c0a7b0bb62310f6cddbc47fa5197cfe83f97359a050a5150d9e00aa69c
Instruction ID: 2e1981bdf26600ad6b744563077d9caffa09197337b669a249bac83c6477ebb9
Opcode Fuzzy Hash: 2f29d0c0a7b0bb62310f6cddbc47fa5197cfe83f97359a050a5150d9e00aa69c
Instruction Fuzzy Hash: F631B7753022269BDF18DE18E985D7F776AEFC4740720492AE8558738ADF31EC808B96

Uniqueness

Uniqueness Score: -1.00%

Function 00948F40, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00948F40(intOrPtr* __ecx, intOrPtr __edx, void* __edi, char* _a4) {
				intOrPtr _v4;
				char _v8;
				intOrPtr _v12;
				_Unknown_base(*)()* _v16;
				intOrPtr _v20;
				char* _t32;
				char* _t33;
				void* _t34;
				intOrPtr _t35;
				_Unknown_base(*)()* _t37;
				char* _t38;
				intOrPtr _t40;
				_Unknown_base(*)()* _t42;
				_Unknown_base(*)()* _t44;
				intOrPtr _t45;
				intOrPtr _t47;
				char _t48;
				void* _t49;
				void* _t51;
				intOrPtr* _t54;

				_t49 = __edi;
				_t47 = __edx;
				_t54 = __ecx;
				if(( *(__ecx + 8) &  *(__ecx + 0xc)) != 0xffffffff) {
					__eflags =  *((char*)(__ecx + 0x10));
					if(__eflags == 0) {
						E00902500(__edx, __eflags,  &_v16, E00902820);
						_t55 = _t54 + 0x18;
						_t40 =  *((intOrPtr*)(_t54 + 0x18));
						__eflags = _v12 -  *((intOrPtr*)(_t54 + 0x1c));
						if(__eflags < 0) {
							L17:
							E00949520( &_v8, _t55,  &_v16);
							_t42 = E00951400(_v8, _v4, 0x3e8, 0) + 1;
							__eflags = _t42;
							asm("adc edx, 0x0");
							_v20 = _t47;
							if(_t42 != 0) {
								L20:
								_t48 = 1;
							} else {
								__eflags = _t42 - 0xfffffffe;
								if(_t42 > 0xfffffffe) {
									goto L20;
								} else {
									_t48 = 0;
								}
							}
							goto L21;
						} else {
							if(__eflags > 0) {
								L16:
								_t33 = _a4;
								 *_t33 = 0;
								 *((intOrPtr*)(_t33 + 4)) = 0;
								return _t33;
							} else {
								__eflags = _v16 - _t40;
								if(_v16 < _t40) {
									goto L17;
								} else {
									goto L16;
								}
							}
						}
					} else {
						_t44 =  *0x9ea3ec;
						__eflags = _t44;
						if(_t44 == 0) {
							_t37 = GetProcAddress(GetModuleHandleW(L"KERNEL32.DLL"), "GetTickCount64");
							__eflags = _t37;
							_t44 =  !=  ? _t37 : 0x901db0;
							 *0x9ea3ec = 0x901db0;
						}
						_t34 =  *_t44(_t49);
						_t45 =  *((intOrPtr*)(_t54 + 8));
						_t51 = _t34 -  *_t54;
						_t35 =  *((intOrPtr*)(_t54 + 0xc));
						asm("sbb edx, [esi+0x4]");
						__eflags = _t47 - _t35;
						if(__eflags > 0) {
							L11:
							asm("xorps xmm0, xmm0");
							asm("movlpd [esp+0x8], xmm0");
							_t42 = _v16;
							goto L12;
						} else {
							if(__eflags < 0) {
								L8:
								_t42 = _t45 - _t51;
								__eflags = _t42;
								asm("sbb eax, edx");
								_v12 = _t35;
								if(_t42 != 0) {
									L10:
									_t48 = 1;
								} else {
									__eflags = _t42 - 0xfffffffe;
									if(_t42 <= 0xfffffffe) {
										L12:
										_t48 = 0;
									} else {
										goto L10;
									}
								}
							} else {
								__eflags = _t51 - _t45;
								if(_t51 >= _t45) {
									goto L11;
								} else {
									goto L8;
								}
							}
						}
						L21:
						_t32 = _a4;
						__eflags = _t48;
						_t43 =  !=  ? 0xfffffffe : _t42;
						 *((intOrPtr*)(_t32 + 4)) =  !=  ? 0xfffffffe : _t42;
						 *_t32 = _t48;
						return _t32;
					}
				} else {
					_t38 = _a4;
					 *_t38 = 1;
					 *((intOrPtr*)(_t38 + 4)) = 0xfffffffe;
					return _t38;
				}
			}

0x00948f40
0x00948f40
0x00948f44
0x00948f4f
0x00948f66
0x00948f6a
0x00948ff0
0x00948ff8
0x00948ffe
0x00949000
0x00949004
0x00949023
0x0094902e
0x0094904c
0x0094904c
0x0094904f
0x00949052
0x00949056
0x00949061
0x00949061
0x00949058
0x00949058
0x0094905b
0x00000000
0x0094905d
0x0094905d
0x0094905d
0x0094905b
0x00000000
0x00949006
0x00949006
0x0094900e
0x0094900e
0x00949013
0x00949016
0x00949020
0x00949008
0x00949008
0x0094900c
0x00000000
0x00000000
0x00000000
0x00000000
0x0094900c
0x00949006
0x00948f6c
0x00948f6c
0x00948f72
0x00948f74
0x00948f87
0x00948f8d
0x00948f94
0x00948f97
0x00948f97
0x00948f9e
0x00948fa0
0x00948fa5
0x00948fa7
0x00948faa
0x00948fad
0x00948faf
0x00948fd1
0x00948fd1
0x00948fd4
0x00948fda
0x00000000
0x00948fb1
0x00948fb1
0x00948fb7
0x00948fb7
0x00948fb7
0x00948fb9
0x00948fbb
0x00948fbf
0x00948fc6
0x00948fc6
0x00948fc1
0x00948fc1
0x00948fc4
0x00948fde
0x00948fde
0x00000000
0x00000000
0x00000000
0x00948fc4
0x00948fb3
0x00948fb3
0x00948fb5
0x00000000
0x00000000
0x00000000
0x00000000
0x00948fb5
0x00948fb1
0x00949066
0x00949066
0x0094906a
0x00949071
0x00949075
0x00949078
0x0094907d
0x0094907d
0x00948f51
0x00948f51
0x00948f56
0x00948f59
0x00948f63
0x00948f63

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,GetTickCount64,00000000), ref: 00948F80
GetProcAddress.KERNEL32(00000000), ref: 00948F87

Strings

KERNEL32.DLL, xrefs: 00948F7B
GetTickCount64, xrefs: 00948F76

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 1646373207-3320051239
Opcode ID: 0b455dd392867267fb64238bd455c49c0ffbb7340c164d4f9a0d47b0ca2a885a
Instruction ID: 0dd4a5bd275f2b81f6c1c845b7e04466a7eaac20063cb566e5b79742b0956b46
Opcode Fuzzy Hash: 0b455dd392867267fb64238bd455c49c0ffbb7340c164d4f9a0d47b0ca2a885a
Instruction Fuzzy Hash: 85319131A087419FD714DB28C884F6BBBDAAFD4760F148A6DF056872E1E7709C488B82

Uniqueness

Uniqueness Score: -1.00%

Function 008F9CB0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E008F9CB0(void* __ebx, intOrPtr* __ecx) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				intOrPtr* _v24;
				char _v44;
				signed int _t37;
				intOrPtr* _t44;
				signed int _t56;
				signed int _t57;
				void* _t64;
				intOrPtr* _t70;
				intOrPtr _t73;
				void* _t74;
				signed char _t76;
				char* _t77;
				intOrPtr* _t79;
				signed int _t81;

				_t64 = __ebx;
				_push(0xffffffff);
				_push(0x9ac968);
				_push( *[fs:0x0]);
				_t37 =  *0x9e6310; // 0x57443789
				_push(_t37 ^ _t81);
				 *[fs:0x0] =  &_v16;
				_t79 = __ecx;
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 4)) + __ecx + 0x38)) == 0) {
					L16:
					 *[fs:0x0] = _v16;
					return _t79;
				}
				L008F162C(__ecx);
				_v8 = 0;
				if(_v20 == 0 ||  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 4)) + __ecx + 0x38)))) + 0x34))() != 0xffffffff) {
					L12:
					_v8 = 0xffffffff;
					_t44 = L00929236(__eflags);
					__eflags = _t44;
					if(_t44 == 0) {
						L008F167C(_v24);
					}
					_t70 =  *((intOrPtr*)( *((intOrPtr*)( *_v24 + 4)) + _v24 + 0x38));
					__eflags = _t70;
					if(_t70 != 0) {
						 *((intOrPtr*)( *_t70 + 8))();
					}
					goto L16;
				} else {
					_t73 =  *((intOrPtr*)( *__ecx + 4));
					_t74 = _t73 + __ecx;
					_t56 =  *(_t73 + __ecx + 0xc) | 0x00000004;
					if( *((intOrPtr*)(_t74 + 0x38)) == 0) {
						_t56 = _t56 | 0x00000004;
					}
					_t57 = _t56 & 0x00000017;
					 *(_t74 + 0xc) = _t57;
					_t76 =  *(_t74 + 0x10) & _t57;
					if(_t76 == 0) {
						goto L12;
					} else {
						if((_t76 & 0x00000004) != 0) {
							_t76 =  &_v44;
							L008F1AF5(_t64, _t76, 1, 0x9e6000, "ios_base::badbit set");
							_v44 = 0x9c8be0;
							E0094FF59( &_v44, 0x9d870c);
						}
						_t77 =  &_v44;
						if((_t76 & 0x00000002) == 0) {
							L11:
							_push("ios_base::eofbit set");
							goto L10;
						} else {
							_push("ios_base::failbit set");
							L10:
							_push(0x9e6000);
							_push(1);
							L008F1AF5(_t64, _t77);
							_v44 = 0x9c8be0;
							E0094FF59( &_v44, 0x9d870c);
							goto L11;
						}
					}
				}
			}

0x008f9cb0
0x008f9cb3
0x008f9cb5
0x008f9cc0
0x008f9cc5
0x008f9ccc
0x008f9cd0
0x008f9cd6
0x008f9ce2
0x008f9dcd
0x008f9dd2
0x008f9dde
0x008f9dde
0x008f9cec
0x008f9cf5
0x008f9cfc
0x008f9da0
0x008f9da0
0x008f9da7
0x008f9dac
0x008f9dae
0x008f9db3
0x008f9db3
0x008f9dc0
0x008f9dc4
0x008f9dc6
0x008f9dca
0x008f9dca
0x00000000
0x008f9d19
0x008f9d1b
0x008f9d22
0x008f9d24
0x008f9d2b
0x008f9d2d
0x008f9d2d
0x008f9d30
0x008f9d33
0x008f9d39
0x008f9d3b
0x00000000
0x008f9d3d
0x008f9d40
0x008f9d4e
0x008f9d51
0x008f9d5e
0x008f9d66
0x008f9d66
0x008f9d6e
0x008f9d71
0x008f9d99
0x008f9d99
0x00000000
0x008f9d73
0x008f9d73
0x008f9d78
0x008f9d78
0x008f9d7d
0x008f9d7f
0x008f9d8c
0x008f9d94
0x00000000
0x008f9d94
0x008f9d71
0x008f9d3b

APIs

__CxxThrowException@8.LIBCMT ref: 008F9D66
__CxxThrowException@8.LIBCMT ref: 008F9D94

Strings

ios_base::badbit set, xrefs: 008F9D42
ios_base::eofbit set, xrefs: 008F9D99
ios_base::failbit set, xrefs: 008F9D73

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 8a1e65e01f28d97476bf752f99290ceccfe9cfb2617b0dee2eee5d68c6c77f7b
Instruction ID: 89e4aea9525587cdaa2c20a0db332276b892d19b5a79d13236c3042eddbeb280
Opcode Fuzzy Hash: 8a1e65e01f28d97476bf752f99290ceccfe9cfb2617b0dee2eee5d68c6c77f7b
Instruction Fuzzy Hash: DA317774A002089FCB24EB68C986FA977E4FB48728F644158E642EB6D2DB71AD44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008F2C80, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E008F2C80(void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t19;
				long _t21;
				long _t23;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t35;

				_t31 = _t35;
				_t21 = TlsAlloc();
				if(_t21 != 0xffffffff) {
					L2:
					 *0x9ea478 = _t21;
					return E0094F034(_t43, 0x9b9900);
				} else {
					_t26 = GetLastError();
					_t10 = E0094A830();
					_v12 = _t26;
					_t43 = _t26;
					_v8 = _t10;
					_pop(_t27);
					if(_t26 != 0) {
						E00913940(_t21, _t27, __eflags,  &_v12, "tss");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t31);
						_push(_t21);
						_t23 = TlsAlloc();
						__eflags = _t23 - 0xffffffff;
						if(__eflags != 0) {
							L6:
							 *0x9ea468 = _t23;
							return E0094F034(__eflags, 0x9b9910);
						} else {
							_t28 = GetLastError();
							_t16 = E0094A830();
							_v16 = _t28;
							__eflags = _t28;
							_v12 = _t16;
							_t29 = _t27;
							if(__eflags != 0) {
								E00913940(_t23, _t29, __eflags,  &_v16, "tss");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_t19 = E0094A830();
								 *0x9ea4e8 = _t19;
								return _t19;
							} else {
								goto L6;
							}
						}
					} else {
						goto L2;
					}
				}
			}

0x008f2c81
0x008f2c8d
0x008f2c92
0x008f2cad
0x008f2cb2
0x008f2cc4
0x008f2c94
0x008f2c9b
0x008f2c9d
0x008f2ca2
0x008f2ca5
0x008f2ca7
0x008f2caa
0x008f2cab
0x008f2cce
0x008f2cd3
0x008f2cd4
0x008f2cd5
0x008f2cd6
0x008f2cd7
0x008f2cd8
0x008f2cd9
0x008f2cda
0x008f2cdb
0x008f2cdc
0x008f2cdd
0x008f2cde
0x008f2cdf
0x008f2ce0
0x008f2ce6
0x008f2ced
0x008f2cef
0x008f2cf2
0x008f2d0d
0x008f2d12
0x008f2d24
0x008f2cf4
0x008f2cfb
0x008f2cfd
0x008f2d02
0x008f2d05
0x008f2d07
0x008f2d0a
0x008f2d0b
0x008f2d2e
0x008f2d33
0x008f2d34
0x008f2d35
0x008f2d36
0x008f2d37
0x008f2d38
0x008f2d39
0x008f2d3a
0x008f2d3b
0x008f2d3c
0x008f2d3d
0x008f2d3e
0x008f2d3f
0x008f2d40
0x008f2d45
0x008f2d4a
0x00000000
0x00000000
0x00000000
0x008f2d0b
0x00000000
0x00000000
0x00000000
0x008f2cab

APIs

TlsAlloc.KERNEL32 ref: 008F2C87
GetLastError.KERNEL32 ref: 008F2C95
TlsAlloc.KERNEL32(00000000,tss), ref: 008F2CE7
GetLastError.KERNEL32 ref: 008F2CF5

Part of subcall function 00913940: std::exception::exception.LIBCMT ref: 0091397F

Strings

tss, xrefs: 008F2CC5, 008F2D25

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AllocErrorLast$std::exception::exception
String ID: tss
API String ID: 3465236094-1638339373
Opcode ID: f3c738473379bb02d32df514438be6408deaf0872b15182be29c988defd1f241
Instruction ID: 5bb3267cc070857d68c27e369ae44f1b782451185283cc0104d0b7141ac9e39d
Opcode Fuzzy Hash: f3c738473379bb02d32df514438be6408deaf0872b15182be29c988defd1f241
Instruction Fuzzy Hash: 5C114071C5A21C9B9711BBB46D4A8EE7778DAC1731F000266FD0097390E7704D4397E2

Uniqueness

Uniqueness Score: -1.00%

Function 0091A220, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E0091A220(intOrPtr _a4, intOrPtr _a8) {
				struct _SECURITY_DESCRIPTOR* _v8;
				struct _ACL* _v12;
				int _v16;
				int _v20;
				void** _t16;
				int _t21;
				signed int _t23;

				_push(0);
				_t16 =  &_v8;
				_v8 = 0;
				_push(_t16);
				_push(1);
				_push(L"S:(ML;;NW;;;LW)");
				_t23 = 0;
				_v12 = 0;
				_v20 = 0;
				_v16 = 0;
				L009794CA();
				if(_t16 != 0) {
					_t21 = GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16);
					if(_t21 != 0) {
						__imp__SetSecurityInfo(_a4, _a8, 0x10, 0, 0, 0, _v12);
						_t23 = 0 | _t21 == 0x00000000;
					}
					LocalFree(_v8);
				}
				return _t23;
			}

0x0091a227
0x0091a229
0x0091a22c
0x0091a233
0x0091a234
0x0091a236
0x0091a23b
0x0091a23d
0x0091a244
0x0091a24b
0x0091a252
0x0091a259
0x0091a26a
0x0091a272
0x0091a285
0x0091a28d
0x0091a28d
0x0091a293
0x0091a293
0x0091a29f

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,00000006,00000000), ref: 0091A252
GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000,00000008), ref: 0091A26A
SetSecurityInfo.ADVAPI32(00000000,00000000,00000010,00000000,00000000,00000000,00000000), ref: 0091A285
LocalFree.KERNEL32(00000000), ref: 0091A293

Strings

S:(ML;;NW;;;LW), xrefs: 0091A236

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Security$Descriptor$ConvertFreeInfoLocalSaclString
String ID: S:(ML;;NW;;;LW)
API String ID: 3116297227-495562761
Opcode ID: a9d835b7980b13aef53d8de5d774ea78dc3e95b62d4823e7cf544edd6123090e
Instruction ID: ea53dc4c26d46d9a4ade60d92b46828172977a3c7aa2cdf97b6142b205528029
Opcode Fuzzy Hash: a9d835b7980b13aef53d8de5d774ea78dc3e95b62d4823e7cf544edd6123090e
Instruction Fuzzy Hash: 5D012875A4520CBAEF119FA1CC46BDEBBBCAB04700F104451B914AA1A0D7B29A58EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00962C0C, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00962C0C(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x9eb1d4, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x9eb70c - _t7;
								if(__eflags == 0) {
									_t9 = E00954BEF(__eflags);
									 *_t9 = E00954C48(GetLastError());
									goto L17;
								} else {
									__eflags = E0095BE69(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00954BEF(__eflags);
										 *_t12 = E00954C48(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0095BE69(_t6, _t31);
						 *((intOrPtr*)(E00954BEF(__eflags))) = 0xc;
						goto L12;
					} else {
						E0094FC75(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00951738(__ebx, __edx, __edi, _a8);
				}
			}

0x00962c13
0x00962c21
0x00962c24
0x00962c26
0x00962c35
0x00962c68
0x00962c68
0x00962c6b
0x00000000
0x00000000
0x00962c38
0x00962c3a
0x00962c3c
0x00962c3c
0x00962c3c
0x00962c49
0x00962c4f
0x00962c51
0x00962c53
0x00962cb3
0x00962cb3
0x00962c55
0x00962c55
0x00962c5b
0x00962c9d
0x00962cb1
0x00000000
0x00962c5d
0x00962c64
0x00962c66
0x00962c85
0x00962c99
0x00962c7f
0x00962c7f
0x00962c7f
0x00000000
0x00000000
0x00000000
0x00962c66
0x00962c5b
0x00000000
0x00962c81
0x00962c6e
0x00962c79
0x00000000
0x00962c28
0x00962c2b
0x00962c31
0x00962c31
0x00962c82
0x00962c84
0x00962c15
0x00962c1f
0x00962c1f

APIs

_malloc.LIBCMT ref: 00962C18

Part of subcall function 00951738: __FF_MSGBANNER.LIBCMT ref: 0095174F
Part of subcall function 00951738: __NMSG_WRITE.LIBCMT ref: 00951756
Part of subcall function 00951738: HeapAlloc.KERNEL32(?,00000000,00000001,?,?,?,?,0094EED0,?), ref: 0095177B

_free.LIBCMT ref: 00962C2B

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 134daf769b8b117b070da1a610b9968f951a6a835a49f249a5f9e0b8350cc784
Instruction ID: 201c655e83ca4790f8645e40c12017a90b1630aee10ac93fed9d16f25234011a
Opcode Fuzzy Hash: 134daf769b8b117b070da1a610b9968f951a6a835a49f249a5f9e0b8350cc784
Instruction Fuzzy Hash: 4D113632409A16ABCB207F75ED4675E3B9C9F94362B208965FD859E160DB3CCC849790

Uniqueness

Uniqueness Score: -1.00%

Function 00901E50, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00901E50(void* __ebx, void* __edx, void* __edi, signed int _a4, signed int _a8, short _a12) {
				signed int _v8;
				char _v270;
				struct _OSVERSIONINFOEXW _v292;
				void* __esi;
				signed int _t19;
				void* _t41;
				intOrPtr* _t43;
				signed int _t44;

				_t41 = __edx;
				_t19 =  *0x9e6310; // 0x57443789
				_v8 = _t19 ^ _t44;
				_v292.dwOSVersionInfoSize = 0x11c;
				_v292.szCSDVersion = 0;
				_v292.dwMajorVersion = 0;
				_v292.dwMinorVersion = 0;
				_v292.dwBuildNumber = 0;
				_v292.dwPlatformId = 0;
				E00950A90( &_v270, 0, 0xfe);
				_t43 = __imp__VerSetConditionMask;
				_v292.wServicePackMajor = 0;
				_v292.wSuiteMask = 0;
				 *_t43(0, 0, 2, 3, 1, 3, 0x20, 3);
				 *_t43(0, _t41);
				 *_t43(0, _t41);
				_v292.dwMajorVersion = _a4 & 0x0000ffff;
				_v292.dwMinorVersion = _a8 & 0x0000ffff;
				_v292.wServicePackMajor = _a12;
				VerifyVersionInfoW( &_v292, 0x23, 0);
				asm("sbb eax, eax");
				return E0094FF4A(__ebx, _v8 ^ _t44, _t41, __edi, _t43, _t41);
			}

0x00901e50
0x00901e59
0x00901e60
0x00901e66
0x00901e76
0x00901e84
0x00901e8e
0x00901e98
0x00901ea2
0x00901eac
0x00901eb1
0x00901ebc
0x00901ebf
0x00901ed0
0x00901ed4
0x00901ed8
0x00901ee0
0x00901ef6
0x00901f00
0x00901f04
0x00901f10
0x00901f1e

APIs

_memset.LIBCMT ref: 00901EAC
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,?), ref: 00901ED0
VerSetConditionMask.KERNEL32(00000000,?,?,?,?), ref: 00901ED4
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,?), ref: 00901ED8
VerifyVersionInfoW.KERNEL32 ref: 00901F04

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: bc1ff08080675ad17ccc378231d58b5db5712166174ffb6e40ac3a4051262e85
Instruction ID: 8a1ae308fbf60fc045fee83854544e8dc8925bd3fa8426287a37935f5e613dc4
Opcode Fuzzy Hash: bc1ff08080675ad17ccc378231d58b5db5712166174ffb6e40ac3a4051262e85
Instruction Fuzzy Hash: 12211F70E4431CAFDB64DF65DC56BEA7BB8EF48700F008599B649EB280D6B45B448F90

Uniqueness

Uniqueness Score: -1.00%

Function 0091B800, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0091B800() {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				intOrPtr* _t45;
				void* _t82;
				intOrPtr* _t91;
				intOrPtr* _t92;
				void* _t93;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t113;

				_push(0x2c);
				_t45 = E0094EEB3(_t82, _t93, _t113);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_v8 = "bad allocation";
					E0094FD76( &_v20,  &_v8);
					_v20 = 0x9c77b4;
					E0094FF59( &_v20, 0x9dd784);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0094FDB4( &_v52);
					_v52 = 0x9c7808;
					E0094FF59( &_v52, 0x9dd874);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0094FD51( &_v76,  &_v56);
					_v76 = 0x9c77cc;
					E0094FF59( &_v76, 0x9dd7a0);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0094FD51( &_v72,  &_v52);
					_v72 = 0x9c77d8;
					E0094FF59( &_v72, 0x9dd7dc);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0094FD51( &_v88,  &_v68);
					_v88 = 0x9c77e4;
					E0094FF59( &_v88, 0x9dd818);
					asm("int3");
					_push(_t108);
					E0094FD51( &_v116,  &_v96);
					_v116 = 0x9c77fc;
					E0094FF59( &_v116, 0x9dd838);
					asm("int3");
					_push(_t109);
					E00929370( &_v148, _v124);
					E0094FF59( &_v148, 0x9dd8ac);
					asm("int3");
					_push(_t109 - 0xc);
					E0094FD51( &_v176,  &_v156);
					_v176 = 0x9c77f0;
					E0094FF59( &_v176, 0x9d86a8);
					asm("int3");
					return "bad function call";
				} else {
					_t1 = _t45 + 4; // 0x4
					_t91 = _t1;
					 *_t45 = _t45;
					if(_t91 != 0) {
						 *_t91 = _t45;
					}
					_t92 = _t45 + 8;
					if(_t92 != 0) {
						 *_t92 = _t45;
					}
					 *((short*)(_t45 + 0xc)) = 0x101;
					return _t45;
				}
			}

0x0091b800
0x0091b802
0x0091b807
0x0091b80c
0x00929517
0x0092951a
0x0092951f
0x0092952a
0x00929537
0x0092953f
0x00929544
0x00929545
0x00929548
0x0092954e
0x0092955b
0x00929563
0x00929568
0x00929569
0x0092956a
0x0092956c
0x0092957c
0x00929589
0x00929591
0x00929596
0x00929597
0x00929598
0x0092959a
0x009295aa
0x009295b7
0x009295bf
0x009295c4
0x009295c5
0x009295c8
0x009295d8
0x009295e5
0x009295ed
0x009295f2
0x009295f3
0x00929606
0x00929613
0x0092961b
0x00929620
0x00929621
0x0092962d
0x0092963b
0x00929640
0x00929641
0x00929654
0x00929661
0x00929669
0x0092966e
0x00929674
0x0091b812
0x0091b812
0x0091b812
0x0091b815
0x0091b819
0x0091b81b
0x0091b81b
0x0091b81d
0x0091b822
0x0091b824
0x0091b824
0x0091b826
0x0091b82c
0x0091b82c

APIs

std::exception::exception.LIBCMT ref: 0092952A
__CxxThrowException@8.LIBCMT ref: 0092953F
__CxxThrowException@8.LIBCMT ref: 00929563
std::exception::exception.LIBCMT ref: 0092957C
__CxxThrowException@8.LIBCMT ref: 00929591

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception
String ID:
API String ID: 2370478142-0
Opcode ID: a2fe2ece76c2e6d84e4c6b7aa10fdcdc439feb1ead15dfff4aeb82fe24b3b7b9
Instruction ID: 8d01c27f18cce7a3aca34328770a722181e4fd26c69a1dd917b6954dc40f6819
Opcode Fuzzy Hash: a2fe2ece76c2e6d84e4c6b7aa10fdcdc439feb1ead15dfff4aeb82fe24b3b7b9
Instruction Fuzzy Hash: 31115474D0130DABDB04EFA4C855EDEB7FCAF40704F4084A9E91597292EB74E608CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0097A910, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0097A910(void* __ebx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t95;
				void* _t96;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;

				_push(0x18);
				_t45 = E0094EEB3(__ebx, __edi, __eflags);
				_t102 = _t101 + 4;
				if(_t45 == 0) {
					_t103 = _t102 - 0x10;
					_push(1);
					_v8 = "bad allocation";
					E0094FD76( &_v20,  &_v8);
					_v20 = 0x9c77b4;
					E0094FF59( &_v20, 0x9dd784);
					asm("int3");
					_push(_t102);
					_t104 = _t103 - 0xc;
					E0094FDB4( &_v52);
					_v52 = 0x9c7808;
					E0094FF59( &_v52, 0x9dd874);
					asm("int3");
					_push(_t103);
					_t95 = _t104;
					_t105 = _t104 - 0xc;
					E0094FD51( &_v76,  &_v56);
					_v76 = 0x9c77cc;
					E0094FF59( &_v76, 0x9dd7a0);
					asm("int3");
					_push(_t95);
					_t96 = _t105;
					_t106 = _t105 - 0xc;
					E0094FD51( &_v72,  &_v52);
					_v72 = 0x9c77d8;
					E0094FF59( &_v72, 0x9dd7dc);
					asm("int3");
					_push(_t96);
					_t107 = _t106 - 0xc;
					E0094FD51( &_v88,  &_v68);
					_v88 = 0x9c77e4;
					E0094FF59( &_v88, 0x9dd818);
					asm("int3");
					_push(_t106);
					E0094FD51( &_v116,  &_v96);
					_v116 = 0x9c77fc;
					E0094FF59( &_v116, 0x9dd838);
					asm("int3");
					_push(_t107);
					E00929370( &_v148, _v124);
					E0094FF59( &_v148, 0x9dd8ac);
					asm("int3");
					_push(_t107 - 0xc);
					E0094FD51( &_v176,  &_v156);
					_v176 = 0x9c77f0;
					E0094FF59( &_v176, 0x9d86a8);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0097a910
0x0097a912
0x0097a917
0x0097a91c
0x00929517
0x0092951a
0x0092951f
0x0092952a
0x00929537
0x0092953f
0x00929544
0x00929545
0x00929548
0x0092954e
0x0092955b
0x00929563
0x00929568
0x00929569
0x0092956a
0x0092956c
0x0092957c
0x00929589
0x00929591
0x00929596
0x00929597
0x00929598
0x0092959a
0x009295aa
0x009295b7
0x009295bf
0x009295c4
0x009295c5
0x009295c8
0x009295d8
0x009295e5
0x009295ed
0x009295f2
0x009295f3
0x00929606
0x00929613
0x0092961b
0x00929620
0x00929621
0x0092962d
0x0092963b
0x00929640
0x00929641
0x00929654
0x00929661
0x00929669
0x0092966e
0x00929674
0x0097a922
0x0097a922
0x0097a922
0x0097a925
0x0097a927
0x0097a929
0x0097a92b
0x0097a92b
0x0097a92d
0x0097a930
0x0097a932
0x0097a934
0x0097a934
0x0097a936
0x0097a93c
0x0097a93c

APIs

std::exception::exception.LIBCMT ref: 0092952A
__CxxThrowException@8.LIBCMT ref: 0092953F
__CxxThrowException@8.LIBCMT ref: 00929563
std::exception::exception.LIBCMT ref: 0092957C
__CxxThrowException@8.LIBCMT ref: 00929591

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception
String ID:
API String ID: 2370478142-0
Opcode ID: f108200004b7fb3c0f1bfa42941242043305a3e2550929b49c42c58e0f02cd62
Instruction ID: bf76eb08fd7720a4d3331cf951c76bec3bf02e20bd85e955cea80b7f91073a98
Opcode Fuzzy Hash: f108200004b7fb3c0f1bfa42941242043305a3e2550929b49c42c58e0f02cd62
Instruction Fuzzy Hash: 64114674D0130DABCB14EFA4C855EDEB7FCAF40704F4084A5A91597692EB74D608CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0090EED0, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0090EED0() {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				intOrPtr* _t45;
				void* _t82;
				intOrPtr* _t91;
				intOrPtr* _t92;
				void* _t93;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t113;

				_push(0x20);
				_t45 = E0094EEB3(_t82, _t93, _t113);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_v8 = "bad allocation";
					E0094FD76( &_v20,  &_v8);
					_v20 = 0x9c77b4;
					E0094FF59( &_v20, 0x9dd784);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0094FDB4( &_v52);
					_v52 = 0x9c7808;
					E0094FF59( &_v52, 0x9dd874);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0094FD51( &_v76,  &_v56);
					_v76 = 0x9c77cc;
					E0094FF59( &_v76, 0x9dd7a0);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0094FD51( &_v72,  &_v52);
					_v72 = 0x9c77d8;
					E0094FF59( &_v72, 0x9dd7dc);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0094FD51( &_v88,  &_v68);
					_v88 = 0x9c77e4;
					E0094FF59( &_v88, 0x9dd818);
					asm("int3");
					_push(_t108);
					E0094FD51( &_v116,  &_v96);
					_v116 = 0x9c77fc;
					E0094FF59( &_v116, 0x9dd838);
					asm("int3");
					_push(_t109);
					E00929370( &_v148, _v124);
					E0094FF59( &_v148, 0x9dd8ac);
					asm("int3");
					_push(_t109 - 0xc);
					E0094FD51( &_v176,  &_v156);
					_v176 = 0x9c77f0;
					E0094FF59( &_v176, 0x9d86a8);
					asm("int3");
					return "bad function call";
				} else {
					_t1 = _t45 + 4; // 0x4
					_t91 = _t1;
					 *_t45 = _t45;
					if(_t91 != 0) {
						 *_t91 = _t45;
					}
					_t92 = _t45 + 8;
					if(_t92 != 0) {
						 *_t92 = _t45;
					}
					 *((short*)(_t45 + 0xc)) = 0x101;
					return _t45;
				}
			}

0x0090eed0
0x0090eed2
0x0090eed7
0x0090eedc
0x00929517
0x0092951a
0x0092951f
0x0092952a
0x00929537
0x0092953f
0x00929544
0x00929545
0x00929548
0x0092954e
0x0092955b
0x00929563
0x00929568
0x00929569
0x0092956a
0x0092956c
0x0092957c
0x00929589
0x00929591
0x00929596
0x00929597
0x00929598
0x0092959a
0x009295aa
0x009295b7
0x009295bf
0x009295c4
0x009295c5
0x009295c8
0x009295d8
0x009295e5
0x009295ed
0x009295f2
0x009295f3
0x00929606
0x00929613
0x0092961b
0x00929620
0x00929621
0x0092962d
0x0092963b
0x00929640
0x00929641
0x00929654
0x00929661
0x00929669
0x0092966e
0x00929674
0x0090eee2
0x0090eee2
0x0090eee2
0x0090eee5
0x0090eee9
0x0090eeeb
0x0090eeeb
0x0090eeed
0x0090eef2
0x0090eef4
0x0090eef4
0x0090eef6
0x0090eefc
0x0090eefc

APIs

std::exception::exception.LIBCMT ref: 0092952A
__CxxThrowException@8.LIBCMT ref: 0092953F
__CxxThrowException@8.LIBCMT ref: 00929563
std::exception::exception.LIBCMT ref: 0092957C
__CxxThrowException@8.LIBCMT ref: 00929591

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception
String ID:
API String ID: 2370478142-0
Opcode ID: 962c3ef12e2a35bb14d98f2bb70beb54ab8c54bc4b350206482c23521d7731aa
Instruction ID: 55f0b51830693396d415fdbdb47030dedfa1a37c868714ea3b1087917e46d0d5
Opcode Fuzzy Hash: 962c3ef12e2a35bb14d98f2bb70beb54ab8c54bc4b350206482c23521d7731aa
Instruction Fuzzy Hash: 4E114274D0130DABCB14EFA4C855EDEB7FCAF40704F4084A9A91497692EB74E608CA91

Uniqueness

Uniqueness Score: -1.00%

Function 008F8B10, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 391COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008F8BB5

Strings

invalid string position, xrefs: 008F8D32, 008F8D3C
string too long, xrefs: 008F8BE9, 008F8D46

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 78864c1ebb1970ea62a39e60360efe7d849dc96eb8a045cecbb3a16289ca49a5
Instruction ID: 7f00d423144cc66cadb88f85630335322c694947c3c68ceb00e58630b4ff2a91
Opcode Fuzzy Hash: 78864c1ebb1970ea62a39e60360efe7d849dc96eb8a045cecbb3a16289ca49a5
Instruction Fuzzy Hash: C3710472304218DBDB249E6CE840A7AF7AAFFD1761F10452FFA45CB681CB719841C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 009706D5, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009706D5(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00970198(_t28, ?str?) != 0) {
					if(E00970198(_t28, ?str?) != 0) {
						return E00976CFC(_t28);
					}
					if(E0095B898(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E0095B898(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x009706d9
0x009706de
0x00970706
0x00000000
0x00970734
0x00970726
0x00970757
0x00000000
0x00970757
0x00000000
0x00970728
0x00970755
0x00000000
0x00000000
0x0097075b
0x00970760
0x00970764
0x00970764
0x0097072d

APIs

_wcscmp.LIBCMT ref: 009706EC
_wcscmp.LIBCMT ref: 009706FD

Strings

ACP, xrefs: 009706E6
OCP, xrefs: 009706F7

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: fb1e7ffab5c1fb7f070919daace272550cbc05efa02a10408ed3a634ba122007
Instruction ID: 5574cdff0b462eda3f5335f12abab9a904000c2eac0ad6b2ff85d0c29a823ee3
Opcode Fuzzy Hash: fb1e7ffab5c1fb7f070919daace272550cbc05efa02a10408ed3a634ba122007
Instruction Fuzzy Hash: 6A01B973605605E6EB14AA18DC82FEA739CDF85795F04C415FA0CDE181F774FA40CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00902890, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00902890(signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				intOrPtr* _t16;
				signed int _t18;
				intOrPtr* _t19;
				void* _t20;
				void* _t21;

				_t18 = __edx;
				_t16 =  *0x9ea3ec;
				_t19 = _t21 - 0x20;
				if(_t16 == 0) {
					_t16 =  !=  ? GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "GetTickCount64") : 0x901db0;
					 *0x9ea3ec = 0x901db0;
				}
				 *_t19 =  *_t16();
				 *((intOrPtr*)(_t19 + 8)) = _a4;
				 *((intOrPtr*)(_t19 + 0xc)) = _a8;
				 *((intOrPtr*)(_t19 + 4)) = _t18;
				 *((char*)(_t19 + 0x10)) = 1;
				E00902500(_t18, 0x901db0, _t19 + 0x18, E00902820);
				_push(0xffffffff);
				return E009480B0(_t18, _t20);
			}

0x00902890
0x00902893
0x0090289d
0x009028a1
0x009028c1
0x009028c4
0x009028c4
0x009028cc
0x009028d1
0x009028d7
0x009028e3
0x009028e6
0x009028ea
0x009028f2
0x009028fe

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetTickCount64,?,008FFD39,00000000,?,?,?,000003E8,00000000), ref: 009028AD
GetProcAddress.KERNEL32(00000000), ref: 009028B4

Strings

KERNEL32.DLL, xrefs: 009028A8
GetTickCount64, xrefs: 009028A3

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 1646373207-3320051239
Opcode ID: 48bcd1b27255050fb14a62cbe1cceb7fded522e7186c5c6cc73addecb9b41f8e
Instruction ID: 2ffc0027e847dd331105e8e67288d332181c5d203c95b60af709578aae28a174
Opcode Fuzzy Hash: 48bcd1b27255050fb14a62cbe1cceb7fded522e7186c5c6cc73addecb9b41f8e
Instruction Fuzzy Hash: 11F062756093409FC728EF69AC85A8A7BE8AF58725700C52DF85EC7291E630A8448BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00901410, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00901410(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				_Unknown_base(*)()* _t15;
				intOrPtr* _t17;
				intOrPtr* _t19;
				_Unknown_base(*)()* _t23;

				_t17 =  *0x9ea3ec;
				_t19 = __ecx;
				if(_t17 == 0) {
					_t15 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "GetTickCount64");
					_t23 = _t15;
					_t17 =  !=  ? _t15 : 0x901db0;
					 *0x9ea3ec = 0x901db0;
				}
				 *_t19 =  *_t17();
				 *((intOrPtr*)(_t19 + 8)) = _a4;
				 *((intOrPtr*)(_t19 + 0xc)) = _a8;
				 *((intOrPtr*)(_t19 + 4)) = _t17;
				 *((char*)(_t19 + 0x10)) = 1;
				E00902500(_t17, _t23, _t19 + 0x18, E00902820);
				return _t19;
			}

0x00901413
0x0090141a
0x0090141e
0x00901431
0x00901437
0x0090143e
0x00901441
0x00901441
0x00901449
0x0090144e
0x00901454
0x00901460
0x00901463
0x00901467
0x00901473

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetTickCount64,00000000,000FE4FA,00948212,?,00000000), ref: 0090142A
GetProcAddress.KERNEL32(00000000), ref: 00901431

Strings

KERNEL32.DLL, xrefs: 00901425
GetTickCount64, xrefs: 00901420

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 1646373207-3320051239
Opcode ID: 679ee1334e6d3435e972b33df9051b655e7e14bc01c7f2632a1823b6a679a31e
Instruction ID: b8daea1fbf3c5e151421ba9eb4809d720ac20d1f8d3a6e10966cd57afe74fceb
Opcode Fuzzy Hash: 679ee1334e6d3435e972b33df9051b655e7e14bc01c7f2632a1823b6a679a31e
Instruction Fuzzy Hash: 5FF030756157409FC310DF69DC84A86BBE8AF99711700C52AE889C7661E770E8048B91

Uniqueness

Uniqueness Score: -1.00%

Function 0097BF10, Relevance: 6.5, APIs: 4, Instructions: 462
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0097BF10(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr* _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t179;
				intOrPtr _t180;
				intOrPtr* _t183;
				void* _t184;
				intOrPtr* _t185;
				void* _t186;
				intOrPtr* _t187;
				intOrPtr* _t196;
				intOrPtr _t211;
				char _t212;
				intOrPtr* _t219;
				void* _t220;
				intOrPtr* _t222;
				void* _t223;
				intOrPtr _t231;
				char _t232;
				intOrPtr* _t237;
				void* _t238;
				intOrPtr* _t239;
				void* _t240;
				intOrPtr* _t241;
				void* _t242;
				intOrPtr* _t243;
				void* _t244;
				intOrPtr _t245;
				intOrPtr* _t246;
				intOrPtr _t247;
				intOrPtr _t248;
				intOrPtr _t250;
				intOrPtr _t251;
				intOrPtr* _t252;
				intOrPtr* _t256;
				intOrPtr* _t257;
				intOrPtr* _t264;
				intOrPtr _t272;
				intOrPtr* _t275;
				intOrPtr _t276;
				intOrPtr* _t277;
				intOrPtr _t282;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				intOrPtr* _t288;
				intOrPtr* _t291;
				intOrPtr* _t292;
				intOrPtr* _t293;
				intOrPtr _t295;
				intOrPtr _t296;
				intOrPtr* _t297;
				intOrPtr _t298;
				intOrPtr _t299;
				intOrPtr* _t300;
				intOrPtr* _t301;
				intOrPtr _t302;
				intOrPtr _t303;
				void* _t304;
				intOrPtr* _t305;
				intOrPtr _t306;
				intOrPtr _t307;
				void* _t308;
				void* _t309;
				void* _t347;

				_t245 = _a12;
				_v48 = _a4;
				_t299 = _a8;
				_t290 = 0x2aaaaaab * (_t245 - _t299) >> 0x20 >> 2;
				_v32 = _t299;
				_v36 = _t245;
				asm("cdq");
				_t305 = _t299 + (((0x2aaaaaab * (_t245 - _t299) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t245 - _t299) >> 0x20 >> 2) - _t290 >> 1) + ((0x2aaaaaab * (_t245 - _t299) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t245 - _t299) >> 0x20 >> 2) - _t290 >> 1) * 2) * 8;
				_t16 = _t245 - 0x18; // -24
				_v24 = _t305;
				E0097B8E0(_t245, _t245 - _t299, _t299, _t305, _t16, _a16);
				_t309 = _t308 + 0x10;
				_t300 = _t305 + 0x18;
				_v20 = _t300;
				if(_v32 >= _t305) {
					L18:
					if(_t300 >= _t245) {
						L35:
						_t179 = _t305;
						_t246 = _t300;
						_v12 = _t179;
						while(1) {
							L36:
							_v28 = _t246;
							L37:
							while(1) {
								L37:
								while(1) {
									if(_t246 >= _v36) {
										L58:
										if(_t179 <= _v32) {
											L94:
											if(_t347 != 0) {
												_t180 = _t179 - 0x18;
												_v12 = _t180;
												if(_t246 != _v36) {
													E00916BA0(_t246, _t180);
													_t179 = _v12;
													_t309 = _t309 + 8;
													_t246 = _t246 + 0x18;
													goto L36;
												}
												_t305 = _t305 - 0x18;
												_v24 = _t305;
												if(_t180 != _t305) {
													E00918520(_t246, _t180, _t305);
													_t296 = _v12;
													 *((intOrPtr*)(_t296 + 0x10)) =  *((intOrPtr*)(_t305 + 0x10));
													 *((intOrPtr*)(_t305 + 0x10)) =  *((intOrPtr*)(_t296 + 0x10));
													 *((intOrPtr*)(_t296 + 0x14)) =  *((intOrPtr*)(_t305 + 0x14));
													 *((intOrPtr*)(_t305 + 0x14)) =  *((intOrPtr*)(_t296 + 0x14));
												}
												_t300 = _t300 - 0x18;
												_v20 = _t300;
												E00916BA0(_t305, _t300);
												_t179 = _v12;
												_t309 = _t309 + 8;
												continue;
											}
											if(_t246 == _v36) {
												_t196 = _v48;
												 *((intOrPtr*)(_t196 + 4)) = _t300;
												 *_t196 = _t305;
												return _t196;
											}
											if(_t300 == _t246 || _t305 == _t300) {
												L113:
												_t264 = _t246;
												_t291 = _t305;
												_t300 = _t300 + 0x18;
												_v16 = _t264;
												_t305 = _t305 + 0x18;
												_v20 = _t300;
												_t246 = _t246 + 0x18;
												_v8 = _t291;
												_v24 = _t305;
												_v28 = _t246;
												if(_t291 != _t264) {
													E00918520(_t246, _t291, _t264);
													_t298 = _v16;
													_t302 = _v8;
													 *((intOrPtr*)(_t302 + 0x10)) =  *((intOrPtr*)(_t298 + 0x10));
													 *((intOrPtr*)(_t298 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
													 *((intOrPtr*)(_t302 + 0x14)) =  *((intOrPtr*)(_t298 + 0x14));
													_t300 = _v20;
													_t179 = _v12;
													 *((intOrPtr*)(_t298 + 0x14)) =  *((intOrPtr*)(_t302 + 0x14));
												}
												continue;
											} else {
												if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
													if( *((intOrPtr*)(_t300 + 0x14)) >= 0x10) {
														_v16 =  *_t300;
														_t204 =  *((intOrPtr*)(_t305 + 0x10)) + 1;
														if( *((intOrPtr*)(_t305 + 0x10)) + 1 != 0) {
															E00950440(_t300, _t305, _t204);
															_t309 = _t309 + 0xc;
														}
														 *_t305 = _v16;
														L112:
														 *((intOrPtr*)(_t305 + 0x10)) =  *((intOrPtr*)(_t300 + 0x10));
														 *((intOrPtr*)(_t300 + 0x10)) =  *((intOrPtr*)(_t305 + 0x10));
														 *((intOrPtr*)(_t305 + 0x14)) =  *((intOrPtr*)(_t300 + 0x14));
														_t179 = _v12;
														 *((intOrPtr*)(_t300 + 0x14)) =  *((intOrPtr*)(_t305 + 0x14));
														goto L113;
													}
													_v16 = 0;
													_v40 = 0;
													_t292 = _t305;
													_t272 =  >  ? _v16 : _t305 + 0x10 - _t305;
													_v16 = _t272;
													if(_t272 == 0) {
														goto L112;
													}
													_t247 = _v40;
													_t211 = _t300 - _t305;
													_t303 = _t272;
													_v44 = _t211;
													_t306 = _t211;
													do {
														_t212 =  *((intOrPtr*)(_t306 + _t292));
														_t292 = _t292 + 1;
														_t247 = _t247 + 1;
														 *((char*)(_t292 - 1)) = _t212;
														 *((char*)(_t306 + _t292 - 1)) =  *((intOrPtr*)(_t292 - 1));
													} while (_t247 != _t303);
													_t305 = _v24;
													_t246 = _v28;
													_t300 = _v20;
													goto L112;
												}
												if( *((intOrPtr*)(_t300 + 0x14)) < 0x10) {
													_v16 =  *_t305;
													_t215 =  *((intOrPtr*)(_t300 + 0x10)) + 1;
													if( *((intOrPtr*)(_t300 + 0x10)) + 1 != 0) {
														E00950440(_t305, _t300, _t215);
														_t309 = _t309 + 0xc;
													}
													 *_t300 = _v16;
												} else {
													 *_t305 =  *_t300;
													 *_t300 =  *_t305;
												}
												goto L112;
											}
										}
										_t301 = _t179 - 0x18;
										_v8 = _t301;
										do {
											if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
												_t275 = _t305;
											} else {
												_t275 =  *_t305;
											}
											if( *((intOrPtr*)(_t301 + 0x14)) < 0x10) {
												_t219 = _t301;
											} else {
												_t219 =  *_t301;
											}
											_t220 = E00985DD1(_t301, _t305, _t219, _t275);
											_t309 = _t309 + 8;
											if(_t220 >= 0) {
												if( *((intOrPtr*)(_t301 + 0x14)) < 0x10) {
													_t277 = _t301;
												} else {
													_t277 =  *_t301;
												}
												if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
													_t222 = _t305;
												} else {
													_t222 =  *_t305;
												}
												_t223 = E00985DD1(_t301, _t305, _t222, _t277);
												_t309 = _t309 + 8;
												if(_t223 < 0) {
													_t179 = _v12;
													_t276 = _v32;
													L93:
													_t246 = _v28;
													_t347 = _t179 - _t276;
													_t300 = _v20;
													goto L94;
												} else {
													_t305 = _t305 - 0x18;
													_v24 = _t305;
													if(_t305 == _t301) {
														goto L90;
													}
													if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
														if( *((intOrPtr*)(_t301 + 0x14)) >= 0x10) {
															_t248 =  *_t301;
															_t225 =  *((intOrPtr*)(_t305 + 0x10)) + 1;
															if( *((intOrPtr*)(_t305 + 0x10)) + 1 != 0) {
																E00950440(_t301, _t305, _t225);
																_t309 = _t309 + 0xc;
															}
															 *_t305 = _t248;
															L89:
															 *((intOrPtr*)(_t305 + 0x10)) =  *((intOrPtr*)(_t301 + 0x10));
															 *((intOrPtr*)(_t301 + 0x10)) =  *((intOrPtr*)(_t305 + 0x10));
															 *((intOrPtr*)(_t305 + 0x14)) =  *((intOrPtr*)(_t301 + 0x14));
															 *((intOrPtr*)(_t301 + 0x14)) =  *((intOrPtr*)(_t305 + 0x14));
															goto L90;
														}
														_t293 = _t305;
														_t282 =  >  ? 0 : _t305 + 0x10 - _t305;
														_v40 = _t282;
														if(_t282 == 0) {
															goto L89;
														}
														_t304 = 0;
														_t231 = _t301 - _t305;
														_t251 = _t282;
														_v16 = _t231;
														_t307 = _t231;
														do {
															_t232 =  *((intOrPtr*)(_t307 + _t293));
															_t293 = _t293 + 1;
															_t304 = _t304 + 1;
															 *((char*)(_t293 - 1)) = _t232;
															 *((char*)(_t307 + _t293 - 1)) =  *((intOrPtr*)(_t293 - 1));
														} while (_t304 != _t251);
														_t305 = _v24;
														_t301 = _v8;
														goto L89;
													}
													if( *((intOrPtr*)(_t301 + 0x14)) < 0x10) {
														_t250 =  *_t305;
														_t234 =  *((intOrPtr*)(_t301 + 0x10)) + 1;
														if( *((intOrPtr*)(_t301 + 0x10)) + 1 != 0) {
															E00950440(_t305, _t301, _t234);
															_t309 = _t309 + 0xc;
														}
														 *_t301 = _t250;
													} else {
														 *_t305 =  *_t301;
														 *_t301 =  *_t305;
													}
													goto L89;
												}
											}
											L90:
											_t301 = _t301 - 0x18;
											_t276 = _v32;
											_t179 = _v12 - 0x18;
											_v12 = _t179;
											_v8 = _t301;
										} while (_t276 < _t179);
										goto L93;
									}
									_v8 = _t300 - 4;
									do {
										if( *((intOrPtr*)(_t246 + 0x14)) < 0x10) {
											_t256 = _t246;
										} else {
											_t256 =  *_t246;
										}
										if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
											_t183 = _t305;
										} else {
											_t183 =  *_t305;
										}
										_t184 = E00985DD1(_t300, _t305, _t183, _t256);
										_t309 = _t309 + 8;
										if(_t184 >= 0) {
											if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
												_t257 = _t305;
											} else {
												_t257 =  *_t305;
											}
											if( *((intOrPtr*)(_t246 + 0x14)) < 0x10) {
												_t185 = _t246;
											} else {
												_t185 =  *_t246;
											}
											_t186 = E00985DD1(_t300, _t305, _t185, _t257);
											_t309 = _t309 + 8;
											if(_t186 < 0) {
												break;
											} else {
												_t187 = _t300;
												_t295 = _v8 + 0x18;
												_t300 = _t300 + 0x18;
												_v8 = _t295;
												if(_t187 != _t246) {
													_t45 = _t295 - 0x14; // -44
													if(_t45 != _t246) {
														_t46 = _t295 - 0x14; // -44
														E00918520(_t246, _t46, _t246);
														_t297 = _v8;
														_t48 = _t246 + 0x10; // 0x3f8d1c2
														 *((intOrPtr*)(_t297 - 4)) =  *_t48;
														 *((intOrPtr*)(_t246 + 0x10)) =  *((intOrPtr*)(_t297 - 4));
														_t52 = _t246 + 0x14; // 0xaaabb8c8
														 *_t297 =  *_t52;
														 *((intOrPtr*)(_t246 + 0x14)) =  *_t297;
													}
												}
												goto L56;
											}
										}
										L56:
										_t246 = _t246 + 0x18;
									} while (_t246 < _v36);
									_t179 = _v12;
									_v20 = _t300;
									_v28 = _t246;
									goto L58;
								}
							}
						}
					}
					L19:
					L19:
					if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
						_t237 = _t305;
					} else {
						_t237 =  *_t305;
					}
					if( *((intOrPtr*)(_t300 + 0x14)) < 0x10) {
						_t285 = _t300;
					} else {
						_t285 =  *_t300;
					}
					_t238 = E00985DD1(_t300, _t305, _t285, _t237);
					_t309 = _t309 + 8;
					if(_t238 < 0) {
						goto L34;
					}
					if( *((intOrPtr*)(_t300 + 0x14)) < 0x10) {
						_t286 = _t300;
					} else {
						_t286 =  *_t300;
					}
					if( *((intOrPtr*)(_t305 + 0x14)) < 0x10) {
						_t239 = _t305;
					} else {
						_t239 =  *_t305;
					}
					_t240 = E00985DD1(_t300, _t305, _t239, _t286);
					_t309 = _t309 + 8;
					if(_t240 >= 0) {
						_t300 = _t300 + 0x18;
						if(_t300 < _t245) {
							goto L19;
						}
					}
					L34:
					_v20 = _t300;
					goto L35;
				} else {
					_t252 = _t305 - 0x18;
					do {
						if( *((intOrPtr*)(_t252 + 0x2c)) < 0x10) {
							_t241 = _t305;
						} else {
							_t241 =  *_t305;
						}
						if( *((intOrPtr*)(_t252 + 0x14)) < 0x10) {
							_t287 = _t252;
						} else {
							_t287 =  *_t252;
						}
						_t242 = E00985DD1(_t300, _t305, _t287, _t241);
						_t309 = _t309 + 8;
						if(_t242 < 0) {
							break;
						} else {
							if( *((intOrPtr*)(_t252 + 0x14)) < 0x10) {
								_t288 = _t252;
							} else {
								_t288 =  *_t252;
							}
							if( *((intOrPtr*)(_t252 + 0x2c)) < 0x10) {
								_t243 = _t305;
							} else {
								_t243 =  *_t305;
							}
							_t244 = E00985DD1(_t300, _t305, _t243, _t288);
							_t309 = _t309 + 8;
							if(_t244 < 0) {
								break;
							} else {
								goto L16;
							}
						}
						L16:
						_t305 = _t305 - 0x18;
						_t252 = _t252 - 0x18;
					} while (_v32 < _t305);
					_t245 = _v36;
					_v24 = _t305;
					goto L18;
				}
			}

0x0097bf1a
0x0097bf1f
0x0097bf29
0x0097bf33
0x0097bf38
0x0097bf40
0x0097bf43
0x0097bf4b
0x0097bf4e
0x0097bf51
0x0097bf57
0x0097bf5c
0x0097bf5f
0x0097bf62
0x0097bf68
0x0097bfcd
0x0097bfcf
0x0097c027
0x0097c027
0x0097c029
0x0097c02b
0x0097c02e
0x0097c02e
0x0097c02e
0x00000000
0x0097c031
0x00000000
0x0097c031
0x0097c034
0x0097c0dc
0x0097c0e1
0x0097c224
0x0097c224
0x0097c361
0x0097c364
0x0097c36a
0x0097c3b3
0x0097c3b8
0x0097c3bb
0x0097c3be
0x00000000
0x0097c3be
0x0097c36c
0x0097c36f
0x0097c374
0x0097c379
0x0097c37e
0x0097c387
0x0097c38a
0x0097c393
0x0097c396
0x0097c396
0x0097c399
0x0097c39e
0x0097c3a1
0x0097c3a6
0x0097c3a9
0x00000000
0x0097c3a9
0x0097c22d
0x0097c3c6
0x0097c3c9
0x0097c3cd
0x0097c3d4
0x0097c3d4
0x0097c235
0x0097c307
0x0097c307
0x0097c309
0x0097c30b
0x0097c30e
0x0097c311
0x0097c314
0x0097c317
0x0097c31a
0x0097c31d
0x0097c320
0x0097c325
0x0097c32e
0x0097c333
0x0097c339
0x0097c342
0x0097c347
0x0097c350
0x0097c353
0x0097c356
0x0097c359
0x0097c359
0x00000000
0x0097c243
0x0097c247
0x0097c27d
0x0097c2d3
0x0097c2d9
0x0097c2da
0x0097c2df
0x0097c2e4
0x0097c2e4
0x0097c2ea
0x0097c2ec
0x0097c2f2
0x0097c2f5
0x0097c2fe
0x0097c301
0x0097c304
0x00000000
0x0097c304
0x0097c282
0x0097c28b
0x0097c294
0x0097c298
0x0097c29c
0x0097c2a1
0x00000000
0x00000000
0x0097c2a3
0x0097c2a8
0x0097c2aa
0x0097c2ac
0x0097c2af
0x0097c2b1
0x0097c2b1
0x0097c2b4
0x0097c2ba
0x0097c2bb
0x0097c2be
0x0097c2c2
0x0097c2c6
0x0097c2c9
0x0097c2cc
0x00000000
0x0097c2cc
0x0097c24d
0x0097c25e
0x0097c264
0x0097c265
0x0097c26a
0x0097c26f
0x0097c26f
0x0097c275
0x0097c24f
0x0097c253
0x0097c255
0x0097c255
0x00000000
0x0097c24d
0x0097c235
0x0097c0e7
0x0097c0ea
0x0097c0f0
0x0097c0f4
0x0097c0fa
0x0097c0f6
0x0097c0f6
0x0097c0f6
0x0097c100
0x0097c106
0x0097c102
0x0097c102
0x0097c102
0x0097c10a
0x0097c10f
0x0097c114
0x0097c11e
0x0097c124
0x0097c120
0x0097c120
0x0097c120
0x0097c12a
0x0097c130
0x0097c12c
0x0097c12c
0x0097c12c
0x0097c134
0x0097c139
0x0097c13e
0x0097c216
0x0097c219
0x0097c21c
0x0097c21c
0x0097c21f
0x0097c221
0x00000000
0x0097c144
0x0097c144
0x0097c147
0x0097c14c
0x00000000
0x00000000
0x0097c156
0x0097c183
0x0097c1d0
0x0097c1d2
0x0097c1d3
0x0097c1d8
0x0097c1dd
0x0097c1dd
0x0097c1e0
0x0097c1e2
0x0097c1e8
0x0097c1eb
0x0097c1f4
0x0097c1f7
0x00000000
0x0097c1f7
0x0097c18c
0x0097c192
0x0097c195
0x0097c19a
0x00000000
0x00000000
0x0097c19e
0x0097c1a0
0x0097c1a2
0x0097c1a4
0x0097c1a7
0x0097c1b0
0x0097c1b0
0x0097c1b3
0x0097c1b9
0x0097c1ba
0x0097c1bd
0x0097c1c1
0x0097c1c5
0x0097c1c8
0x00000000
0x0097c1c8
0x0097c15c
0x0097c16b
0x0097c16d
0x0097c16e
0x0097c173
0x0097c178
0x0097c178
0x0097c17b
0x0097c15e
0x0097c162
0x0097c164
0x0097c164
0x00000000
0x0097c15c
0x0097c13e
0x0097c1fa
0x0097c1fd
0x0097c200
0x0097c203
0x0097c206
0x0097c209
0x0097c20c
0x00000000
0x0097c214
0x0097c03d
0x0097c040
0x0097c044
0x0097c04a
0x0097c046
0x0097c046
0x0097c046
0x0097c050
0x0097c056
0x0097c052
0x0097c052
0x0097c052
0x0097c05a
0x0097c05f
0x0097c064
0x0097c06a
0x0097c070
0x0097c06c
0x0097c06c
0x0097c06c
0x0097c076
0x0097c07c
0x0097c078
0x0097c078
0x0097c078
0x0097c080
0x0097c085
0x0097c08a
0x00000000
0x0097c08c
0x0097c08f
0x0097c091
0x0097c094
0x0097c097
0x0097c09c
0x0097c09e
0x0097c0a3
0x0097c0a6
0x0097c0a9
0x0097c0ae
0x0097c0b1
0x0097c0b7
0x0097c0ba
0x0097c0bf
0x0097c0c2
0x0097c0c4
0x0097c0c4
0x0097c0a3
0x00000000
0x0097c09c
0x0097c08a
0x0097c0c7
0x0097c0c7
0x0097c0ca
0x0097c0d3
0x0097c0d6
0x0097c0d9
0x00000000
0x0097c0d9
0x0097c031
0x0097c031
0x0097c02e
0x00000000
0x0097bfd1
0x0097bfd5
0x0097bfdb
0x0097bfd7
0x0097bfd7
0x0097bfd7
0x0097bfe1
0x0097bfe7
0x0097bfe3
0x0097bfe3
0x0097bfe3
0x0097bfeb
0x0097bff0
0x0097bff5
0x00000000
0x00000000
0x0097bffb
0x0097c001
0x0097bffd
0x0097bffd
0x0097bffd
0x0097c007
0x0097c00d
0x0097c009
0x0097c009
0x0097c009
0x0097c011
0x0097c016
0x0097c01b
0x0097c01d
0x0097c022
0x00000000
0x00000000
0x0097c022
0x0097c024
0x0097c024
0x00000000
0x0097bf6a
0x0097bf6a
0x0097bf70
0x0097bf74
0x0097bf7a
0x0097bf76
0x0097bf76
0x0097bf76
0x0097bf80
0x0097bf86
0x0097bf82
0x0097bf82
0x0097bf82
0x0097bf8a
0x0097bf8f
0x0097bf94
0x00000000
0x0097bf96
0x0097bf9a
0x0097bfa0
0x0097bf9c
0x0097bf9c
0x0097bf9c
0x0097bfa6
0x0097bfac
0x0097bfa8
0x0097bfa8
0x0097bfa8
0x0097bfb0
0x0097bfb5
0x0097bfba
0x00000000
0x00000000
0x00000000
0x00000000
0x0097bfba
0x0097bfbc
0x0097bfbc
0x0097bfbf
0x0097bfc2
0x0097bfc7
0x0097bfca
0x00000000
0x0097bfca

APIs

_memmove.LIBCMT ref: 0097C173
_memmove.LIBCMT ref: 0097C1D8
_memmove.LIBCMT ref: 0097C26A
_memmove.LIBCMT ref: 0097C2DF

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e4fc68d1f2da5adab928fd36f4ac81351e221a7056a107b70c4684b7480e9ab6
Instruction ID: 14372d7c4186ea2a1c22235bba957814887fd4d59cd8486f3f5c91df3b20aa93
Opcode Fuzzy Hash: e4fc68d1f2da5adab928fd36f4ac81351e221a7056a107b70c4684b7480e9ab6
Instruction Fuzzy Hash: 64023CB2A00206DFCB18DF58C98456EFBF5FF89700750896DE85AA7341D731AA84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 009717C9, Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009717C9(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00952063( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E0096577F( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							__eflags = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00954BEF(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x009717d1
0x009717d6
0x009717f0
0x00000000
0x009717f0
0x009717d8
0x009717dd
0x00000000
0x00000000
0x009717e2
0x009717ff
0x00971804
0x00971807
0x0097180e
0x0097182d
0x00971834
0x00971836
0x0097187a
0x00971886
0x00971889
0x0097188e
0x00971897
0x00971899
0x009718a9
0x009718a9
0x009718ad
0x009718af
0x009718b2
0x009718b2
0x009718b2
0x009718b2
0x00000000
0x009718b8
0x0097189b
0x0097189b
0x009718a0
0x009718a0
0x009718a3
0x00000000
0x009718a3
0x00971838
0x0097183b
0x0097183f
0x00971868
0x00971868
0x00971868
0x0097186b
0x0097186b
0x00000000
0x00000000
0x0097186d
0x00971871
0x00000000
0x00000000
0x00971873
0x00971873
0x00971873
0x00000000
0x00971873
0x00971841
0x00971841
0x00971844
0x00000000
0x00000000
0x00971848
0x00971852
0x00971858
0x0097185b
0x00971861
0x00971864
0x00971866
0x00000000
0x00000000
0x00000000
0x00971866
0x00971810
0x00971813
0x00971815
0x0097181a
0x0097181a
0x0097181f
0x00000000
0x0097181f
0x009717e4
0x009717e9
0x009717ed
0x009717ed
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009717FF
__isleadbyte_l.LIBCMT ref: 0097182D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,009875EF,?,00BFBBEF,00000003), ref: 0097185B
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,009875EF,?,00BFBBEF,00000003), ref: 00971891

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 743465196cf8524391e236ca723ec225c7dbfc8c19090ad3d45e028b521b7f39
Instruction ID: b3579a783a8a5befc2cc93faa7a7e338dc2066557664fd14bdb008a1c7199a24
Opcode Fuzzy Hash: 743465196cf8524391e236ca723ec225c7dbfc8c19090ad3d45e028b521b7f39
Instruction Fuzzy Hash: B731D232A04246EFDB25CF79CC85BAA7BBDFF41350F158528E8189B1A1D730D891DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009616CC, Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E009616CC(void* __ebx, void* __edi, intOrPtr _a4) {
				char* _v24;
				intOrPtr _v28;
				signed int _v36;
				signed int _v40;
				short _v300;
				void* __esi;
				void* _t15;
				void* _t17;
				signed int _t20;
				char* _t22;
				signed int _t30;
				void* _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t49;
				void* _t51;
				signed int _t52;

				if(_a4 != 0) {
					_push(__ebx);
					_t30 = E009659EE(_a4, 0x55);
					if(_t30 < 0x55) {
						_push(__edi);
						_t15 = E00954AA5(_t40, 2 + _t30 * 2);
						_t42 = _t15;
						if(_t42 != 0) {
							_t5 = _t30 + 1; // 0x1
							_t17 = E0096600E(_t42, _t5, _a4, _t5);
							_t52 = _t51 + 0x10;
							if(_t17 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E0095C254(_t30, _t40);
								asm("int3");
								_t49 = _t47;
								_push(_t49);
								_t50 = _t52;
								_t20 =  *0x9e6310; // 0x57443789
								_v40 = _t20 ^ _t52;
								_t22 = _v24;
								_t45 = _v28;
								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
									E00961E22(_t30, _t40, _t45,  &_v300);
								}
								_pop(_t46);
								return E0094FF4A(_t30, _v36 ^ _t50, _t40, _t42, _t46);
							} else {
								_t15 = _t42;
								goto L5;
							}
						} else {
							L5:
							goto L6;
						}
					} else {
						_t15 = 0;
						L6:
						return _t15;
					}
				} else {
					return 0;
				}
			}

0x009616d3
0x009616d9
0x009616e4
0x009616eb
0x009616f8
0x009616fa
0x009616ff
0x00961704
0x0096170a
0x00961713
0x00961718
0x0096171d
0x00961725
0x00961726
0x00961727
0x00961728
0x00961729
0x0096172a
0x0096172f
0x00961733
0x00961963
0x00961964
0x0096196c
0x00961973
0x00961976
0x0096197a
0x00961980
0x009619ab
0x009619b1
0x009619bb
0x009619c4
0x0096171f
0x0096171f
0x00000000
0x0096171f
0x00961706
0x00961706
0x00000000
0x00961706
0x009616ed
0x009616ed
0x00961707
0x00961709
0x00961709
0x009616d5
0x009616d8
0x009616d8

APIs

_wcsnlen.LIBCMT ref: 009616DF

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _wcsnlen
String ID:
API String ID: 3628947076-0
Opcode ID: e261ff09c6dab2099c955a5d964d28a87180f74b8dc16c9c8f0496b479d909ae
Instruction ID: 85a6c14edec2b02ded7ab6aaae35127af60fa072194eb902609b4788e7314264
Opcode Fuzzy Hash: e261ff09c6dab2099c955a5d964d28a87180f74b8dc16c9c8f0496b479d909ae
Instruction Fuzzy Hash: 5C210A726082086EEB10DBA4EC95FBB73ACDB857A1F584165FD09CA190EA71DE409790

Uniqueness

Uniqueness Score: -1.00%

Function 008F64D0, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E008F64D0(intOrPtr __ecx, char* _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v32;
				void* __esi;
				signed int _t25;
				char* _t30;
				void* _t36;
				void* _t41;
				void* _t42;
				intOrPtr _t44;
				signed int _t46;

				_push(0xffffffff);
				_push(0x9ac5ba);
				_push( *[fs:0x0]);
				_t25 =  *0x9e6310; // 0x57443789
				_push(_t25 ^ _t46);
				 *[fs:0x0] =  &_v16;
				_t44 = __ecx;
				_v20 = __ecx;
				E009290B8(__ecx, 0);
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				_t30 = _a4;
				_v8 = 6;
				_t50 = _t30;
				if(_t30 == 0) {
					_a4 = "bad locale name";
					E0094FD51( &_v32,  &_a4);
					_v32 = 0x9c77f0;
					_t30 = E0094FF59( &_v32, 0x9d86a8);
				}
				E00929CA4(_t36, _t41, _t42, _t44, _t50, _t44, _t30);
				 *[fs:0x0] = _v16;
				return _t44;
			}

0x008f64d3
0x008f64d5
0x008f64e0
0x008f64e5
0x008f64ec
0x008f64f0
0x008f64f6
0x008f64f8
0x008f64fd
0x008f6502
0x008f6509
0x008f6510
0x008f6514
0x008f651b
0x008f6521
0x008f6528
0x008f652c
0x008f652f
0x008f6533
0x008f6536
0x008f6539
0x008f653c
0x008f653f
0x008f6542
0x008f6546
0x008f6548
0x008f654d
0x008f6558
0x008f6565
0x008f656d
0x008f656d
0x008f6574
0x008f6581
0x008f658d

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F64FD
std::exception::exception.LIBCMT ref: 008F6558

Part of subcall function 0094FD51: std::exception::_Copy_str.LIBCMT ref: 0094FD6A

__CxxThrowException@8.LIBCMT ref: 008F656D

Part of subcall function 0094FF59: RaiseException.KERNEL32(?,?,?,009DD784,?,?,?,?,?,0094EF03,?,009DD784,?,00000001), ref: 0094FFAE

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008F6574

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 73090415-0
Opcode ID: 62667ffe289c8118201ef01a6fcb126d986e1bc41742c8be305dcecb1c79342c
Instruction ID: 238d0a98177d3b82564f5246b27389225dc5f0688b225ca1c943bcf3c8a816dc
Opcode Fuzzy Hash: 62667ffe289c8118201ef01a6fcb126d986e1bc41742c8be305dcecb1c79342c
Instruction Fuzzy Hash: 2C219D708047489FD720CF68C945B8BBBF8EF19714F008A2EE85AD7781E775A608CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00924A10, Relevance: 6.0, APIs: 4, Instructions: 48
networkCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00924A10(signed int __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				signed int _t11;
				signed int* _t16;
				signed int _t17;

				__imp__#112(0);
				__imp__WSASocketW(_a4, _a8, _a12, 0, 0, 1);
				_t17 = __eax;
				_t11 = E0094A830();
				__imp__#111();
				_t16 = _a16;
				 *_t16 = _t11;
				_t16[1] = _t11;
				if(_t17 != 0xffffffff) {
					if(_a4 == 0x17) {
						_a16 = 0;
						__imp__#21(_t17, 0x29, 0x1b,  &_a16, 4);
					}
					_t16[1] = E0094A830();
					 *_t16 = 0;
					return _t17;
				} else {
					return _t11 | _t17;
				}
			}

0x00924a18
0x00924a2d
0x00924a33
0x00924a35
0x00924a3c
0x00924a42
0x00924a45
0x00924a47
0x00924a4d
0x00924a5a
0x00924a61
0x00924a6e
0x00924a6e
0x00924a79
0x00924a80
0x00924a88
0x00924a4f
0x00924a55
0x00924a55

APIs

#112.WS2_32(00000000,00000020,00000000,?,?,00922B72,009EA4DD,?,?,00000020,57443789,00000020,?,?,009EA4DD,00000000), ref: 00924A18
WSASocketW.WS2_32(?,00000020,57443789,00000000,00000000,00000001), ref: 00924A2D
#111.WS2_32(?,00922B72,009EA4DD,?,?,00000020,57443789,00000020,?,?,009EA4DD,00000000,00000000,00000400,00000000,?), ref: 00924A3C
#21.WS2_32(00000000,00000029,0000001B,00000020,00000004,?,00922B72,009EA4DD,?,?), ref: 00924A6E

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: #111#112Socket
String ID:
API String ID: 2215229741-0
Opcode ID: 97b2dfb32ee5d8f7b1b4fef3ee817f7862a22e57dcb981d664075eb27bcdfa9b
Instruction ID: dea3be7b3fdeefdb93a6786949d3763f1ae8d0b442365df7bd4d09e3dfb43c75
Opcode Fuzzy Hash: 97b2dfb32ee5d8f7b1b4fef3ee817f7862a22e57dcb981d664075eb27bcdfa9b
Instruction Fuzzy Hash: AB01A275641208AFEF209F64EC85F9A3FA8EB88721F104121FA189F2E1D3719815DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008FC360, Relevance: 6.0, APIs: 4, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008FC360(void* __ecx) {
				struct tagMSG _v32;
				int _t8;
				int _t14;
				intOrPtr _t16;
				void* _t22;

				_t22 = __ecx;
				_t8 = GetMessageA( &_v32, 0, 0, 0);
				if(_t8 != 0) {
					do {
						if(_v32.message != 0x40a) {
							goto L5;
						}
						E0090EE70(_t22 + 4, 1);
						_t16 =  *0x9bda64; // 0x0
						do {
						} while (_t16 != 0);
						L5:
						TranslateMessage( &_v32);
						DispatchMessageA( &_v32);
						_t14 = GetMessageA( &_v32, 0, 0, 0);
					} while (_t14 != 0);
					return _t14;
				}
				return _t8;
			}

0x008fc378
0x008fc37a
0x008fc37e
0x008fc387
0x008fc38e
0x00000000
0x00000000
0x008fc395
0x008fc39a
0x008fc3a0
0x008fc3a0
0x008fc3a4
0x008fc3a8
0x008fc3ae
0x008fc3be
0x008fc3c0
0x00000000
0x008fc3c4
0x008fc3ca

APIs

GetMessageA.USER32 ref: 008FC37A
TranslateMessage.USER32(?), ref: 008FC3A8
DispatchMessageA.USER32 ref: 008FC3AE
GetMessageA.USER32 ref: 008FC3BE

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: aef96c9559eb458fce6cc5b2427c865c604b53e2ef171935929ea5f6765937f0
Instruction ID: 26e457873b1ac6b3055625c0533d4354bf4f3e23bf7c4bc545618fc5ebdd252e
Opcode Fuzzy Hash: aef96c9559eb458fce6cc5b2427c865c604b53e2ef171935929ea5f6765937f0
Instruction Fuzzy Hash: 1301AF72A4530DAADB20DAA4DD86FBA77ACAB04740F504022E704E71D0E7B4B90687A5

Uniqueness

Uniqueness Score: -1.00%

Function 008F8900, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008F896C

Strings

invalid string position, xrefs: 008F89A0
string too long, xrefs: 008F89AA, 008F8A82, 008F8A8C

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 6daebb663e85e81804d25a17ecdc3cbe0a7db3953f4fcb17b5be886af980cd7c
Instruction ID: 66d41d7792fcd84c0bd03f8cc1fbbd10df3297ceabf79d553aa76662b22c0bfa
Opcode Fuzzy Hash: 6daebb663e85e81804d25a17ecdc3cbe0a7db3953f4fcb17b5be886af980cd7c
Instruction Fuzzy Hash: AA51D732300219DFDB249E7DE840A7ABBA9FBD1761F10092EF655C7291CB71AC4487A5

Uniqueness

Uniqueness Score: -1.00%

Function 008F8DF0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008F8EAD

Strings

string too long, xrefs: 008F8EDC

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _memmove
String ID: string too long
API String ID: 4104443479-2556327735
Opcode ID: b33e0a90f25313aabb0aaae9632ff68747918cac26adef875172de2da4283738
Instruction ID: 44409708b312fa2f77d718d74acd9442d2ed60e40807f9b82a378210bb1b50ed
Opcode Fuzzy Hash: b33e0a90f25313aabb0aaae9632ff68747918cac26adef875172de2da4283738
Instruction Fuzzy Hash: 9031093230061CDBDB209D6CEC8097EF7A9FBD5765B20092AFA95CB651CB31DC5483A0

Uniqueness

Uniqueness Score: -1.00%

Function 008F5900, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 008F592D

Part of subcall function 0094FCFE: std::exception::exception.LIBCMT ref: 0094FD08

__CxxThrowException@8.LIBCMT ref: 008F59AE

Part of subcall function 0094FF59: RaiseException.KERNEL32(?,?,?,009DD784,?,?,?,?,?,0094EF03,?,009DD784,?,00000001), ref: 0094FFAE

Strings

bad cast, xrefs: 008F5925

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 2533763573-3145022300
Opcode ID: 9c2dc162cee49e1a8109fb4582830974ce511298eb2da51850ac16edeb88b977
Instruction ID: 01248adae37a895de97703ddfec16def98d7b376e821b98bd2ad0b51f3b4f6a0
Opcode Fuzzy Hash: 9c2dc162cee49e1a8109fb4582830974ce511298eb2da51850ac16edeb88b977
Instruction Fuzzy Hash: 8B314F71D0024DEBCB00DFA8C985BEEBBF8EB45754F108665F915E7241EB34AA448B91

Uniqueness

Uniqueness Score: -1.00%

Function 00918F10, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00918F10(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebp;
				intOrPtr _t36;
				signed int _t49;
				intOrPtr _t53;
				intOrPtr* _t56;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr _t63;
				intOrPtr* _t67;

				_push(__ebx);
				_t49 = _a4;
				_t67 = __ecx;
				_push(__edi);
				_t53 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t53 < _t49) {
					_push("invalid string position");
					E009295C5(__eflags);
					goto L17;
				} else {
					_t63 = _a8;
					if((__eax | 0xffffffff) - _t53 <= _t63) {
						L17:
						_push("string too long");
						E00929597(__eflags);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						E00914660(_v16, _v20, _v12, _v8);
						return _v20;
					} else {
						if(_t63 == 0) {
							L15:
							return _t67;
						} else {
							_push(0);
							_a4 = _t53 + _t63;
							if(E00918200(_t49, __ecx, _t63, _t53 + _t63) == 0) {
								goto L15;
							} else {
								_t36 =  *((intOrPtr*)(__ecx + 0x14));
								if(_t36 < 8) {
									_t59 = __ecx;
								} else {
									_t59 =  *__ecx;
								}
								if(_t36 < 8) {
									_t56 = _t67;
								} else {
									_t56 =  *_t67;
								}
								_t38 =  *(_t67 + 0x10) != _t49;
								if( *(_t67 + 0x10) != _t49) {
									E0094F050(_t56 + (_t49 + _t63) * 2, _t59 + _t49 * 2, _t38 + _t38);
								}
								E00917F50(_t67, _t49, _t63, _a12);
								_t58 = _a4;
								 *(_t67 + 0x10) = _t58;
								if( *((intOrPtr*)(_t67 + 0x14)) < 8) {
									__eflags = 0;
									 *((short*)(_t67 + _t58 * 2)) = 0;
									goto L15;
								} else {
									 *((short*)( *_t67 + _t58 * 2)) = 0;
									return _t67;
								}
							}
						}
					}
				}
			}

0x00918f13
0x00918f14
0x00918f18
0x00918f1a
0x00918f1b
0x00918f20
0x00918fbe
0x00918fc3
0x00000000
0x00918f26
0x00918f26
0x00918f30
0x00918fc8
0x00918fc8
0x00918fcd
0x00918fd2
0x00918fd3
0x00918fd4
0x00918fd5
0x00918fd6
0x00918fd7
0x00918fd8
0x00918fd9
0x00918fda
0x00918fdb
0x00918fdc
0x00918fdd
0x00918fde
0x00918fdf
0x00918fef
0x00918ff8
0x00918f36
0x00918f38
0x00918fb5
0x00918fbb
0x00918f3a
0x00918f3f
0x00918f42
0x00918f4c
0x00000000
0x00918f4e
0x00918f4e
0x00918f54
0x00918f5a
0x00918f56
0x00918f56
0x00918f56
0x00918f5f
0x00918f65
0x00918f61
0x00918f61
0x00918f61
0x00918f6a
0x00918f6c
0x00918f7c
0x00918f81
0x00918f8b
0x00918f94
0x00918f97
0x00918f9a
0x00918faf
0x00918fb1
0x00000000
0x00918f9c
0x00918fa1
0x00918faa
0x00918faa
0x00918f9a
0x00918f4c
0x00918f38
0x00918f30

APIs

_memmove.LIBCMT ref: 00918F7C

Strings

invalid string position, xrefs: 00918FBE
string too long, xrefs: 00918FC8

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: dad6c2bed5030606d7f20dcb9f3939c965492aa521858c2cc7668733b88236f7
Instruction ID: 1a4583487d157510cb0e7cf51e8e6f38febddf40d15fef6b3cb02ac588e7d478
Opcode Fuzzy Hash: dad6c2bed5030606d7f20dcb9f3939c965492aa521858c2cc7668733b88236f7
Instruction Fuzzy Hash: 66218031300209ABCB24DE68D880DDBB7AAEFC4750B10492EF919C7351DF31E9969BE0

Uniqueness

Uniqueness Score: -1.00%

Function 008F2BB0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E008F2BB0(void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t7;
				long _t13;
				void* _t16;
				void* _t17;

				_t13 = TlsAlloc();
				if(_t13 != 0xffffffff) {
					L2:
					 *0x9ea468 = _t13;
					return E0094F034(_t26, 0x9b9890);
				} else {
					_t16 = GetLastError();
					_t7 = E0094A830();
					_v12 = _t16;
					_t26 = _t16;
					_v8 = _t7;
					_pop(_t17);
					if(_t16 != 0) {
						E00913940(_t13, _t17, __eflags,  &_v12, "tss");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						return E0094F034(__eflags, 0x9b98c0);
					} else {
						goto L2;
					}
				}
			}

0x008f2bbd
0x008f2bc2
0x008f2bdd
0x008f2be2
0x008f2bf4
0x008f2bc4
0x008f2bcb
0x008f2bcd
0x008f2bd2
0x008f2bd5
0x008f2bd7
0x008f2bda
0x008f2bdb
0x008f2bfe
0x008f2c03
0x008f2c04
0x008f2c05
0x008f2c06
0x008f2c07
0x008f2c08
0x008f2c09
0x008f2c0a
0x008f2c0b
0x008f2c0c
0x008f2c0d
0x008f2c0e
0x008f2c0f
0x008f2c1b
0x00000000
0x00000000
0x00000000
0x008f2bdb

APIs

TlsAlloc.KERNEL32 ref: 008F2BB7
GetLastError.KERNEL32 ref: 008F2BC5

Strings

tss, xrefs: 008F2BF5

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: de6f860e93e01eda7deb042af690c319bbd30cca53197d89e89343f92bddf453
Instruction ID: 888f88ad356c7cb9106ff455455bfc0577fb2098fb7ae7c8b71411587e443be6
Opcode Fuzzy Hash: de6f860e93e01eda7deb042af690c319bbd30cca53197d89e89343f92bddf453
Instruction Fuzzy Hash: 95F05C72C1A21C9787117FF46C4ACEE777899C1770B100262FE0097290EB70094393D2

Uniqueness

Uniqueness Score: -1.00%

Function 0094EEB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0094EEB3(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v0;
				char* _v8;
				int _v20;
				void* _t10;
				int _t11;
				int _t15;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t19;
				void* _t24;
				void* _t25;

				_t25 = __edi;
				_t19 = __ebx;
				while(1) {
					_t10 = E00951738(_t19, _t24, _t25, _a4);
					if(_t10 != 0) {
						break;
					}
					_t11 = E0095BE69(_t10, _a4);
					__eflags = _t11;
					if(_t11 == 0) {
						_push(1);
						_v8 = "bad allocation";
						E0094FD76( &_v20,  &_v8);
						_v20 = 0x9c77b4;
						_t15 = E0094FF59( &_v20, 0x9dd784);
						asm("int3");
						__eflags = _v20;
						if(_v20 != 0) {
							_t15 = HeapFree( *0x9eb1d4, 0, _v0);
							__eflags = _t15;
							if(__eflags == 0) {
								_t16 = E00954BEF(__eflags);
								_t18 = E00954C48(GetLastError());
								 *_t16 = _t18;
								return _t18;
							}
						}
						return _t15;
					} else {
						continue;
					}
					L10:
				}
				return _t10;
				goto L10;
			}

0x0094eeb3
0x0094eeb3
0x0094eec8
0x0094eecb
0x0094eed3
0x00000000
0x00000000
0x0094eebe
0x0094eec4
0x0094eec6
0x0094eed9
0x0094eede
0x0094eee9
0x0094eef6
0x0094eefe
0x0094ef03
0x0094fc78
0x0094fc7c
0x0094fc89
0x0094fc8f
0x0094fc91
0x0094fc94
0x0094fca2
0x0094fca8
0x00000000
0x0094fcaa
0x0094fc91
0x0094fcac
0x00000000
0x00000000
0x00000000
0x00000000
0x0094eec6
0x0094eed8
0x00000000

APIs

Part of subcall function 00951738: __FF_MSGBANNER.LIBCMT ref: 0095174F
Part of subcall function 00951738: __NMSG_WRITE.LIBCMT ref: 00951756
Part of subcall function 00951738: HeapAlloc.KERNEL32(?,00000000,00000001,?,?,?,?,0094EED0,?), ref: 0095177B

std::exception::exception.LIBCMT ref: 0094EEE9
__CxxThrowException@8.LIBCMT ref: 0094EEFE

Part of subcall function 0094FF59: RaiseException.KERNEL32(?,?,?,009DD784,?,?,?,?,?,0094EF03,?,009DD784,?,00000001), ref: 0094FFAE

Strings

h(, xrefs: 0094EECB

Memory Dump Source

Source File: 00000001.00000002.645282965.00000000008F1000.00000020.00020000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.645279012.00000000008F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645345923.00000000009AC000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645353926.00000000009B9000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.645359179.00000000009BC000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645374725.00000000009D4000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645385552.00000000009E5000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645390316.00000000009E6000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645395544.00000000009E7000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.645401246.00000000009ED000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.645405725.00000000009EE000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.645410798.00000000009F1000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_ciscovideoguard.jbxd

Similarity

API ID: AllocExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: h(
API String ID: 2103478672-2090917321
Opcode ID: 21234154b1fc8c8706fa760f7b95250a99407f8f7bc768a7da5a01b5e7955968
Instruction ID: dc43f04a46ae93c17c50268bcf1b7eefa87046ccbf699af9e495dc701e7afc9c
Opcode Fuzzy Hash: 21234154b1fc8c8706fa760f7b95250a99407f8f7bc768a7da5a01b5e7955968
Instruction Fuzzy Hash: 84E0ED7490020EAADF20FFA4DC12EEF77BCBF01314F0004A5EC14AA1C1EBB09A088690

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ciscovideoguard.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: ciscovideoguard.exe PID: 7164 Parent PID: 5996

General

Chronological Activities

Analysis Process: conhost.exe PID: 4824 Parent PID: 7164

General

Chronological Activities

Disassembly

Function 008F28A0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
memoryCOMMON

Function 00970F4A, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMON

Function 00902500, Relevance: 4.6, APIs: 3, Instructions: 89
timeCOMMON

Function 0090D1D0, Relevance: 4.6, APIs: 3, Instructions: 58
memoryCOMMON

Function 009566AE, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Function 0095B812, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 008F2880, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Function 00952C60, Relevance: .1, Instructions: 76
COMMONCrypto

Function 008F50F0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 132
COMMON

Function 00961E22, Relevance: 19.6, APIs: 13, Instructions: 84
COMMON

Function 00947B80, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 185
libraryloadertimeCOMMON

Function 009480B0, Relevance: 18.2, APIs: 12, Instructions: 212
timesleepCOMMON

Function 00902F60, Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 383
COMMON

Function 009295C5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMON

Function 00921B30, Relevance: 15.1, APIs: 10, Instructions: 90
COMMON

Function 008FB670, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 199
COMMON

Function 0091F870, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110
COMMON

Function 008F3760, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101
memoryCOMMON

Function 008F4AA0, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 267
COMMON

Function 008FADC0, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
COMMON

Function 00902D90, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126
COMMON

Function 008F81D0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 115
COMMON

Function 008F5A50, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93
COMMON

Function 008F5BB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93
COMMON

Function 008F8510, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
COMMON

Function 008F9010, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 81
COMMON

Function 00922CE0, Relevance: 9.1, APIs: 6, Instructions: 115
COMMON

Function 009288F0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
COMMON

Function 00948F40, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104
libraryloaderCOMMON

Function 008F9CB0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92
COMMON

Function 008F2C80, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87
memoryCOMMON

Function 0091A220, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
COMMON

Function 00962C0C, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Function 00901E50, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Function 0091B800, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Function 0097A910, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Function 0090EED0, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Function 009706D5, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Function 00902890, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
libraryloaderCOMMON

Function 00901410, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
libraryloaderCOMMON

Function 0097BF10, Relevance: 6.5, APIs: 4, Instructions: 462
COMMON

Function 009717C9, Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Function 009616CC, Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Function 008F64D0, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Function 00924A10, Relevance: 6.0, APIs: 4, Instructions: 48
networkCOMMON

Function 008FC360, Relevance: 6.0, APIs: 4, Instructions: 46
windowCOMMON

Function 00918F10, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103
COMMON

Function 008F2BB0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
memoryCOMMON

Function 0094EEB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON