Windows Analysis Report
mirrorto_setup.exe

Overview

General Information

Sample name: mirrorto_setup.exe
Analysis ID: 1467121
MD5: d75d8acc3266e89d6c66fe0e0df367f4
SHA1: c0992c765155d911407745ed8304361b829ea2df
SHA256: 6aeca8fb7a286e161a6cb63e73de78775d2bf6d031b3d1db883bf73f6c1e54b0
Infos:

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • mirrorto_setup.exe (PID: 3536 cmdline: "C:\Users\user\Desktop\mirrorto_setup.exe" MD5: D75D8ACC3266E89D6C66FE0E0DF367F4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_003FEC60 CreateFileW,CryptAcquireContextW,CryptCreateHash,ReadFile,ReadFile,CryptHashData,ReadFile,CryptGetHashParam,_Smanip,CryptDestroyHash,CryptReleaseContext,CloseHandle,std::ios_base::_Ios_base_dtor,CryptDestroyHash,CryptReleaseContext,CloseHandle,0_2_003FEC60
Source: mirrorto_setup.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: mirrorto_setup.exeStatic PE information: certificate valid
Source: mirrorto_setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Jenkins\workspace\MF_Downloader\output\Release\MFDownloader.pdb# source: mirrorto_setup.exe
Source: Binary string: D:\Jenkins\workspace\MF_Downloader\output\Release\MFDownloader.pdb source: mirrorto_setup.exe
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_003E5070 InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetOpenW,__CxxThrowException@8,InternetConnectA,__CxxThrowException@8,HttpOpenRequestA,__CxxThrowException@8,HttpAddRequestHeadersA,HttpSendRequestA,__CxxThrowException@8,__CxxThrowException@8,_memset,InternetReadFile,InternetReadFile,__CxxThrowException@8,GetLastError,0_2_003E5070
Source: mirrorto_setup.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mirrorto_setup.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mirrorto_setup.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mirrorto_setup.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mirrorto_setup.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mirrorto_setup.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mirrorto_setup.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mirrorto_setup.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mirrorto_setup.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: mirrorto_setup.exeString found in binary or memory: http://ocsp.digicert.com0
Source: mirrorto_setup.exeString found in binary or memory: http://ocsp.digicert.com0A
Source: mirrorto_setup.exeString found in binary or memory: http://ocsp.digicert.com0C
Source: mirrorto_setup.exeString found in binary or memory: http://ocsp.digicert.com0X
Source: mirrorto_setup.exe, 00000000.00000003.2055912540.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2055946392.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2055946392.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2056347486.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2056450567.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2056114628.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, home.xml, home_rtl.xmlString found in binary or memory: http://www.baidu.com
Source: mirrorto_setup.exeString found in binary or memory: http://www.digicert.com/CPS0
Source: mirrorto_setup.exeString found in binary or memory: http://www.openssl.org/support/faq.html
Source: mirrorto_setup.exeString found in binary or memory: https://apipdm.imyfone.club/downloader/carousel?
Source: mirrorto_setup.exeString found in binary or memory: https://apipdm.imyfone.club/downloader/carousel?pid=STR_PID&lang=STR_DIR1_NAMESTR_DIR2_NAMESTR_EXE_N
Source: mirrorto_setup.exe, 00000000.00000003.2053158307.0000000001295000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.imyfone.com/mirrorto/mi
Source: UrlInfo.ini14.0.drString found in binary or memory: https://download.imyfone.com/mirrorto/mirrorto_setup.exe
Source: mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.imyfone.com/mirrorto/mirrorto_setup.exe%
Source: mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.imyfone.com/mirrorto/mirrorto_setup.exe6)
Source: mirrorto_setup.exeString found in binary or memory: https://www.google-analytics.com/mp/collect?measurement_id=G-5K7RY5G7V4&api_secret=T0joKD2MSiCE0gC58
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_0040A7B5 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0040A7B5
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_004A4720: CloseHandle,CreateFileW,GetLastError,DeviceIoControl,0_2_004A4720
Source: mirrorto_setup.exeStatic PE information: Resource name: ZIPRES type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: mirrorto_setup.exeStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=store
Source: mirrorto_setup.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engineClassification label: clean6.winEXE@1/39@0/0
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_003EE140 GetDiskFreeSpaceExW,0_2_003EE140
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_003EDAB0 _memset,lstrcpyW,_memset,CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,CloseHandle,_wprintf,0_2_003EDAB0
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_003EF4A0 ImageList_Create,CoInitialize,CoCreateInstance,0_2_003EF4A0
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_004195A2 __EH_prolog3_GS,CreateFileW,GetFileSize,CloseHandle,ReadFile,CloseHandle,_wcscmp,FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,_memmove,FreeResource,CreateFileW,GetFileSize,CloseHandle,ReadFile,CloseHandle,_wcscmp,_memset,CreateDIBSection,_wcscmp,CharNextW,_wcscmp,0_2_004195A2
Source: C:\Users\user\Desktop\mirrorto_setup.exeFile created: C:\Program Files (x86)\imyfone_down
Source: C:\Users\user\Desktop\mirrorto_setup.exeMutant created: \Sessions\1\BaseNamedObjects\imyfone-mirrorto_setup.exe
Source: mirrorto_setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mirrorto_setup.exeFile read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\mirrorto_setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mirrorto_setup.exeString found in binary or memory: set-addPolicy
Source: mirrorto_setup.exeString found in binary or memory: .\crypto\buffer\buffer.c.\crypto\buffer\buf_str.cStack part of OpenSSL 1.0.2u 20 Dec 2019.\crypto\stack\stack.c.\crypto\comp\comp_lib.cbuffer.\crypto\bio\bf_buff.c.\crypto\rsa\rsa_crpt.cDiffie-Hellman part of OpenSSL 1.0.2u 20 Dec 2019.\crypto\dh\dh_lib.clhash part of OpenSSL 1.0.2u 20 Dec 2019.\crypto\lhash\lhash.csetct-CredReqTBSXsetct-CredResDatasetct-CredRevReqTBSsetct-CredRevReqTBSXsetct-CredRevResDatasetct-PCertReqDatasetct-PCertResTBSsetct-BatchAdminReqDatasetct-BatchAdminResDatasetct-CardCInitResTBSsetct-MeAqCInitResTBSsetct-RegFormResTBSsetct-CertReqDatasetct-CertReqTBSsetct-CertResDatasetct-CertInqReqTBSsetct-ErrorTBSsetct-PIDualSignedTBEsetct-PIUnsignedTBEsetct-AuthReqTBEsetct-AuthResTBEsetct-AuthResTBEXsetct-AuthTokenTBEsetct-CapTokenTBEsetct-CapTokenTBEXsetct-AcqCardCodeMsgTBEsetct-AuthRevReqTBEsetct-AuthRevResTBEsetct-AuthRevResTBEBsetct-CapReqTBEsetct-CapReqTBEXsetct-CapResTBEsetct-CapRevReqTBEsetct-CapRevReqTBEXsetct-CapRevResTBEsetct-CredReqTBEsetct-CredReqTBEXsetct-CredResTBEsetct-CredRevReqTBEsetct-CredRevReqTBEXsetct-CredRevResTBEsetct-BatchAdminReqTBEsetct-BatchAdminResTBEsetct-RegFormReqTBEsetct-CertReqTBEsetct-CertReqTBEXsetct-CertResTBEsetct-CRLNotificationTBSsetct-CRLNotificationResTBSsetct-BCIDistributionTBSsetext-genCryptgeneric cryptogramsetext-miAuthmerchant initiated authsetext-pinSecuresetext-pinAnysetext-track2setext-cvadditional verificationset-policy-rootsetCext-hashedRootsetCext-certTypesetCext-merchDatasetCext-cCertRequiredsetCext-tunnelingsetCext-setExtsetCext-setQualfsetCext-PGWYcapabilitiessetCext-TokenIdentifiersetCext-Track2DatasetCext-TokenTypesetCext-IssuerCapabilitiessetAttr-CertsetAttr-PGWYcappayment gateway capabilitiessetAttr-TokenTypesetAttr-IssCapissuer capabilitiesset-rootKeyThumbset-addPolicysetAttr-Token-EMVsetAttr-Token-B0PrimesetAttr-IssCap-CVMsetAttr-IssCap-T2setAttr-IssCap-SigsetAttr-GenCryptgrmgenerate cryptogramsetAttr-T2Encencrypted track 
2setAttr-T2cleartxtcleartext track 2setAttr-TokICCsigICC or token signaturesetAttr-SecDevSigsecure device signatureset-brand-IATA-ATAset-brand-Dinersset-brand-AmericanExpressset-brand-JCBset-brand-Visaset-brand-MasterCardset-brand-NovusDES-CDMFdes-cdmfrsaOAEPEncryptionSETITU-Titu-tJOINT-ISO-ITU-Tjoint-iso-itu-tinternational-organizationsInternational OrganizationsmsSmartcardLoginMicrosoft SmartcardloginmsUPNMicrosoft Universal Principal NameAES-128-CFB1aes-128-cfb1AES-192-CFB1aes-192-cfb1AES-256-CFB1aes-256-cfb1AES-128-CFB8aes-128-cfb8AES-192-CFB8aes-192-cfb8AES-256-CFB8aes-256-cfb8DES-CFB1des-cfb1DES-CFB8des-cfb8DES-EDE3-CFB1des-ede3-cfb1DES-EDE3-CFB8des-ede3-cfb8streetstreetAddresspostalCodeid-pplproxyCertInfoProxy Certificate Informationid-ppl-anyLanguageAny languageid-ppl-inheritAllInherit allnameConstraintsX509v3 Name Constraintsid-ppl-independentIndependentRSA-SHA256sha256WithRSAEncryptionRSA-SHA384sha384WithRSAEncryptionRSA-SHA512sha512WithRSAEncryptionRSA-SHA224sha224WithRSAEncryptionsha256sha384SHA512sha512SHA224sha224identified-organizationc
Source: mirrorto_setup.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\mirrorto_setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\mirrorto_setup.exe File written: C:\Program Files (x86)\imyfone_down\mirrorto_setup\language\Arabic\text.ini
Source: mirrorto_setup.exe Static PE information: certificate valid
Source: mirrorto_setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: mirrorto_setup.exe Static file information: File size 2891216 > 1048576
Source: mirrorto_setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x204c00
Source: mirrorto_setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mirrorto_setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mirrorto_setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mirrorto_setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mirrorto_setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mirrorto_setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mirrorto_setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Jenkins\workspace\MF_Downloader\output\Release\MFDownloader.pdb# source: mirrorto_setup.exe
Source: Binary string: D:\Jenkins\workspace\MF_Downloader\output\Release\MFDownloader.pdb source: mirrorto_setup.exe
Source: mirrorto_setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mirrorto_setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mirrorto_setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mirrorto_setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mirrorto_setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_005A29E0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005A29E0
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_0058B2E5 push ecx; ret 0_2_0058B2F8
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_0057B4EC push ecx; ret 0_2_0057B4FF
Source: C:\Users\user\Desktop\mirrorto_setup.exeCode function: 0_2_0040A801 __EH_prolog3_GS,IsIconic,ScreenToClient,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetActiveWindow,GetWindow,GetWindowLongW,GetParent,SetFocus,DestroyWindow,_memset,BeginPaint,EndPaint,GetClientRect,IsRectEmpty,_memset,BeginPaint,_memset,GetUpdateRect,IsRectEmpty,DeleteDC,DeleteDC,DeleteObject,DeleteObject,_memset,CreateCompatibleDC,CreateCompatibleBitmap,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,CreateCompatibleDC,_memset,SelectObject,SendMessageW,BitBlt,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,CreateCompatibleDC,_memset,SelectObject,_memset,BitBlt,SelectObject,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,GetFocus,GetParent,GetParent,GetTickCount,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,GetTickCount,SetFocus,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,_memmove,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SetFocus,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,_memset,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount,0_2_0040A801
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_004074F5 GetWindowRect,GetParent,GetWindow,MonitorFromWindow,GetMonitorInfoW,IsIconic,GetWindowRect,SetWindowPos,0_2_004074F5
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_00411979 IsIconic,0_2_00411979
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_00411BDE IsIconic,GetWindowRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,0_2_00411BDE
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_004A9810 GetSystemInfo,SetFilePointerEx,SetFilePointerEx,GetLastError,SetFilePointerEx,GetLastError,ReadFile,GetLastError,CreateEventW,ReadFileScatter,GetLastError,GetLastError,GetLastError,CloseHandle,GetOverlappedResult,CloseHandle,0_2_004A9810
Source: mirrorto_setup.exe, 00000000.00000003.2052355500.0000000001282000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\3>c
Source: mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: C:\Users\user\Desktop\mirrorto_setup.exe API call chain: ExitProcess graph end node graph_0-60330
Source: C:\Users\user\Desktop\mirrorto_setup.exe API call chain: ExitProcess graph end node graph_0-62987
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_005A727E EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_005A727E
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_003FE3B0 GetProcessHeap,HeapAlloc,_memmove,GetFileAttributesW,HeapFree,GetLastError,0_2_003FE3B0
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_00585180 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00585180
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_003C1000 cpuid 0_2_003C1000
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: GetLocaleInfoEx,GetLocaleInfoW,0_2_0058B0B9
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_005A6300
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: EnumSystemLocalesW,0_2_0058B033
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: EnumSystemLocalesW,0_2_005A6574
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_005A65B4
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_005A6631
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_005A69D3
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_005A6B54
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_005635CB GetSystemTimeAsFileTime,0_2_005635CB
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_0059E7F2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0059E7F2
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_00598E12 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_00598E12
Source: C:\Users\user\Desktop\mirrorto_setup.exe Code function: 0_2_005ABE20 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_005ABE20
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 Input Capture | 2 System Time Discovery | Remote Services | 1 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 25 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
mirrorto_setup.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Dutchmirrorto_setup.exe, 00000000.00000003.2052077952.0000000001295000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052437466.0000000001281000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052355500.0000000001282000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini7.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Chineseu3mirrorto_setup.exe, 00000000.00000003.2051727460.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052269461.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052437466.0000000001281000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052160938.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052355500.0000000001282000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/downloader/carousel?pid=STR_PID&lang=STR_DIR1_NAMESTR_DIR2_NAMESTR_EXE_Nmirrorto_setup.exefalse
  • Avira URL Cloud: safe
unknown
http://www.baidu.commirrorto_setup.exe, 00000000.00000003.2055912540.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2055946392.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2055946392.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2056347486.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2056450567.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2056114628.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, home.xml, home_rtl.xmlfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Russianmirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2054910219.0000000001299000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini13.0.drfalse
  • Avira URL Cloud: safe
unknown
https://download.imyfone.com/mirrorto/mimirrorto_setup.exe, 00000000.00000003.2053158307.0000000001295000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/downloader/carousel?mirrorto_setup.exefalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=ChineseTWmirrorto_setup.exe, 00000000.00000003.2051727460.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052269461.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052437466.0000000001281000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052160938.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052355500.0000000001282000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini6.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Swedishmirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2055235176.000000000129A000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini15.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Spanishzvmirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Spanishmirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2055061787.000000000129A000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini14.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Portuguesemirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2054358014.0000000001298000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini12.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Indonesianmirrorto_setup.exe, 00000000.00000003.2052767009.0000000001295000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini1.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Malaysianmirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2053907085.0000000001297000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini10.0.drfalse
  • Avira URL Cloud: safe
unknown
https://download.imyfone.com/mirrorto/mirrorto_setup.exe6)mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Spanishmirrorto_setup.exe, 00000000.00000003.2055061787.000000000129A000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini14.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Chinesemirrorto_setup.exe, 00000000.00000003.2051727460.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052269461.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052437466.0000000001281000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052160938.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052355500.0000000001282000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini5.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Italianmirrorto_setup.exe, 00000000.00000002.3293685103.000000000123E000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052996980.0000000001296000.00000004.00000020.00020000.00000000.sdmp, UrlInfo.ini2.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Dutchb3?mirrorto_setup.exe, 00000000.00000003.2052269461.0000000001282000.00000004.00000020.00020000.00000000.sdmp, mirrorto_setup.exe, 00000000.00000003.2052160938.0000000001282000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=PortugueseUrlInfo.ini12.0.drfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/productumirrorto_setup.exe, 00000000.00000003.2054358014.0000000001298000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://apipdm.imyfone.club/producturl?keymirrorto_setup.exe, 00000000.00000003.2053609311.0000000001296000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467121
Start date and time:2024-07-03 17:59:34 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 21s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:mirrorto_setup.exe
Detection:CLEAN
Classification:clean6.winEXE@1/39@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 89%
  • Number of executed functions: 74
  • Number of non-executed functions: 255
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: mirrorto_setup.exe
No simulations
No context
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):453
Entropy (8bit):4.873891165045113
Encrypted:false
SSDEEP:12:nfIlYbwKsloY7dwBp8IVcy1lBPntFxvsv2KXFO5:wmbmRZQSaBPfMg5
MD5:ED20CE266786BCE495F993F77C075276
SHA1:A1A9C6CDD1C13CDF398E6ADED89827BE2E7CA887
SHA-256:CAD83F9936D8F54C6D9623C7B98314A15FCFCBAB4FA023FD08E639262C580BD7
SHA-512:464E806C58A21424A7EAAEEB00D64736A9368F6BEABDC24D6F88ACD90E39CBCC61BE7769C937D9D211C3985E6F3A4D9034C0F8885252F902AA77B7C14B4B964F
Malicious:false
Reputation:low
Preview:2024-07-03 12:00:26,873 LoadResZipFile.. 2024-07-03 12:00:27,373 Language Code:2057.. 2024-07-03 12:00:27,544 LoadDomainFile.. 2024-07-03 12:00:27,544 Domain:com_english..... 2024-07-03 12:00:27,544 UpdateWindowSate:kWindow_Init.. 2024-07-03 12:00:27,544 Windows Version:Windows 10 Pro.. 2024-07-03 12:00:27,544 Windows Bit:x64.. 2024-07-03 12:00:27,544 downloader version:4.3.0.1.. 2024-07-03 12:00:27,544 DownloadRatio:90 ==== ReadFileTimeout:1500..
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):680
Entropy (8bit):3.6356964741559157
Encrypted:false
SSDEEP:12:Q+e2fI4VWMMZqfI4VWMMfIFaIDP+fRlTYYKHuvheZ6aIDP+fRlTMKhed:Q+e2fIUMZqfIUMwaID4DTYvOhtaID4Di
MD5:1477D7A1B6D71E9CA299EFAD16EC62EF
SHA1:D289D64AC49C4E89763D73295FF1DD2AA77F6579
SHA-256:0C64B754F13CDA4288055D8D87BACFF19057F478ED0AC88EF3721F9B25F456FC
SHA-512:1F4C969486540D9B568FF3E0C9F46D94F9AC23E917D2AC68D4F82EC9E24C5119B8A27E8EA7A97C7320349F711630156E15300C6153F2A81CBCDA7CB972AB1872
Malicious:false
Reputation:low
Preview:..[.U.R.L.].....S.T.R._.D.O.W.N._.U.R.L.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.D.O.W.N._.U.R.L._.X.6.4.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.L.I.C.E.N.C.E._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.l.i.c.e.n.s.e._.a.g.r.e.e.m.e.n.t.&.p.i.d.=.3.7.0.&.l.a.n.g.=.a.r.a.b.i.c.....S.T.R._.I.N.S.T.A.L.L._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.i.n.s.t.a.l.l.e.d.&.p.i.d.=.3.7.0.&.l.a.n.g.=.a.r.a.b.i.c.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1806
Entropy (8bit):4.095701503143259
Encrypted:false
SSDEEP:24:Q+k+RyPInlrblMekrjHtekkH6xnellFdX68xxt/9kkSqtj388dHuCJnevLWcGfob:rtKIlflSNeQxn+FnV6EtrlFJG3Gfrlw
MD5:18F0A45B8FEE05F2AD547D483ACF16A6
SHA1:4CEE35F5357F7912991B04B5F0B3C646C5985E25
SHA-256:BC4A609A31234A066B449B780B9E0EB2F0B29AA08651191E5DAD98378FCB148C
SHA-512:F59E1D5F47D32B95A26D1F443A1D107FE9AA37FA3C26FB3EC70DB27F1F86468FC491A69A4B78D94CB462CBADB96649FFCC0E768248E6770CB4273AA4C213DDB5
Malicious:false
Reputation:low
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=.*.+.(.J.*.....S.T.R._.B.R.O.W.S.E.=.*.5.A.-.....S.T.R._.L.I.S.E.N.C.E.=. .{.c. .C.O.L.O.R.}.B.R.A.N.D. .'.*.A.'.B.J.). .*.1...J.5. .{./.c.}. .D.B./. .B.1.#.*. .H.H.'.A.B.*. .9.D.I.....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=.*...5.J.5. .'.D.*.+.(.J.*.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=.E.3.'.1. .'.D.*.+.(.J.*.....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=.-././. .E.H.B.9.K.'. .D.*.+.(.J.*. .'.D.(.1.F.'.E.,.....S.T.R._.S.T.O.R.A.G.E.=.E.3.'.-.). .*...2.J.F. .:.J.1. .C.'.A.J.)... .E.3.'.-.). .'.D.*...2.J.F. .'.D.E.7.D.H.(.).:. .....S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=...E.3.'.1. .'.D.*.+.(.J.*. .:.J.1. .5.'.D.-.....S.T.R._.I.N.S.T.A.L.L.I.N.G.=....... .,.'.1.M. .'.D.*.+.(.J.*.....S.T.R._.H.I.D.E.=.%...A.'.!.....S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.*.F.5.J.(. .P.R.O.D.U.C.T.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=...7.#. .A.J. .'.D.4.(.C.)... .J.1.,.I. .'.D.*.-.B.B. .E.F. .%.9./.'./.'.*. .'.D.4.(.C.). .'.D...'.5.). .(.C.......S.T.R._.O.P.E.R.A.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):692
Entropy (8bit):3.6397930000418564
Encrypted:false
SSDEEP:12:Q+e2fI4VWMMZqfI4VWMMfIFaIDP+fRlTYYKHuvh7g6aIDP+fRlTMKh7c:Q+e2fIUMZqfIUMwaID4DTYvOh73aID4E
MD5:13F247A6A657BAB6C9B7BEA6EC94C2CD
SHA1:5012D4065E96673DCF4D75878DD4B65EBA6B1F16
SHA-256:E2DEEC4387878ADDA59DD536924218ECB3A862561C1D9F0808798AFCABDC19EA
SHA-512:3E3006AB6B079AAEAF3D2D3DC31F2218E49F3C448C313B28B2F282D870E87B74FC2E36A3BECDC8215463B4D1C9E4D92C2DFC6CFCB029881B94810E70226DC326
Malicious:false
Reputation:low
Preview:..[.U.R.L.].....S.T.R._.D.O.W.N._.U.R.L.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.D.O.W.N._.U.R.L._.X.6.4.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.L.I.C.E.N.C.E._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.l.i.c.e.n.s.e._.a.g.r.e.e.m.e.n.t.&.p.i.d.=.3.7.0.&.l.a.n.g.=.C.h.i.n.e.s.e.T.W.....S.T.R._.I.N.S.T.A.L.L._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.i.n.s.t.a.l.l.e.d.&.p.i.d.=.3.7.0.&.l.a.n.g.=.C.h.i.n.e.s.e.T.W.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1004
Entropy (8bit):4.951504763956174
Encrypted:false
SSDEEP:24:Q+k+2kXGgfSlibwev+Hl7d28DxpSqnQ/V/4qvAw:rtnnqliEeA7d2shwV/4qvAw
MD5:AADF9863AC84C555821DA2E30B7363D5
SHA1:43922BC5DDB87A277FDACC696942088255B4E1D7
SHA-256:E1544073037A407D0E83DFDC96730FF4B774DC5A7E3E5E75D370BB27934BC68E
SHA-512:098ED0E723280CE1931096212EC525360D818C24631A79FF7836EEDD386392EE2CF5BBFFCE59C8A7812E282D7063E3BEFC09756601CBDB8239F64C29D135F5D1
Malicious:false
Reputation:low
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=..[.....S.T.R._.B.R.O.W.S.E.=..p......S.T.R._.L.I.S.E.N.C.E.=..b.]....&N.T.a{.c. .C.O.L.O.R.}.B.R.A.N.D.(u6bTSp.{./.c.}.....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=..[...S.[.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=..[.._....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=..x..d.[.._....S.T.R._.S.T.O.R.A.G.E.=..xzz...N...0..Blzz........S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=..[.._!qHe....S.T.R._.I.N.S.T.A.L.L.I.N.G.=.ck(W.[.................S.T.R._.H.I.D.E.=........S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.P.R.O.D.U.C.T. .S.e.t.u.p.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=..}./....0..j.g.`.v.}.-..[.0....S.T.R._.O.P.E.R.A.T.E._.T.I.P.=...d.0\Pbk.0.N.S.m.[.....d.0.f..0&N.Q!k.Vf.....d.0euN..0&N..N..p..hV.N...0....S.T.R._.S.O.F.T._.R.U.N.=.P.R.O.D.U.C.T.ck(WK.L..0|~.~.[..\.g7_6R...Qdk.z._.0.`.x.[..|~.~.[..U......S.T.R._.C.L.O.S.E._.T.I.P.1.=..`.x.[.....Q.U......S.T.R._.C.L.O.S.E._.T.I.P.2.=..[..N*g.[.b.0.`.x.[.....Q.U......S.T.R._.S.T.A.R.T.=.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):684
Entropy (8bit):3.6334590543766643
Encrypted:false
SSDEEP:12:Q+e2fI4VWMMZqfI4VWMMfIFaIDP+fRlTYYKHuvh7R6aIDP+fRlTMKh7l:Q+e2fIUMZqfIUMwaID4DTYvOh7saID4t
MD5:FAB7B7FCAE3F385AEB2A04C4D3A5FD49
SHA1:8A522406471153C87CEF4DA972EADA66789995E6
SHA-256:8279F83E222BC42C86EC3977F806722BDCA66EAC25A2A4ECE9FCC121D34CA5D3
SHA-512:FF3D272718CA233A5637BA255B71CC3A4254151EB0E61E6B5129F43328C30A1EE39E99C71C32660DB0B1BF87B5E736690CE4B67F402715A8A038B7F7EC7CA5F3
Malicious:false
Reputation:low
Preview:..[.U.R.L.].....S.T.R._.D.O.W.N._.U.R.L.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.D.O.W.N._.U.R.L._.X.6.4.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.L.I.C.E.N.C.E._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.l.i.c.e.n.s.e._.a.g.r.e.e.m.e.n.t.&.p.i.d.=.3.7.0.&.l.a.n.g.=.C.h.i.n.e.s.e.....S.T.R._.I.N.S.T.A.L.L._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.i.n.s.t.a.l.l.e.d.&.p.i.d.=.3.7.0.&.l.a.n.g.=.C.h.i.n.e.s.e.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):996
Entropy (8bit):4.929648285962981
Encrypted:false
SSDEEP:24:Q+k+28XH2lCLVejBl71hEDxOSqbzd0SSubYAuZfn:rtPH2lCe/71hU+fiSSubYAuZfn
MD5:4C26C9F59C97D5AED8A3610E4A4772FA
SHA1:9BD5655A94F87AAEF2FDCA423F55B3312B5E2B6D
SHA-256:DEAA80415D0B4BC1EA3EA245D2BA0DA6E883542F9B2B087F90B1017E10B610DD
SHA-512:00BCED223D31054EFA881C5280452AB73AAA1AE294237E22093B830583D398BB53ACA21AE0C252418D58702CB49C090A6A56B8D89C38429D8CD15898A07A0EF6
Malicious:false
Reputation:low
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=..[.....S.T.R._.B.R.O.W.S.E.=.Om.....S.T.R._.L.I.S.E.N.C.E.=..b.]....v^.T.a{.c. .C.O.L.O.R.}.B.R.A.N.D.(u7bOS..{./.c.}.....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=..[IN.[.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=..[.._....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=......b.[.._....S.T.R._.S.T.O.R.A.G.E.=..x.vzz...N...0@b..zz........S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=..[.._.eHe....S.T.R._.I.N.S.T.A.L.L.I.N.G.=.ck(W.[.................S.T.R._.H.I.D.E.=........S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.P.R.O.D.U.C.T. .S.e.t.u.p.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=.Q..~....0...h.g.`.vQ..~..n..0....S.T.R._.O.P.E.R.A.T.E._.T.I.P.=..p.Q. -Nbk. .S.m.[....p.Q. ... .N...[....b.p.Q. ._eu. ...Om.hV.N}..0....S.T.R._.S.O.F.T._.R.U.N.=.P.R.O.D.U.C.T.ck(W.L..0.~.~.[..\...QS_MR.z.^...`...~.~.[..T......S.T.R._.C.L.O.S.E._.T.I.P.1.=..`nx.[.....Q.T......S.T.R._.C.L.O.S.E._.T.I.P.2.=..[..\*g.[.b...`nx.[.....Q.T......S.T.R._.S.T.A.R.T.=.._.Y
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):676
Entropy (8bit):3.6411254101377373
Encrypted:false
SSDEEP:12:Q+e2fI4VWMMZqfI4VWMMfIFaIDP+fRlTYYKHuvhHy6aIDP+fRlTMKhm:Q+e2fIUMZqfIUMwaID4DTYvOhHxaID4y
MD5:44F12BE424D73AED01CC21F0260B64A9
SHA1:25167FFED38CA563C592EF07A0D07F609A6EE115
SHA-256:424F010BBC877D24B08484281CAC1F19B91F6B2840C179FF7E06202FB0F1E61A
SHA-512:101805EC1EEDA21EBF4892CDFEEBAE59986A794FA58E3A8002969101BDEEFC683E3EB56D089C25B19D1DB16D3A58EEF8A2E039D9FBBF271159B19B8283A38BE2
Malicious:false
Reputation:low
Preview:..[.U.R.L.].....S.T.R._.D.O.W.N._.U.R.L.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.D.O.W.N._.U.R.L._.X.6.4.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.L.I.C.E.N.C.E._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.l.i.c.e.n.s.e._.a.g.r.e.e.m.e.n.t.&.p.i.d.=.3.7.0.&.l.a.n.g.=.D.u.t.c.h.....S.T.R._.I.N.S.T.A.L.L._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.i.n.s.t.a.l.l.e.d.&.p.i.d.=.3.7.0.&.l.a.n.g.=.D.u.t.c.h.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):2056
Entropy (8bit):3.579938831140077
Encrypted:false
SSDEEP:48:rt8BYrZlHeq6S5D5YeqQ9dDWLtyHdkqKIWMO6sZ:rt8+NlJCbYDKG1O6sZ
MD5:EB91B75E9502088C6A6C15D453ABD834
SHA1:E5A419282C55AEE89298E939E86B3C3ECBF95519
SHA-256:D2F992FB399C47C04A85152BEB3C347FA0921A0985A63DBA886CA49D7CE20AAF
SHA-512:05E827D89D70D0D8D8EF9DE2E6E492B273575621A6AFDA5CE69310A53EA4FC14FD2D56911E77DEBF9DB8B1512FD021E3509373A1703B4DC7A5DDB56DAE6FB986
Malicious:false
Reputation:low
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=.I.n.s.t.a.l.l.e.r.e.n.....S.T.R._.B.R.O.W.S.E.=.B.r.o.w.s.e.n.....S.T.R._.L.I.S.E.N.C.E.=.I.k. .h.e.b. .d.e. .{.c. .C.O.L.O.R.}.B.R.A.N.D.-.l.i.c.e.n.t.i.e.o.v.e.r.e.e.n.k.o.m.s.t.{./.c.}. .g.e.l.e.z.e.n. .e.n. .i.k. .g.a. .e.r.m.e.e. .a.k.k.o.o.r.d.....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=.I.n.s.t.a.l.l.a.t.i.e. .a.a.n.p.a.s.s.e.n.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=.I.n.s.t.a.l.l.a.t.i.e.p.a.d.....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=.S.e.l.e.c.t.e.e.r. .e.e.n. .l.o.c.a.t.i.e. .o.m. .h.e.t. .p.r.o.g.r.a.m.m.a. .t.e. .i.n.s.t.a.l.l.e.r.e.n.....S.T.R._.S.T.O.R.A.G.E.=.O.n.v.o.l.d.o.e.n.d.e. .o.p.s.l.a.g... .O.p.s.l.a.g. .v.e.r.e.i.s.t.:. .....S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=.H.e.t. .i.n.g.e.v.o.e.r.d.e. .p.a.d. .i.s. .o.n.g.e.l.d.i.g.......S.T.R._.I.N.S.T.A.L.L.I.N.G.=.B.e.z.i.g. .m.e.t. .h.e.t. .i.n.s.t.a.l.l.e.r.e.n...........S.T.R._.H.I.D.E.=.V.e.r.b.e.r.g.e.n.....S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.P.R.O.D.U.C.T. .S.e.t.u.p.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):684
Entropy (8bit):3.642438767945321
Encrypted:false
SSDEEP:12:Q+e2fI4VWMMZqfI4VWMMfIFaIDP+fRlTYYKHuvhuivy6aIDP+fRlTMKhu1:Q+e2fIUMZqfIUMwaID4DTYvOhuoxaIDv
MD5:A7AF9EF96697343DE86553F865358464
SHA1:EE4CFA06EE5D86574A217F6A58019C0D9B5A40F5
SHA-256:06DEAD4353E1F7B8C22271997FA211E1E388322181459C2805DE5953605C203A
SHA-512:169CDCC59FB086C4AFEEE09A427A39B77635C6462B208DCA1AA40BCF7BA94342EADFD0AF9FE267A9C22211754BA994B04E27755D4CCA551E2BC178CC0CE8ABD8
Malicious:false
Reputation:low
Preview:..[.U.R.L.].....S.T.R._.D.O.W.N._.U.R.L.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.D.O.W.N._.U.R.L._.X.6.4.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.L.I.C.E.N.C.E._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.l.i.c.e.n.s.e._.a.g.r.e.e.m.e.n.t.&.p.i.d.=.3.7.0.&.l.a.n.g.=.E.n.g.l.i.s.h.....S.T.R._.I.N.S.T.A.L.L._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.i.n.s.t.a.l.l.e.d.&.p.i.d.=.3.7.0.&.l.a.n.g.=.E.n.g.l.i.s.h.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1774
Entropy (8bit):3.610909624822216
Encrypted:false
SSDEEP:48:rt4LtCli454eqGVjQZiySDze5M/ObBFatetRntOnktCQt:rt4LklxrQZhg1gkdQt
MD5:6D4B954917B8555ACA6E1F581F6F7FDA
SHA1:307FD8BC0D0A1CD9359EC1B9B36C4006D53E7196
SHA-256:368275E355DC8FCFDD1A23E8126FB67A2C88FEF86C8F924C3778FB9783F7E4D5
SHA-512:091045C84D5EBB179DFCAE5BB4ED1D971453795F7D31009893983A0D0DECAE4D46F3D9FF20593C4D4101AA7D4644BA6251A4653A64F7496786937235A4A2483A
Malicious:false
Reputation:low
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=.I.n.s.t.a.l.l.....S.T.R._.B.R.O.W.S.E.=.B.r.o.w.s.e.....S.T.R._.L.I.S.E.N.C.E.=.I.'.v.e. .r.e.a.d. .a.n.d. .a.g.r.e.e.d. .t.o. .{.c. .C.O.L.O.R.}.B.R.A.N.D. .L.i.c.e.n.s.e. .A.g.r.e.e.m.e.n.t.{./.c.}.....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=.C.u.s.t.o.m.i.z.e. .I.n.s.t.a.l.l.a.t.i.o.n.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=.I.n.s.t.a.l.l.a.t.i.o.n. .P.a.t.h.....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=.S.e.l.e.c.t. .a. .l.o.c.a.t.i.o.n. .t.o. .i.n.s.t.a.l.l. .t.h.e. .p.r.o.g.r.a.m.....S.T.R._.S.T.O.R.A.G.E.=.I.n.s.u.f.i.c.i.e.n.t. .s.t.o.r.a.g.e... .S.t.o.r.a.g.e. .r.e.q.u.i.r.e.d.:. .....S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=.T.h.e. .i.n.s.t.a.l.l.a.t.i.o.n. .p.a.t.h. .i.s. .i.n.v.a.l.i.d.......S.T.R._.I.N.S.T.A.L.L.I.N.G.=.I.n.s.t.a.l.l.i.n.g...........S.T.R._.H.I.D.E.=.H.i.d.e.....S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.P.R.O.D.U.C.T. .S.e.t.u.p.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=.N.e.t.w.o.r.k. .e.r.r.o.r... .P.l.e.a.s.e. .c.h.e.c.k. .y.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):680
Entropy (8bit):3.6427184237043146
Encrypted:false
SSDEEP:12:Q+e2fI4VWMMZqfI4VWMMfIFaIDP+fRlTYYKHuvhtlgoy6aIDP+fRlTMKhtlg1:Q+e2fIUMZqfIUMwaID4DTYvOhXgoxaIV
MD5:168BF2F99E169A748037430BA4701541
SHA1:2E102E3D126851782C3A84B1AD675DBDE8F63606
SHA-256:855DAD90753D9D6E01892352B327944BB52E67C80E6505D9BB35F3C55288AA79
SHA-512:37F8A41F02F7FF6AB637D00E543A4580E4A5490E33DF7974B0A4758C288F85F4B7A0D55B67283774EEF044EEBA5118C4C021B3138CA38E47ADF8FE938C5D93CA
Malicious:false
Reputation:low
Preview:..[.U.R.L.].....S.T.R._.D.O.W.N._.U.R.L.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.D.O.W.N._.U.R.L._.X.6.4.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.L.I.C.E.N.C.E._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.l.i.c.e.n.s.e._.a.g.r.e.e.m.e.n.t.&.p.i.d.=.3.7.0.&.l.a.n.g.=.F.r.e.n.c.h.....S.T.R._.I.N.S.T.A.L.L._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.i.n.s.t.a.l.l.e.d.&.p.i.d.=.3.7.0.&.l.a.n.g.=.F.r.e.n.c.h.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1940
Entropy (8bit):3.639128149179361
Encrypted:false
SSDEEP:48:rt96jkENVOlOmeGDoO4O1VMLmlWFbA7DCc1c8sW:rt96xvOlxDoW1OLJb5W
MD5:6CE3DAE135C6B7A02AFED123577B2B5B
SHA1:A5DF5ACB362DDAC411398811A6E9EC0EB0E3EDF4
SHA-256:FFCA8E2FA72A7437BE33BCFD53AB85C4BC57A2DF841EC2C0BA5F831F52BEB50C
SHA-512:6A86FD1DA07D6013603C518725F72CF3915A5D13120A527E7D09D55248FFE10A0AB6784064F95526AA28823BF12DABD994AF90DC6E298DB1740D40ED8423B1AC
Malicious:false
Reputation:low
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=.I.n.s.t.a.l.l.e.r.....S.T.R._.B.R.O.W.S.E.=.P.a.r.c.o.u.r.i.r.....S.T.R._.L.I.S.E.N.C.E.=.J.'.a.i. .l.u. .e.t. .a.c.c.e.p.t... .l.e. .{.c. .C.O.L.O.R.}.C.o.n.t.r.a.t. .d.e. .L.i.c.e.n.c.e. .B.R.A.N.D.{./.c.}.....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=.P.e.r.s.o.n.n.a.l.i.s.e.r. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=.C.h.e.m.i.n. .d.'.i.n.s.t.a.l.l.a.t.i.o.n.....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=.S...l.e.c.t.i.o.n.n.e.r. .u.n. .d.o.s.s.i.e.r.....S.T.R._.S.T.O.R.A.G.E.=.S.t.o.c.k.a.g.e. .i.n.s.u.f.f.i.s.a.n.t... .S.t.o.c.k.a.g.e. .r.e.q.u.i.s. .:. .....S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=.L.e. .c.h.e.m.i.n. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .n.'.e.s.t. .p.a.s. .v.a.l.i.d.e.......S.T.R._.I.N.S.T.A.L.L.I.N.G.=.I.n.s.t.a.l.l.a.t.i.o.n...........S.T.R._.H.I.D.E.=.C.a.c.h.e.r.....S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.P.R.O.D.U.C.T. .S.e.t.u.p.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=.E.r.r.e.u.r. .d.e. .r...s.e.a.u... .
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):680
Entropy (8bit):3.637822382550987
Encrypted:false
SSDEEP:12:Q+e2fI4VWMMZqfI4VWMMfIFaIDP+fRlTYYKHuvhJc6aIDP+fRlTMKhJg:Q+e2fIUMZqfIUMwaID4DTYvOh9aID4Di
MD5:E59BA73C4A223A4BF896C844AEAC9816
SHA1:3D2501DF64B7C8DB877C9D8598B6CF4EA2F3A90C
SHA-256:0D78400EE3FB94C414637DF6B275CB35C9D82BD3FDA365A25A6874D09315ADBC
SHA-512:67A386E9854B44B936C9DB1D1D707945F9C068C1650A15D0C14D1663EE1D0460BB0DB2E27DDC3D6D2FFE2D7E95504ECDC3E623D9EEF156E23B85D4AEC3BC4C16
Malicious:false
Preview:..[.U.R.L.].....S.T.R._.D.O.W.N._.U.R.L.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.D.O.W.N._.U.R.L._.X.6.4.=.h.t.t.p.s.:././.d.o.w.n.l.o.a.d...i.m.y.f.o.n.e...c.o.m./.m.i.r.r.o.r.t.o./.m.i.r.r.o.r.t.o._.s.e.t.u.p...e.x.e.....S.T.R._.L.I.C.E.N.C.E._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.l.i.c.e.n.s.e._.a.g.r.e.e.m.e.n.t.&.p.i.d.=.3.7.0.&.l.a.n.g.=.G.e.r.m.a.n.....S.T.R._.I.N.S.T.A.L.L._.U.R.L.=.h.t.t.p.s.:././.a.p.i.p.d.m...i.m.y.f.o.n.e...c.l.u.b./.p.r.o.d.u.c.t.u.r.l.?.k.e.y.=.i.n.s.t.a.l.l.e.d.&.p.i.d.=.3.7.0.&.l.a.n.g.=.G.e.r.m.a.n.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):2154
Entropy (8bit):3.597375869372787
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL=Installieren
STR_BROWSE=Durchsuche
STR_LISENCE=Ich habe die {c COLOR}BRAND-Lizenzvereinbarung{/c} gelesen und akzeptiert
STR_CUSTOMIZE_INSTALL=Anpassen
STR_INSTALL_PATH=Installationspfad
STR_SELECT_FOLDER=Wählen Sie einen Speicherort aus, um das Programm zu installieren
STR_STORAGE=Unzureichender Speicher. Erforderlicher Speicherplatz:
STR_PATH_INVALID=Der Installationspfad ist ungültig.
STR_INSTALLING=Installieren...
STR_HIDE=Ausblenden
STR_MESSAGEBOX_TITLE=PRO
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):696
Entropy (8bit):3.6255851589571737
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Indonesian
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Indonesian
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):2050
Entropy (8bit):3.568207478021325
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL = Install
STR_BROWSE = Jelajahi
STR_LISENCE = Saya telah membaca dan menyetujui {c COLOR}Perjanjian Lisensi BRAND{/c}
STR_CUSTOMIZE_INSTALL = Sesuaikan Instalasi
STR_INSTALL_PATH = Jalur Instalasi
STR_SELECT_FOLDER = Pilih lokasi untuk menginstal program
STR_STORAGE = Tidak cukup ruang disk. Ruang yang diperlukan:
STR_PATH_INVALID = Jalur penginstalan tidak valid.
STR_INSTALLING = Menginstal...
STR_HIDE = Sembunyikan
STR_MESSAGEBOX_TITLE = Pengaturan PRODUCT
STR
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):684
Entropy (8bit):3.632474363040401
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Italian
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Italian
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1990
Entropy (8bit):3.567521962953411
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL=Installa
STR_BROWSE=Naviga
STR_LISENCE=Ho letto e accetto l'Accordo di {c COLOR}Licenza di BRAND{/c}
STR_CUSTOMIZE_INSTALL=Personalizza Installazione
STR_INSTALL_PATH=Percorso di Installazione
STR_SELECT_FOLDER=Seleziona una posizione per installare il programma
STR_STORAGE=Stoccaggio insufficiente. Memoria richiesta:
STR_PATH_INVALID=Il percorso che hai inserito non è valido.
STR_INSTALLING=Installazione...
STR_HIDE=Nascondi
STR_MESSAGEBOX_TITLE=PRODUCT Setup
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):688
Entropy (8bit):3.635921741631349
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Japanese
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Japanese
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1296
Entropy (8bit):4.874263587094267
Encrypted:false
Malicious:false
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=..0.0.0.0.0.0....S.T.R._.B.R.O.W.S.E.=..Sgq....S.T.R._.L.I.S.E.N.C.E.=..N...0.0.0.0.0.0.0{.c. .C.O.L.O.R.}.B.R.A.N.D..O(u.b..QY.}{./.c.}.n0.Q.[.0.x..W0.T.aW0~0Y0....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=..0.0.0.0.0.0.0.0.0.0....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=..0.0.0.0.0.0.0.0.0....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=..0.0.0.0.0.0Y0.0.0.0.0.0.0x..b....S.T.R._.S.T.O.R.A.G.E.=..0.0.0.0.0.N...0._..j0zzM0.[.......S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=..0.0.0.0.0.0.0.0.0L0!q.Rg0Y0.0....S.T.R._.I.N.S.T.A.L.L.I.N.G.=..0.0.0.0.0.0W0f0D0~0Y0..........S.T.R._.H.I.D.E.=...Y0....S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.P.R.O.D.U.C.T. .S.e.t.u.p.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=..0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.}.0.x..W0f0O0`0U0D0.0....S.T.R._.O.P.E.R.A.T.E._.T.I.P.=..0.0.0.0.0.0.0-NbkY0.04X.To0.0-Nbk.0.0.0.0.0.vY04X.To0.0.Qf.L..0.0.0.0.0.0.0L}1ug0.0.0.0.0.0.0Y0.04X.To0.0!q...0.0.0.0.0.0W0f0O0`0U0D0.0....S.T.R._.S.O.F.T._.R.U.N.=.P.R.O.D.U.C.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):680
Entropy (8bit):3.636099895618664
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Korean
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Korean
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1246
Entropy (8bit):4.959255698719715
Encrypted:false
Malicious:false
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=.$.X.....S.T.R._.B.R.O.W.S.E.=.........S.T.R._.L.I.S.E.N.C.E.=.{.c. .C.O.L.O.R.}.B.R.A.N.D. .|.t. ... ..}.{./.c.}.D. .}.. ..X.i.......S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=..... ...X... .$.X.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=.$.X. ...X.....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=.$.X. ...X.|. . ...X.8.......S.T.R._.S.T.O.R.A.G.E.=.... .....t. ...q.i..... .... .... .....:. .....S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=.$.X. ...X... . ..X... .J.L.....S.T.R._.I.N.S.T.A.L.L.I.N.G.=.$.X. .............S.T.R._.H.I.D.E.=.(.0.0.....S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=.P.R.O.D.U.C.T. .S.e.t.u.p.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=.$.....l. .$.X. ............ .$.....l. .$...D. .U.x.X.8.........S.T.R._.O.P.E.R.A.T.E._.T.I.P.=.$.X.|. ....X.$.t. .'....'.D. .t..X.. ......X.$.t. .'.... ....'.|. .t..X.. ...|.....|. ...t. ...\..X.$.t. .'.4...'.|. .t..X.8.........S.T.R._.S.O.F.T._.R.U.N.=.P.R.O.D.U.C.T. .... ........ .... .$.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):692
Entropy (8bit):3.6408844771127358
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Malaysian
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Malaysian
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1942
Entropy (8bit):3.5286500656143134
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL = Pasang
STR_BROWSE = Layari
STR_LISENCE = Telah membaca dan setuju untuk {c COLOR}Perjanjian Lesen BRAND{/c}
STR_CUSTOMIZE_INSTALL = Ubahsuai Pemasangan
STR_INSTALL_PATH = Laluan Pemasangan
STR_SELECT_FOLDER = Pilih lokasi untuk memasang program
STR_STORAGE = Penyimpanan tidak mencukupi. Penyimpanan diperlukan:
STR_PATH_INVALID = Laluan pemasangan tidak sah.
STR_INSTALLING = Memasang…
STR_HIDE = Sembunyikan
STR_MESSAGEBOX_TITLE = Pemasang PRODUCT
STR_NETWORK_ER
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):680
Entropy (8bit):3.6425658665457776
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Polish
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Polish
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1920
Entropy (8bit):3.818884983052577
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL=Zainstalować
STR_BROWSE=Przeglądaj
STR_LISENCE=Przeczytałem i zgadzam się z {c COLOR}Umową licencyjną marki{/c}
STR_CUSTOMIZE_INSTALL=Instalacja Anpassy
STR_INSTALL_PATH=Ścieżka instalacji
STR_SELECT_FOLDER=Wybierz lokalizację do zainstalowania programu
STR_STORAGE=Niewystarczająca pamięć. Wymagane przechowywanie:
STR_PATH_INVALID=Ścieżka instalacji jest nieprawidłowa.
STR_INSTALLING=instalowanie...
STR_HIDE=Ukryć
STR_MESSAGEBOX_TITLE=PRODUCT Setup
STR_NETWORK_E
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):696
Entropy (8bit):3.633134725118062
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Portuguese
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Portuguese
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):2012
Entropy (8bit):3.6222731761816256
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL=Instalar
STR_BROWSE=Navegar
STR_LISENCE=Eu li e concordo com o {c COLOR}Acordo de Licença BRAND{/c}
STR_CUSTOMIZE_INSTALL=Instalação Personalizada
STR_INSTALL_PATH=Caminho de instalação
STR_SELECT_FOLDER=Selecione um local para instalar o programa
STR_STORAGE=Armazenamento insuficiente. Armazenamento necessário:
STR_PATH_INVALID=O caminho de instalação é inválido.
STR_INSTALLING=Instalando ...
STR_HIDE=Esconder
STR_MESSAGEBOX_TITLE=PRODUCT Setup
STR_NETWORK_ERR
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):684
Entropy (8bit):3.6316978947843084
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Russian
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Russian
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1924
Entropy (8bit):4.108621395277506
Encrypted:false
Malicious:false
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=.#.A.B.0.=.>.2.8.B.L.....S.T.R._.B.R.O.W.S.E.=...@.>.A.<.>.B.@.5.B.L.....S.T.R._.L.I.S.E.N.C.E.=./. .?.@.>.G.8.B.0.;. .8. .A.>.3.;.0.A.5.=. .A. .{.c. .C.O.L.O.R.}...8.F.5.=.7.8.>.=.=.>.5. .A.>.3.;.0.H.5.=.8.5. .B.R.A.N.D.{./.c.}.......S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=...0.A.B.@.>.8.B.L. .C.A.B.0.=.>.2.:.C.....S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=.?.C.B.L. .C.A.B.0.=.>.2.:.8.....S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=...>.6.0.;.C.9.A.B.0.,. .2.K.1.5.@.8.B.5. .?.C.B.L. .C.A.B.0.=.>.2.:.8.....S.T.R._.S.T.O.R.A.G.E.=...5.4.>.A.B.0.B.>.G.=.>. .<.5.A.B.0. .=.0. .4.8.A.:.5... .".@.5.1.C.5.<.>.5. .?.@.>.A.B.@.0.=.A.B.2.>.:.....S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=...C.B.L. .C.A.B.0.=.>.2.:.8. .=.5.2.5.@.5.=.....S.T.R._.I.N.S.T.A.L.L.I.N.G.=.#.A.B.0.=.>.2.:.0.................S.T.R._.H.I.D.E.=.A.:.@.K.2.0.B.L.....S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=...0.A.B.@.>.9.:.0. .P.R.O.D.U.C.T.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=...>.7.=.8.:.;.0. .>.H.8.1.
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):684
Entropy (8bit):3.635053629762666
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Spanish
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Spanish
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):2004
Entropy (8bit):3.577424347314005
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL=Instalar
STR_BROWSE=Navegar
STR_LISENCE=He leído y acepto el {c COLOR}Acuerdo de Licencia de BRAND{/c}
STR_CUSTOMIZE_INSTALL=Personalizar la instalación
STR_INSTALL_PATH=Ruta de instalación
STR_SELECT_FOLDER=Seleccionar una ubicación para instalar el programa
STR_STORAGE=Espacio de almacenamiento insuficiente. Espacio requerido:
STR_PATH_INVALID=La ruta de instalación no es válida.
STR_INSTALLING=Instalando...
STR_HIDE=Esconder
STR_MESSAGEBOX_TITLE=PRODUCT Setup
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):684
Entropy (8bit):3.6387618171431955
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Swedish
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Swedish
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1896
Entropy (8bit):3.6525600235857465
Encrypted:false
Malicious:false
Preview:
[LANSTR]
STR_INSTALL=Installera
STR_BROWSE=Bläddra
STR_LISENCE=Jag har läst och samtyckt till {c COLOR}BRAND License Agreement{/c}
STR_CUSTOMIZE_INSTALL=Anpassa installationen
STR_INSTALL_PATH=Installationsväg
STR_SELECT_FOLDER=Välj en plats för att installera programmet
STR_STORAGE=Otillräcklig förvaring. Förvaring krävs:
STR_PATH_INVALID=Installationssökvägen är ogiltig.
STR_INSTALLING=Installerar...
STR_HIDE=Dölj
STR_MESSAGEBOX_TITLE=PRODUCT Setup
STR_NETWORK_ERROR=Nätverksfel. K
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):672
Entropy (8bit):3.6387388161615313
Encrypted:false
Malicious:false
Preview:
[URL]
STR_DOWN_URL=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_DOWN_URL_X64=https://download.imyfone.com/mirrorto/mirrorto_setup.exe
STR_LICENCE_URL=https://apipdm.imyfone.club/producturl?key=license_agreement&pid=370&lang=Thai
STR_INSTALL_URL=https://apipdm.imyfone.club/producturl?key=installed&pid=370&lang=Thai
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):1742
Entropy (8bit):4.272614718218967
Encrypted:false
SSDEEP:48:rtlFIhlLsB1ejv4BMZKPuhsBkJNWBs8IwEvYNTNXNiMIkcwfnJ8Jl8:rt/IhlATBPPuG04wGo8
MD5:3159276DB70D5DDF4DE3B7B3A4AE5790
SHA1:9D80FCEC3ADCBC125C3215C70F17625FF321C5AB
SHA-256:98FEFFCBB4182201E78361CB3E26E524508CBBD393ADC200ABF24DF7EE29537D
SHA-512:B50262191EDBA6062AF48EEE85CA5AB570590B3DBF17BC9D9D7B22540C68DD515A3152A075009D3BEC4AC8B2245D5D1D06E450D60E027311BC46AB41A80CBF0E
Malicious:false
Preview:..[.L.A.N.S.T.R.].....S.T.R._.I.N.S.T.A.L.L.=...4.....1.I.......S.T.R._.B.R.O.W.S.E.=.@.#.5.".....9.....S.T.R._.L.I.S.E.N.C.E.=...1...D...I.-.H.2...A.%.0.".-.!.#.1... .{.c. .C.O.L.O.R.}...I.-.....%...C...-...8...2... .B.R.A.N.D.{./.c.}.....S.T.R._.C.U.S.T.O.M.I.Z.E._.I.N.S.T.A.L.L.=...#.1...A...H.....2.#...4.....1.I.......S.T.R._.I.N.S.T.A.L.L._.P.A.T.H.=.@.*.I.....2.....2.#...4.....1.I.......S.T.R._.S.E.L.E.C.T._.F.O.L.D.E.R.=.@.%.7.-.....3.A.+...H.....5.H...0...4.....1.I...B...#.A...#.!.....S.T.R._.S.T.O.R.A.G.E.=...5.H...1...@...G...D.!.H.@...5.".....-. ...7.I.....5.H.@...G.....I.-.!.9.%...5.H...I.-.....2.#.:.....S.T.R._.P.A.T.H._.I.N.V.A.L.I.D.=.@.*.I.....2.....2.#...4.....1.I...D.!.H...9.....I.-.......S.T.R._.I.N.S.T.A.L.L.I.N.G.=...3.%.1.....4.....1.I.............S.T.R._.H.I.D.E.=...H.-.......S.T.R._.M.E.S.S.A.G.E.B.O.X._.T.I.T.L.E.=...2.#...4.....1.I... .P.R.O.D.U.C.T.....S.T.R._.N.E.T.W.O.R.K._.E.R.R.O.R.=.@...#.7.-...H.2."...4.....%.2... .B...#.....#.'...*.-.....2.#...1.I.....
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):263
Entropy (8bit):4.900043304984272
Encrypted:false
SSDEEP:6:SE47bN5/9kjD5n1hyMyTSTFmx27uvM/oUAn4jLn:SDs93yMyTHx/A
MD5:EFD95F925E8D6F780641287E01EA3746
SHA1:AA6B1F26F7703432D11320EA7188F8F3A4957276
SHA-256:6471D06E400B74C860278B57BA94BE3941573D3DF2840EEBAD5D38E45D4E26A4
SHA-512:37B3124DF4AD88229C029B3AE729140ABE1DA1A0D28CCCE8DB6C2D74D18290DA7638EE766FA6B3B35C77798AE7C06304609E38FABCC14F154AA6DE884053AFC4
Malicious:false
Preview:[Language]..1033=English..2052=Chinese..1028=ChineseTW..1043=Dutch..1036=French..1031=German..1040=Italian..1041=Japanese..3082=Spanish..2070=Portuguese..1042=Korean..1025=Arabic..1054=Thai..1057=Indonesian..1086=Malaysian..1053=Swedish..1045=Polish..1049=Russian
Process:C:\Users\user\Desktop\mirrorto_setup.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):484
Entropy (8bit):3.436022239196749
Encrypted:false
SSDEEP:12:Q+WmzRUOfmLaUOf4EaUOGfaUOf3fH9SViqWOSaUOQMYP:Q+b5P5w/5GS5fEVp55MP
MD5:87DCCC032D825B7226DDF5979BFA0733
SHA1:69860AAE4FDB02BCA3B765B62E0CDF16DD41ED17
SHA-256:ABD44D8BFAACB0D3DA2B9BCE9013D4642514E319583A561C2A724221846DB17A
SHA-512:45CE88286E64BC731EE16040E8F1D7A143B39755650553664C767B8204D74D1862C7D4E413651B88CDA39F48A29F8B78C2DA1D7C38519F48D2FF144F91796FA6
Malicious:false
Preview:..[.P.R.O.D.U.C.T.].....S.T.R._.G.A._.T.T.T.L.E.=.i.M.y.F.o.n.e. .M.i.r.r.o.r.T.o.....S.T.R._.P.R.O.D.U.C.T._.N.A.M.E.=.i.M.y.F.o.n.e. .M.i.r.r.o.r.T.o.....S.T.R._.D.I.R.1._.N.A.M.E.=.i.M.y.F.o.n.e.....S.T.R._.D.I.R.2._.N.A.M.E.=.i.M.y.F.o.n.e. .M.i.r.r.o.r.T.o.....S.T.R._.E.X.E._.N.A.M.E.=.M.i.r.r.o.r.T.o...e.x.e.....S.T.R._.L.I.S.E.N.C.E._.C.O.L.O.R.=.#.3.3.7.B.D.D.....S.T.R._.B.R.A.N.D._.N.A.M.E.=.i.M.y.F.o.n.e.....S.T.R._.R.U.N._.A.S._.A.D.M.I.N.=.1.....S.T.R._.P.I.D.=.3.7.0.
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.707089667356964
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.81%
  • Windows ActiveX control (116523/4) 1.15%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:mirrorto_setup.exe
File size:2'891'216 bytes
MD5:d75d8acc3266e89d6c66fe0e0df367f4
SHA1:c0992c765155d911407745ed8304361b829ea2df
SHA256:6aeca8fb7a286e161a6cb63e73de78775d2bf6d031b3d1db883bf73f6c1e54b0
SHA512:4109ea0c95be78d4db8c65aff14e52d1ef23957710cb0c26451838d4f504bd2274312635dc9bfd54d5b40f17dbfc99010ee691f067040885bcd68063b75e96fd
SSDEEP:49152:zdhmwgAxRbnl4Jp9DJn7CWya3Nn9PxYPZaaC6m5TmfPvWz:zdcwgAxRqhJ7CWya3VXa+
TLSH:83D5BF12B782C172E69302B19A7AA77E453DFA20173895C7D3C81E1D4D706D36B3A3A7
File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........7<..VR..VR..VR.{....VR......VR......VR.....hVR......WR......VR......VR..VS..WR..VR..VR.P....VR.P...0WR.P....VR......VR..V...VR
Icon Hash:7069ccc4ec6cf030
Entrypoint:0x5bb374
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x65F16D1F [Wed Mar 13 09:08:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:9be665f8de63fff514b64bd6a1b0cc9f
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 28/08/2023 02:00:00 04/08/2026 01:59:59
Subject Chain
  • CN="Shenzhen iMyFone Technology Co., Ltd", O="Shenzhen iMyFone Technology Co., Ltd", L=\u6df1\u5733\u5e02, S=\u5e7f\u4e1c\u7701, C=CN, SERIALNUMBER=914403003425095958, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=\u5357\u5c71\u533a, OID.1.3.6.1.4.1.311.60.2.1.2=\u5e7f\u4e1c\u7701, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Version:3
Thumbprint MD5:022D55F584EFD4C8CF04677B426F9DB6
Thumbprint SHA-1:EDD8199F09F517C3BDF6816AE2771C0D4FD8C37E
Thumbprint SHA-256:E25B244008014FEE68B956C9AF98F3855CE698FB83BB19BCFB77C3241F6A0B08
Serial:0875BD87D01F1AB9E654EC765BED6F16
Instruction
call 00007F21E08CFA1Bh
jmp 00007F21E08B75A4h
push ebp
mov ebp, esp
cmp dword ptr [00694368h], 00000000h
jne 00007F21E08B7797h
mov edx, dword ptr [ebp+08h]
test edx, edx
jne 00007F21E08B7739h
call 00007F21E08BD454h
mov dword ptr [eax], 00000016h
call 00007F21E08CAD2Ch
mov eax, 7FFFFFFFh
pop ebp
ret
mov ecx, dword ptr [ebp+0Ch]
test ecx, ecx
je 00007F21E08B7704h
push ebx
push esi
push edi
push 00000041h
pop edi
push 0000005Ah
sub edx, ecx
pop ebx
movzx eax, word ptr [edx+ecx]
cmp ax, di
jc 00007F21E08B772Fh
cmp ax, bx
jnbe 00007F21E08B772Ah
add eax, 20h
movzx esi, ax
jmp 00007F21E08B7724h
mov esi, eax
movzx eax, word ptr [ecx]
cmp ax, di
jc 00007F21E08B772Dh
cmp ax, bx
jnbe 00007F21E08B7728h
add eax, 20h
movzx eax, ax
add ecx, 02h
test si, si
je 00007F21E08B7727h
cmp si, ax
je 00007F21E08B76EAh
movzx ecx, ax
pop edi
movzx eax, si
pop esi
sub eax, ecx
pop ebx
pop ebp
ret
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F21E08B772Ah
add esp, 0Ch
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 10h
lea ecx, dword ptr [ebp-10h]
push ebx
push esi
push dword ptr [ebp+10h]
call 00007F21E08B4C37h
mov ebx, dword ptr [ebp+08h]
test ebx, ebx
je 00007F21E08B7729h
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007F21E08B773Ch
call 00007F21E08BD3B3h
mov dword ptr [eax], 00000016h
Programming Language:
  • [ASM] VS2013 build 21005
  • [C++] VS2008 SP1 build 30729
  • [C++] VS2013 build 21005
  • [ C ] VS2013 build 21005
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [ C ] VS2013 UPD5 build 40629
  • [C++] VS2013 UPD5 build 40629
  • [RES] VS2013 build 21005
  • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27a554 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x297000 | 0x163b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2bf400 | 0x29d0 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2ae000 | 0x1b620 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2069f0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25bab0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x206000 | 0x790 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x204be7 | 0x204c00 | 2d34679132df88c07af876069e2c5292 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x206000 | 0x76f24 | 0x77000 | 573a56caa2b75820bfcffda20407a9d8 | False | 0.39223755908613445 | data | 5.447473281898606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x27d000 | 0x1906c | 0x11800 | ada1b51003b7861862bee3585c29b484 | False | 0.3357003348214286 | data | 5.416203983855918 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x297000 | 0x163b8 | 0x16400 | c6b9ef69277b336e1e8362350e5445f8 | False | 0.7815901509831461 | data | 7.440773962822966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2ae000 | 0x1b620 | 0x1b800 | bc35b1cfbda7f197d383e0a74e42e7fe | False | 0.5458629261363637 | GLS_BINARY_LSB_FIRST | 6.580516099056448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
ZIPRES | 0x299f40 | 0xcfdf | Zip archive data, at least v2.0 to extract, compression method=deflate | Chinese | China | 0.9114723292304802
RT_ICON | 0x297200 | 0x2d28 | Device independent bitmap graphic, 48 x 96 x 32, image size 11520 | Chinese | China | 0.2514705882352941
RT_RCDATA | 0x2a6f20 | 0x5f86 | Zip archive data, at least v2.0 to extract, compression method=store | Chinese | China | 0.7634742782366893
RT_RCDATA | 0x2acea8 | 0xd | ASCII text, with CRLF line terminators | Chinese | China | 1.6153846153846154
RT_GROUP_ICON | 0x299f28 | 0x14 | data | Chinese | China | 1.1
RT_VERSION | 0x2aceb8 | 0x26c | data | Chinese | China | 0.5096774193548387
RT_MANIFEST | 0x2ad128 | 0x28b | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5529953917050692
DLL | Import
KERNEL32.dll | LocalFree, PostQueuedCompletionStatus, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, FormatMessageW, TlsAlloc, TlsFree, CreateEventA, VerSetConditionMask, InterlockedCompareExchange, TerminateThread, GetOverlappedResult, CreateIoCompletionPort, GetQueuedCompletionStatus, QueueUserAPC, ReleaseSemaphore, WaitForMultipleObjects, DeviceIoControl, SetEndOfFile, SetFilePointerEx, GetSystemTimeAsFileTime, GetSystemInfo, lstrcmpiA, TlsGetValue, TlsSetValue, SleepEx, WaitForSingleObjectEx, ReadFileScatter, WriteFileGather, CreateEventW, CreateWaitableTimerW, SetWaitableTimer, VerifyVersionInfoW, InitializeCriticalSection, OutputDebugStringA, GetModuleFileNameA, GetModuleHandleExA, OutputDebugStringW, GetSystemTime, GetStdHandle, FindClose, QueryPerformanceCounter, GetCurrentProcessId, FreeLibrary, GlobalMemoryStatus, FlushConsoleInputBuffer, GetFileAttributesExW, GetFileInformationByHandle, GetFullPathNameW, RemoveDirectoryW, MoveFileExW, AreFileApisANSI, PeekNamedPipe, FileTimeToLocalFileTime, SetEnvironmentVariableA, WriteConsoleW, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetDriveTypeW, InterlockedExchangeAdd, SetStdHandle, FlushFileBuffers, UnregisterWaitEx, InitializeSListHead, FreeLibraryAndExitThread, GetThreadTimes, VirtualProtect, VirtualFree, VirtualAlloc, GetVersionExW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetConsoleCP, ReadConsoleW, GetOEMCP, IsValidCodePage, HeapSize, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, CreateTimerQueue, CreateSemaphoreW, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCPInfo, SetConsoleMode, ReadConsoleInputA, GetConsoleMode, GetModuleHandleExW, GetTimeZoneInformation, LoadLibraryExW, ExitThread, SetConsoleCtrlHandler, IsProcessorFeaturePresent, IsDebuggerPresent, GetCommandLineW, HeapReAlloc, RtlUnwind, RaiseException, DecodePointer, EncodePointer, GetStringTypeW, GetCurrentThread, InterlockedExchange, FormatMessageA, GetCurrentThreadId, GlobalUnlock, GetModuleHandleA, GlobalLock, GlobalAlloc, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, GetLocalTime, DosDateTimeToFileTime, SystemTimeToFileTime, DuplicateHandle, SetFileTime, SetFilePointer, GetFileType, GetCurrentProcess, MulDiv, GetFileSize, WriteFile, ExitProcess, FreeResource, GetCurrentDirectoryW, LoadLibraryW, GetTickCount, GetACP, CreateMutexW, DeleteFileW, GetFileAttributesW, CreateFileW, CreateDirectoryW, FindResourceW, ReadFile, SizeofResource, LoadResource, Sleep, SetLastError, CreateThread, GetProcessHeap, GetProcAddress, HeapFree, HeapAlloc, LockResource, WideCharToMultiByte, MultiByteToWideChar, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetUserDefaultUILanguage, GetDiskFreeSpaceExW, GetPrivateProfileSectionW, GetPrivateProfileStringW, CreateProcessW, GetModuleHandleW, GetModuleFileNameW, LoadLibraryA, lstrcpyW, lstrcmpW, CloseHandle, WaitForSingleObject, ResumeThread, GetLastError, TerminateProcess, OpenProcess, FindFirstFileExW
USER32.dll | FindWindowW, GetMessageW, TranslateMessage, DispatchMessageW, SendMessageW, PostMessageW, DefWindowProcW, CallWindowProcW, RegisterClassW, RegisterClassExW, GetClassInfoExW, CreateWindowExW, IsWindow, SetWindowPos, IsIconic, SetFocus, EnableWindow, GetSystemMetrics, GetMenu, SetPropW, GetPropW, GetClientRect, GetWindowRect, AdjustWindowRectEx, GetWindowLongW, SetWindowLongW, GetParent, GetWindow, LoadCursorW, LoadImageW, MonitorFromWindow, GetMonitorInfoW, wvsprintfW, SetCursor, UnionRect, SetForegroundWindow, DestroyWindow, CharNextW, GetActiveWindow, GetFocus, BeginPaint, EndPaint, GetUpdateRect, InvalidateRect, ShowWindow, MessageBoxW, KillTimer, MessageBoxA, GetUserObjectInformationW, GetProcessWindowStation, GetGUIThreadInfo, InvalidateRgn, CreateAcceleratorTableW, MoveWindow, GetCursorPos, ScreenToClient, MapWindowPoints, IntersectRect, IsRectEmpty, PtInRect, IsZoomed, SetWindowRgn, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, GetCaretBlinkTime, GetCaretPos, ReleaseDC, CharPrevW, DrawTextW, FillRect, SetRect, CreateCaret, HideCaret, ShowCaret, SetCaretPos, ClientToScreen, GetSysColor, ReleaseCapture, SetCapture, SetTimer, CharLowerA, IsWindowVisible, PostQuitMessage, wsprintfW, OffsetRect, GetDC, GetKeyState
GDI32.dll | GetDeviceCaps, GdiFlush, ExtTextOutW, TextOutW, MoveToEx, SetStretchBltMode, StretchBlt, SetBkColor, ExtSelectClipRgn, SelectClipRgn, GetObjectA, LineTo, GetTextExtentPoint32W, GetClipBox, GetCharABCWidthsW, CreateRectRgnIndirect, CreatePenIndirect, CombineRgn, SetTextColor, SetBkMode, CreateSolidBrush, CreatePatternBrush, CreateRoundRectRgn, SetWindowOrgEx, GetObjectW, GetTextMetricsW, SelectObject, SaveDC, RestoreDC, Rectangle, GetStockObject, DeleteObject, DeleteDC, CreatePen, CreateFontIndirectW, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, RoundRect, CreateDIBSection
SHELL32.dll | ShellExecuteExW, SHGetSpecialFolderLocation, SHCreateDirectoryExW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteW
ole32.dll | CoInitialize, CoCreateInstance, CoCreateGuid, CoTaskMemFree, CoUninitialize, CLSIDFromString, CLSIDFromProgID, OleLockRunning, CreateStreamOnHGlobal
OLEAUT32.dll | SysFreeString, VariantInit, VariantClear, SysAllocString
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, CryptAcquireContextW, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, DeregisterEventSource, RegisterEventSourceA, ReportEventA
gdiplus.dll | GdipAlloc, GdipGetPropertyItem, GdipGetPropertyItemSize, GdipImageSelectActiveFrame, GdipImageGetFrameCount, GdipImageGetFrameDimensionsList, GdipImageGetFrameDimensionsCount, GdipGetImageHeight, GdipGetImageWidth, GdipLoadImageFromStreamICM, GdipLoadImageFromStream, GdipSetStringFormatLineAlign, GdipSetStringFormatAlign, GdipDeleteStringFormat, GdipCreateStringFormat, GdipDrawString, GdipGetFamily, GdipDeleteFont, GdipCreateFontFromLogfontA, GdipCreateFontFromDC, GdipDeleteFontFamily, GdipDrawImageRectI, GdipDrawImage, GdipGraphicsClear, GdipSetInterpolationMode, GdipSetTextRenderingHint, GdipSetPixelOffsetMode, GdipSetSmoothingMode, GdipSetCompositingQuality, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateBitmapFromScan0, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdipCreateLineBrushI, GdipDeleteBrush, GdipCloneBrush, GdiplusShutdown, GdiplusStartup, GdipFree
VERSION.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
COMCTL32.dll | ImageList_Create, _TrackMouseEvent
IMM32.dll | ImmGetContext, ImmSetCompositionFontW, ImmSetCompositionWindow, ImmReleaseContext
WINHTTP.dll | WinHttpOpen, WinHttpConnect, WinHttpSetOption, WinHttpOpenRequest, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryHeaders, WinHttpReadData, WinHttpAddRequestHeaders, WinHttpSetTimeouts, WinHttpQueryDataAvailable, WinHttpCloseHandle
WS2_32.dll | ntohl, ntohs, htons, htonl, getsockopt, getsockname, ioctlsocket, connect, closesocket, bind, accept, __WSAFDIsSet, WSACleanup, setsockopt, WSASetLastError, WSAGetLastError, WSAIoctl, listen, shutdown, recv, gethostbyname, inet_addr, socket, freeaddrinfo, WSARecv, getaddrinfo, WSASocketW, select, WSASend, WSAStartup, send
WININET.dll | HttpAddRequestHeadersA, HttpSendRequestA, InternetReadFile, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, HttpQueryInfoA, HttpQueryInfoW, InternetCloseHandle, InternetQueryOptionW, InternetSetOptionW, InternetOpenW, InternetConnectA, HttpOpenRequestA, InternetGetConnectedState
SHLWAPI.dll | PathFileExistsW, PathFindFileNameW, PathFindFileNameA, StrToIntW
Language of compilation system | Country where language is spoken
Chinese | China
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 18:01:16.206842899 CEST | 53 | 62488 | 162.159.36.2 | 192.168.2.5
Jul 3, 2024 18:01:16.733079910 CEST | 53 | 59962 | 1.1.1.1 | 192.168.2.5


Target ID:0
Start time:12:00:26
Start date:03/07/2024
Path:C:\Users\user\Desktop\mirrorto_setup.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\mirrorto_setup.exe"
Imagebase:0x3c0000
File size:2'891'216 bytes
MD5 hash:D75D8ACC3266E89D6C66FE0E0DF367F4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

    Execution Graph

    Execution Coverage:6.2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:31.2%
    Total number of Nodes:1614
    Total number of Limit Nodes:41
63482 58e805 63480->63482 63481->63471 63481->63472 63483 579a30 _free 133 API calls 63482->63483 63483->63475 63488 5a5cf1 63484->63488 63485 5a5cf5 63487 5a5cfa 63485->63487 63542 5810c5 133 API calls __getptd_noexit 63485->63542 63487->63438 63488->63485 63488->63487 63489 5a5d34 63488->63489 63489->63487 63544 5810c5 133 API calls __getptd_noexit 63489->63544 63492 5a5d25 63543 58e9a8 9 API calls __beginthreadex 63492->63543 63494 58c111 __beginthreadex 133 API calls 63493->63494 63495 58dc2b 63494->63495 63496 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63495->63496 63507 58dc5b 63495->63507 63498 58dc85 63496->63498 63497 577dc4 __fltin2 6 API calls 63499 58dc6a 63497->63499 63500 58dd9f 63498->63500 63502 58dc9c 63498->63502 63509 58dcc5 _GetLocaleNameFromDefault _wcscmp 63498->63509 63499->63435 63501 58e9b8 __invoke_watson 8 API calls 63500->63501 63503 58deee 63501->63503 63643 578d41 133 API calls __beginthreadex 63502->63643 63505 58dcb0 63505->63500 63505->63507 63507->63497 63510 58de68 _memmove 63509->63510 63545 58daa0 63509->63545 63510->63500 63650 578d41 133 API calls __beginthreadex 63510->63650 63511 58dda4 63645 58b148 IsValidLocale ___get_qualified_locale 63511->63645 63512 58dd40 63555 5a6b54 63512->63555 63513 58dd47 63595 5a6300 63513->63595 63518 58dd45 63518->63511 63520 58dd53 63518->63520 63519 58ddb0 63522 58deb2 _GetLocaleNameFromDefault 63519->63522 63646 58b0b9 63519->63646 63644 58da32 155 API calls 3 library calls 63520->63644 63522->63500 63526 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63522->63526 63524 58ddcd 63525 58ddde GetACP 63524->63525 63528 58ddea 63524->63528 63525->63528 63526->63500 63527 58dd94 63527->63500 63527->63510 63531 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63527->63531 63529 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63528->63529 63532 58de08 63529->63532 63530 58dd6b _GetLocaleNameFromDefault 63530->63527 63533 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63530->63533 63531->63510 
63532->63500 63534 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63532->63534 63533->63527 63535 58de1e 63534->63535 63535->63500 63536 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63535->63536 63536->63527 63537->63426 63538->63464 63539->63466 63540->63470 63541->63481 63542->63492 63543->63487 63544->63492 63546 58dab8 _memset 63545->63546 63547 58dadd 63546->63547 63549 58dac6 63546->63549 63552 58db02 _wcscspn 63546->63552 63548 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63547->63548 63554 58daee 63548->63554 63549->63511 63549->63512 63549->63513 63550 58e9b8 __invoke_watson 8 API calls 63551 58dbcb 63550->63551 63552->63549 63553 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63552->63553 63552->63554 63553->63552 63554->63549 63554->63550 63556 58c111 __beginthreadex 133 API calls 63555->63556 63557 5a6b7b _memset 63556->63557 63558 58c111 __beginthreadex 133 API calls 63557->63558 63562 5a6b97 63558->63562 63559 5a6ba4 GetUserDefaultLCID 63574 5a6c42 63559->63574 63561 5a6bda 63563 5a6c4f 63561->63563 63565 5a6bed 63561->63565 63562->63559 63562->63561 63651 5a6aea 134 API calls ___get_qualified_locale 63562->63651 63563->63559 63568 5a6c5a 63563->63568 63567 5a6c03 63565->63567 63572 5a6bf8 63565->63572 63653 5a6631 134 API calls 3 library calls 63567->63653 63657 5a6574 134 API calls 2 library calls 63568->63657 63571 577dc4 __fltin2 6 API calls 63576 5a6d6c 63571->63576 63652 5a65b4 134 API calls 3 library calls 63572->63652 63573 5a6c01 63573->63574 63654 5a6aea 134 API calls ___get_qualified_locale 63573->63654 63589 5a6d55 63574->63589 63658 5a69d3 137 API calls 2 library calls 63574->63658 63575 5a6c99 63579 5a6cbd IsValidCodePage 63575->63579 63575->63589 63576->63518 63581 5a6ccf IsValidLocale 63579->63581 63579->63589 63580 5a6c25 63580->63574 63583 5a6c44 63580->63583 63584 5a6c39 63580->63584 63582 5a6cde 63581->63582 63581->63589 63659 58af79 133 API calls 4 library calls 63582->63659 63656 5a6631 134 API calls 3 library calls 
63583->63656 63655 5a65b4 134 API calls 3 library calls 63584->63655 63587 5a6cf8 63587->63589 63660 58af79 133 API calls 4 library calls 63587->63660 63589->63571 63591 5a6d13 GetLocaleInfoW 63591->63589 63592 5a6d2d GetLocaleInfoW 63591->63592 63592->63589 63593 5a6d44 63592->63593 63661 5af824 133 API calls _xtow_s@20 63593->63661 63596 58c111 __beginthreadex 133 API calls 63595->63596 63597 5a630c 63596->63597 63598 5a6345 63597->63598 63674 5a6aea 134 API calls ___get_qualified_locale 63597->63674 63600 5a6398 63598->63600 63601 5a6352 63598->63601 63680 5a5de3 134 API calls 3 library calls 63600->63680 63602 5a6359 63601->63602 63603 5a6360 63601->63603 63675 5a5e5c EnumSystemLocalesW _GetLocaleNameFromDefault _GetLocaleNameFromLanguage 63602->63675 63676 5a5ed0 EnumSystemLocalesW _GetLocaleNameFromDefault _GetLocaleNameFromLanguage 63603->63676 63606 5a638f 63642 5a64a6 63606->63642 63662 5a621f 63606->63662 63608 5a635e 63608->63606 63677 5a6aea 134 API calls ___get_qualified_locale 63608->63677 63612 5a6379 63612->63606 63613 5a638a 63612->63613 63614 5a6391 63612->63614 63678 5a5e5c EnumSystemLocalesW _GetLocaleNameFromDefault _GetLocaleNameFromLanguage 63613->63678 63679 5a5ed0 EnumSystemLocalesW _GetLocaleNameFromDefault _GetLocaleNameFromLanguage 63614->63679 63617 5a63da IsValidCodePage 63618 5a63ec _GetLocaleNameFromDefault 63617->63618 63617->63642 63619 5a5ce3 _GetLocaleNameFromDefault 133 API calls 63618->63619 63618->63642 63620 5a6420 63619->63620 63621 5a642b 63620->63621 63622 5a64b7 63620->63622 63623 58b0b9 ___get_qualified_locale 2 API calls 63621->63623 63624 58e9b8 __invoke_watson 8 API calls 63622->63624 63625 5a6439 63623->63625 63626 5a64c3 63624->63626 63629 58b0b9 ___get_qualified_locale 2 API calls 63625->63629 63625->63642 63627 58c111 __beginthreadex 133 API calls 63626->63627 63628 5a64e2 63627->63628 63630 58c111 __beginthreadex 133 API calls 63628->63630 63632 5a645a _wcschr 63629->63632 63631 5a64e9 _LcidFromHexString 
63630->63631 63633 5a64f5 GetLocaleInfoW 63631->63633 63635 58b0b9 ___get_qualified_locale 2 API calls 63632->63635 63638 5a648e 63632->63638 63632->63642 63634 5a652b 63633->63634 63639 5a6526 ___get_qualified_locale 63633->63639 63682 57b37e 63634->63682 63635->63638 63637 577dc4 __fltin2 6 API calls 63640 5a656e 63637->63640 63638->63642 63681 5af824 133 API calls _xtow_s@20 63638->63681 63639->63637 63640->63518 63642->63518 63643->63505 63644->63530 63645->63519 63647 58b0d9 ___get_qualified_locale 63646->63647 63648 58b0d5 GetLocaleInfoEx 63646->63648 63649 58b0de GetLocaleInfoW 63647->63649 63648->63524 63649->63524 63650->63522 63651->63561 63652->63573 63653->63573 63654->63580 63655->63574 63656->63574 63657->63574 63658->63575 63659->63587 63660->63591 63661->63589 63663 5a622a _wcscmp 63662->63663 63664 5a6281 63662->63664 63663->63664 63669 5a6241 _wcscmp 63663->63669 63665 58b0b9 ___get_qualified_locale 2 API calls 63664->63665 63666 5a629a 63665->63666 63667 5a626b 63666->63667 63668 5a62ac GetACP 63666->63668 63667->63617 63667->63642 63670 5a6278 63669->63670 63671 5a6252 63669->63671 63692 57a3f0 134 API calls ___get_qualified_locale_downlevel 63670->63692 63673 58b0b9 ___get_qualified_locale 2 API calls 63671->63673 63673->63667 63674->63598 63675->63608 63676->63608 63677->63612 63678->63606 63679->63606 63680->63606 63681->63642 63683 57b3ff 63682->63683 63684 57b38a 63682->63684 63695 57b411 134 API calls 3 library calls 63683->63695 63691 57b3af 63684->63691 63693 5810c5 133 API calls __getptd_noexit 63684->63693 63687 57b40c 63687->63639 63688 57b396 63694 58e9a8 9 API calls __beginthreadex 63688->63694 63690 57b3a1 63690->63639 63691->63639 63692->63667 63693->63688 63694->63690 63695->63687 63697 578db1 63696->63697 63698 578dc6 63697->63698 63699 578dde 63697->63699 63708 578dd6 _strlen 63697->63708 63718 5810c5 133 API calls __getptd_noexit 63698->63718 63720 578936 133 API calls 2 library calls 63699->63720 63702 578dcb 63719 58e9a8 9 
API calls __beginthreadex 63702->63719 63703 578de9 63705 578df4 63703->63705 63706 578eaf 63703->63706 63707 578e24 MultiByteToWideChar 63705->63707 63705->63708 63706->63708 63709 578ec2 MultiByteToWideChar 63706->63709 63707->63708 63710 578e40 GetLastError 63707->63710 63708->63369 63709->63708 63711 578ed8 63709->63711 63712 578e9d 63710->63712 63716 578e4b 63710->63716 63723 5810c5 133 API calls __getptd_noexit 63711->63723 63722 5810c5 133 API calls __getptd_noexit 63712->63722 63715 578e83 MultiByteToWideChar 63715->63708 63715->63712 63716->63712 63716->63715 63721 57e2a4 133 API calls _LocaleUpdate::_LocaleUpdate 63716->63721 63718->63702 63719->63708 63720->63703 63721->63716 63722->63708 63723->63708 63725 407ef8 133 API calls 63724->63725 63726 4080d7 Mailbox 63725->63726 63727 408275 133 API calls 63726->63727 63728 3ffd1a 63727->63728 63728->63254 63730 3eea1c 63729->63730 63761 57949e 63730->63761 63733 3eea3d 63733->63282 63735 3eea36 63735->63282 63737 3e3820 133 API calls 63736->63737 63738 3eb7c0 63737->63738 63739 3ee9a0 3 API calls 63738->63739 63740 3eb7d3 63739->63740 63741 3eb7e8 63740->63741 63742 3eb803 63740->63742 63743 3e3820 133 API calls 63741->63743 63744 3e3820 133 API calls 63742->63744 63745 3eb7fa 63743->63745 63744->63745 63835 3ec560 63745->63835 63747 3eb82b 63748 577dc4 __fltin2 6 API calls 63747->63748 63749 3eb8a7 63748->63749 63749->63274 63751 410822 Mailbox 63750->63751 63752 410885 63751->63752 63753 409ce7 133 API calls 63751->63753 63752->63280 63754 410837 63753->63754 63755 40806a 133 API calls 63754->63755 63756 410841 63755->63756 63757 40f0e1 222 API calls 63756->63757 63758 41084a 63757->63758 63851 40f594 9 API calls __fltin2 63758->63851 63760->63243 63765 5794f8 63761->63765 63763 3eea29 63763->63733 63764 579633 138 API calls 4 library calls 63763->63764 63764->63735 63768 579504 __close 63765->63768 63766 579517 63814 5810c5 133 API calls __getptd_noexit 63766->63814 63768->63766 63770 579548 63768->63770 
63769 57951c 63815 58e9a8 9 API calls __beginthreadex 63769->63815 63784 58f7af 63770->63784 63773 57954d 63774 579556 63773->63774 63775 579563 63773->63775 63816 5810c5 133 API calls __getptd_noexit 63774->63816 63777 57958d 63775->63777 63778 57956d 63775->63778 63799 58f8ce 63777->63799 63817 5810c5 133 API calls __getptd_noexit 63778->63817 63781 579527 __close @_EH4_CallFilterFunc@8 63781->63763 63785 58f7bb __close 63784->63785 63786 5835ed __lock 133 API calls 63785->63786 63797 58f7c9 63786->63797 63787 58f83d 63819 58f8c5 63787->63819 63788 58f844 63824 583d61 133 API calls 2 library calls 63788->63824 63791 58f84b 63791->63787 63825 584e19 InitializeCriticalSectionAndSpinCount 63791->63825 63792 58f8ba __close 63792->63773 63794 583675 __mtinitlocknum 133 API calls 63794->63797 63796 58f871 EnterCriticalSection 63796->63787 63797->63787 63797->63788 63797->63794 63822 5811f8 134 API calls __lock 63797->63822 63823 581262 LeaveCriticalSection LeaveCriticalSection _doexit 63797->63823 63800 58f8ee __wopenfile 63799->63800 63801 58f908 63800->63801 63813 58fac3 63800->63813 63832 5a6f90 134 API calls 2 library calls 63800->63832 63830 5810c5 133 API calls __getptd_noexit 63801->63830 63803 58f90d 63831 58e9a8 9 API calls __beginthreadex 63803->63831 63805 58fb26 63827 5a0d38 63805->63827 63807 579598 63818 5795ba LeaveCriticalSection LeaveCriticalSection _fgetc 63807->63818 63809 58fabc 63809->63813 63833 5a6f90 134 API calls 2 library calls 63809->63833 63811 58fadb 63811->63813 63834 5a6f90 134 API calls 2 library calls 63811->63834 63813->63801 63813->63805 63814->63769 63815->63781 63816->63781 63817->63781 63818->63781 63826 583757 LeaveCriticalSection 63819->63826 63821 58f8cc 63821->63792 63822->63797 63823->63797 63824->63791 63825->63796 63826->63821 63828 5a051c __wsopen_helper 164 API calls 63827->63828 63829 5a0d51 63828->63829 63829->63807 63830->63803 63831->63807 63832->63809 63833->63811 63834->63813 63848 3ed170 133 API calls 63835->63848 
63837 3ec57c 63838 3ec59e 63837->63838 63839 3ed1c0 133 API calls 63837->63839 63840 3ec612 63838->63840 63849 3ed170 133 API calls 63838->63849 63839->63838 63840->63747 63842 3ec5bd 63843 3ec5df 63842->63843 63846 3ed1c0 133 API calls 63842->63846 63847 3ec5e3 63843->63847 63850 562735 133 API calls 2 library calls 63843->63850 63846->63843 63847->63747 63848->63837 63849->63842 63851->63752 63852->63307 63853->63305 63854->63308 63855->63302 63856->63301 63857->63285 63858->63328 62955 581611 62956 58161d __close 62955->62956 62957 5835ed __lock 126 API calls 62956->62957 62958 581624 62957->62958 62959 5816fd 62958->62959 62960 581652 DecodePointer 62958->62960 62968 5816ec 62958->62968 62985 58172b LeaveCriticalSection _doexit 62959->62985 62963 581669 DecodePointer 62960->62963 62964 5816dd 62960->62964 62962 5815a7 __initterm 126 API calls 62962->62959 62970 581679 62963->62970 62980 5815a7 62964->62980 62965 58170b 62967 581711 62965->62967 62969 58173a __close 62965->62969 62986 583757 LeaveCriticalSection 62967->62986 62968->62962 62970->62964 62972 581686 EncodePointer 62970->62972 62975 581696 DecodePointer EncodePointer 62970->62975 62972->62970 62973 581722 62987 581487 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 62973->62987 62978 5816a8 DecodePointer DecodePointer 62975->62978 62978->62970 62981 5815d8 62980->62981 62982 5815c8 62980->62982 62981->62968 62982->62981 62988 3dfe60 62982->62988 62993 3e0380 62982->62993 62985->62965 62986->62973 63000 449660 62988->63000 62990 3dfe6e _memmove 62991 577764 133 API calls 62990->62991 62992 3dfe8b 62991->62992 62992->62982 62994 577764 130 API calls 62993->62994 62995 3e039d InterlockedIncrement 62994->62995 62996 3e03cb 62995->62996 62997 3e03b0 WSAStartup InterlockedExchange 62995->62997 62998 577dc4 __fltin2 6 API calls 62996->62998 62997->62996 62999 3e03df 62998->62999 62999->62982 63001 449696 63000->63001 63003 4496f2 63000->63003 63002 5775e3 
Concurrency::details::_Condition_variable::wait_for 133 API calls 63001->63002 63004 4496ac 63002->63004 63003->62990 63006 4496c1 63004->63006 63010 447d80 63004->63010 63023 446510 133 API calls Concurrency::details::_Condition_variable::wait_for 63006->63023 63008 4496e8 63009 577764 133 API calls 63008->63009 63009->63003 63024 4c2f80 133 API calls Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting 63010->63024 63012 447dcd 63025 4c2f70 133 API calls 63012->63025 63014 447dd2 63026 4ed700 133 API calls 63014->63026 63016 447dd7 63027 449c10 133 API calls 63016->63027 63018 447e95 63018->63006 63019 5775e3 Concurrency::details::_Condition_variable::wait_for 133 API calls 63022 447de4 63019->63022 63022->63018 63022->63019 63028 4481a0 133 API calls 63022->63028 63029 4465e0 133 API calls Concurrency::details::_Condition_variable::wait_for 63022->63029 63023->63008 63024->63012 63025->63014 63026->63016 63027->63022 63028->63022 63029->63022 62657 426ee7 62658 42704a 62657->62658 62662 426f12 Mailbox 62657->62662 62668 43fac4 62658->62668 62660 426ff7 62661 577dc4 __fltin2 6 API calls 62660->62661 62663 427070 62661->62663 62662->62660 62664 426ffc Mailbox 62662->62664 62665 426faf Mailbox 62662->62665 62825 418ed8 62664->62825 62677 4149de 62665->62677 62674 43fae6 Mailbox 62668->62674 62669 43fc3b 62670 577dc4 __fltin2 6 API calls 62669->62670 62671 43fc65 62670->62671 62671->62660 62672 43fc40 Mailbox 62676 418ed8 145 API calls 62672->62676 62673 43fc1d Mailbox 62675 4149de 307 API calls 62673->62675 62674->62669 62674->62672 62674->62673 62675->62669 62676->62669 62678 4149ed __EH_prolog3_GS 62677->62678 62679 4173ac 62678->62679 62680 414a45 IsRectEmpty 62678->62680 62681 57b500 collate 6 API calls 62679->62681 62680->62679 62683 414a54 62680->62683 62682 4173b1 62681->62682 62682->62660 62684 407e68 133 API calls 62683->62684 62685 414a76 62684->62685 62686 407e68 133 API calls 62685->62686 62687 414a8a 62686->62687 62688 407e68 133 API 
calls 62687->62688 62689 414a9a 62688->62689 62690 407e68 133 API calls 62689->62690 62691 414aaa GetClipBox CreateRectRgnIndirect CreateRectRgnIndirect 62690->62691 62692 414ae5 ExtSelectClipRgn 62691->62692 62693 414aef 62691->62693 62692->62693 62694 407f1d 133 API calls 62693->62694 62695 414b02 62694->62695 62696 40cd8b 134 API calls 62695->62696 62697 414b12 Mailbox 62696->62697 62838 40a04e 62697->62838 62700 40a04e 15 API calls 62701 414b4f SelectObject SetBkMode SetTextColor 62700->62701 62846 409ec4 62701->62846 62703 414b94 SetBkColor 62704 414bca 62703->62704 62705 4149de 236 API calls 62704->62705 62707 414c3b 62704->62707 62705->62707 62706 414d09 PtInRect 62706->62707 62707->62706 62708 40804b 133 API calls 62707->62708 62709 414d4a Mailbox 62707->62709 62708->62707 62710 407e68 133 API calls 62709->62710 62711 414ddc 62710->62711 62712 407e68 133 API calls 62711->62712 62713 414dee 62712->62713 62714 407e68 133 API calls 62713->62714 62715 414dfe 62714->62715 62716 407e68 133 API calls 62715->62716 62821 414e0e Mailbox _memmove _wcsstr 62716->62821 62717 41728b 62718 4172f0 DeleteObject DeleteObject SelectObject 62717->62718 62719 4172e3 SelectClipRgn 62717->62719 62856 407fd2 133 API calls _free 62718->62856 62719->62718 62721 417322 62857 407fd2 133 API calls _free 62721->62857 62723 416cda SetRect 62725 40804b 133 API calls 62723->62725 62724 417331 62858 407fd2 133 API calls _free 62724->62858 62725->62821 62727 417340 62859 407fd2 133 API calls _free 62727->62859 62728 416ae8 GetTextExtentPoint32W 62728->62821 62730 41734f 62731 407fe0 Mailbox 133 API calls 62730->62731 62734 41735e 62731->62734 62732 416947 CharNextW 62736 41698e GetTextExtentPoint32W 62732->62736 62732->62821 62733 41678d GetTextExtentPoint32W 62733->62821 62738 407fe0 Mailbox 133 API calls 62734->62738 62735 416564 GetTextExtentPoint32W 62735->62821 62736->62821 62737 4166a1 GetTextExtentPoint32W 62737->62821 62742 41736d 62738->62742 62739 4160be SetBkMode 62740 416318 
SetRect 62740->62821 62741 416ba5 TextOutW 62741->62821 62860 407fd2 133 API calls _free 62742->62860 62743 415e1e CharNextW 62743->62821 62744 408228 133 API calls Mailbox 62744->62821 62745 416519 CharNextW 62745->62821 62747 415b80 CharNextW 62747->62821 62749 416106 CharNextW 62749->62821 62750 416451 SetBkMode 62750->62821 62751 416501 CharNextW 62751->62821 62752 41737c 62861 407fd2 133 API calls _free 62752->62861 62753 416a0a CharNextW 62753->62728 62753->62821 62754 415a3a CharNextW 62754->62821 62755 415f2e CharNextW 62755->62821 62756 407f1d 133 API calls 62756->62821 62758 415eeb CharNextW 62758->62821 62759 416a82 CharPrevW 62765 416a94 CharPrevW 62759->62765 62759->62821 62760 41738d 62862 407fd2 133 API calls _free 62760->62862 62761 415703 CharNextW 62761->62821 62762 415eb1 CharNextW 62762->62821 62763 416629 TextOutW 62763->62821 62765->62821 62766 416b6b TextOutW 62766->62821 62767 416c21 TextOutW 62767->62821 62768 416842 TextOutW 62768->62821 62770 416392 SetTextColor 62770->62821 62771 415c70 SetTextColor 62777 40a04e 15 API calls 62771->62777 62773 416766 TextOutW 62773->62821 62774 41739d 62863 407fd2 133 API calls _free 62774->62863 62775 4162d2 SetTextColor 62775->62821 62776 415be4 CharNextW 62776->62821 62777->62821 62778 415a83 SetTextColor 62778->62821 62779 408394 134 API calls 62779->62821 62780 40a04e 15 API calls 62780->62821 62781 416214 SelectObject 62781->62821 62782 414fc7 CharNextW 62782->62821 62784 415f6f CharNextW 62784->62821 62785 4161f1 GetCharABCWidthsW 62785->62781 62787 415753 SelectObject 62787->62821 62788 415008 CharNextW 62788->62821 62789 415805 CharNextW 62789->62821 62791 4157bd CharNextW 62791->62821 62792 41519d CharNextW 62792->62821 62793 408a71 133 API calls 62793->62821 62794 40a10c 9 API calls 62794->62821 62795 57bf6f 134 API calls ___get_qualified_locale_downlevel 62795->62821 62796 415850 CharNextW 62796->62821 62797 4151ea CharNextW 62797->62821 62800 415d5a SelectObject 62800->62821 62801 41587d 
CharNextW 62801->62821 62803 415125 SelectObject 62803->62821 62804 40a269 176 API calls 62804->62821 62806 4094e3 142 API calls 62806->62821 62807 4159a1 SelectObject 62808 407fe0 Mailbox 133 API calls 62807->62808 62808->62821 62809 4083c3 133 API calls 62809->62821 62810 4152fe CharNextW 62810->62821 62811 41531e CharNextW 62811->62821 62812 41536e CharNextW 62812->62821 62813 4155e7 62813->62821 62848 4173b2 45 API calls __fltin2 62813->62848 62814 407fe0 133 API calls Mailbox 62814->62821 62815 408205 133 API calls 62815->62821 62817 415392 CharNextW 62817->62821 62818 4170b5 SetTextColor 62818->62821 62819 4153bc CharNextW 62819->62821 62820 41710b SelectObject 62820->62821 62823 417129 SetBkMode 62820->62823 62821->62717 62821->62723 62821->62728 62821->62732 62821->62733 62821->62735 62821->62737 62821->62739 62821->62740 62821->62741 62821->62743 62821->62744 62821->62745 62821->62747 62821->62749 62821->62750 62821->62751 62821->62753 62821->62754 62821->62755 62821->62756 62821->62758 62821->62759 62821->62761 62821->62762 62821->62763 62821->62766 62821->62767 62821->62768 62821->62770 62821->62773 62821->62775 62821->62776 62821->62779 62821->62780 62821->62781 62821->62782 62821->62784 62821->62785 62821->62788 62821->62789 62821->62791 62821->62792 62821->62793 62821->62794 62821->62795 62821->62796 62821->62797 62821->62801 62821->62804 62821->62806 62821->62809 62821->62810 62821->62811 62821->62812 62821->62813 62821->62814 62821->62815 62821->62817 62821->62818 62821->62819 62821->62820 62822 40a04e 15 API calls 62821->62822 62824 40804b 133 API calls 62821->62824 62847 408228 133 API calls __recalloc 62821->62847 62849 408228 133 API calls __recalloc 62821->62849 62850 578c68 133 API calls __isdigit_l 62821->62850 62851 4087d9 133 API calls 62821->62851 62852 408228 133 API calls __recalloc 62821->62852 62853 408228 133 API calls __recalloc 62821->62853 62854 408228 133 API calls __recalloc 62821->62854 62855 408228 133 API calls __recalloc 
62821->62855 62822->62820 62823->62821 62824->62821 62828 418ee7 __EH_prolog3_GS 62825->62828 62826 418fbf 62827 57b500 collate 6 API calls 62826->62827 62829 418fc4 62827->62829 62828->62826 62830 407f1d 133 API calls 62828->62830 62829->62660 62831 418f26 62830->62831 62832 40cd8b 134 API calls 62831->62832 62833 418f36 Mailbox 62832->62833 62834 418f42 SetBkMode SetTextColor 62833->62834 62865 409ed2 62834->62865 62837 407fe0 Mailbox 133 API calls 62837->62826 62843 40a072 _memset __itow Mailbox 62838->62843 62839 40a0b7 62840 40a0c2 SelectObject GetTextMetricsW SelectObject 62839->62840 62841 40a0f8 62839->62841 62840->62841 62842 577dc4 __fltin2 6 API calls 62841->62842 62844 40a106 62842->62844 62843->62839 62864 409e1d 6 API calls Mailbox 62843->62864 62844->62700 62846->62703 62847->62803 62848->62813 62849->62787 62850->62821 62851->62821 62852->62807 62853->62778 62854->62771 62855->62800 62856->62721 62857->62724 62858->62727 62859->62730 62860->62752 62861->62760 62862->62774 62863->62679 62864->62839 62869 409eeb _memset __itow Mailbox 62865->62869 62867 409f39 62868 577dc4 __fltin2 6 API calls 62867->62868 62870 409f46 SelectObject DrawTextW SelectObject 62868->62870 62869->62867 62871 409e1d 6 API calls Mailbox 62869->62871 62870->62837 62871->62867 63030 407afc GetSystemMetrics GetSystemMetrics 63035 40a2be 63030->63035 63032 407b34 LoadImageW SendMessageW GetSystemMetrics GetSystemMetrics 63036 40a2be 63032->63036 63034 407b73 LoadImageW SendMessageW 63035->63032 63036->63034 60289 400160 60290 400190 60289->60290 60291 4001d2 60289->60291 60297 5775e3 60290->60297 60294 4001b9 60306 3ef4e0 60294->60306 60300 5775eb 60297->60300 60299 4001a1 60299->60294 60305 3ef4a0 ImageList_Create CoInitialize CoCreateInstance 60299->60305 60300->60299 60302 577609 std::exception::exception 60300->60302 60309 579a68 60300->60309 60326 58b4df DecodePointer 60300->60326 60327 577dd3 RaiseException 60302->60327 60304 577633 60305->60294 60307 3ef4f6 
CoCreateInstance 60306->60307 60308 3ef50b 60306->60308 60307->60308 60308->60291 60310 579ae3 60309->60310 60317 579a74 60309->60317 60334 58b4df DecodePointer 60310->60334 60312 579ae9 60335 5810c5 133 API calls __getptd_noexit 60312->60335 60315 579aa7 RtlAllocateHeap 60315->60317 60325 579adb 60315->60325 60317->60315 60318 579acf 60317->60318 60322 579acd 60317->60322 60323 579a7f 60317->60323 60331 58b4df DecodePointer 60317->60331 60332 5810c5 133 API calls __getptd_noexit 60318->60332 60333 5810c5 133 API calls __getptd_noexit 60322->60333 60323->60317 60328 590d80 133 API calls 2 library calls 60323->60328 60329 590ddd 133 API calls 19 library calls 60323->60329 60330 581487 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 60323->60330 60325->60300 60326->60300 60327->60304 60328->60323 60329->60323 60331->60317 60332->60322 60333->60325 60334->60312 60335->60325 62872 58997f 62873 589994 62872->62873 62874 589b7d 62872->62874 62873->62874 62875 589aaa 62873->62875 62891 5899a3 62873->62891 62876 589d77 62874->62876 62878 589d5b 62874->62878 62884 589be5 62874->62884 62874->62891 62883 589abd 62875->62883 62875->62891 62892 5899ec _W_store_num _W_store_str 62876->62892 62895 59e574 62876->62895 62878->62876 62878->62891 62880 589d49 62907 58e9a8 9 API calls __beginthreadex 62880->62907 62882 589d7f __tzset_nolock 62908 578efe 137 API calls 3 library calls 62882->62908 62883->62892 62903 589f98 143 API calls 7 library calls 62883->62903 62889 589c7e 62884->62889 62884->62891 62904 589f98 143 API calls 7 library calls 62884->62904 62889->62892 62905 589f98 143 API calls 7 library calls 62889->62905 62890 589daf 62890->62892 62893 58e9b8 __invoke_watson 8 API calls 62890->62893 62891->62892 62906 5810c5 133 API calls __getptd_noexit 62891->62906 62894 589ea4 62893->62894 62896 59e580 __close 62895->62896 62897 59e5b5 __close 62896->62897 62898 5835ed __lock 133 API calls 62896->62898 62897->62882 62900 59e590 62898->62900 62899 59e5a3 62938 
59e5bb LeaveCriticalSection _doexit 62899->62938 62900->62899 62909 59e7f2 62900->62909 62903->62892 62904->62889 62905->62891 62906->62880 62907->62892 62908->62890 62910 59e7fe __close 62909->62910 62911 5835ed __lock 133 API calls 62910->62911 62912 59e81c __tzset_nolock 62911->62912 62939 59e54a 62912->62939 62914 59e831 62929 59e8d0 __tzset_nolock 62914->62929 62946 59e4f6 133 API calls __beginthreadex 62914->62946 62915 58e9b8 __invoke_watson 8 API calls 62915->62929 62917 59e843 62917->62929 62947 59e520 133 API calls __beginthreadex 62917->62947 62918 59e91c GetTimeZoneInformation 62918->62929 62919 579a30 _free 133 API calls 62919->62929 62921 59e855 62921->62929 62948 5831bb 133 API calls 2 library calls 62921->62948 62923 59e983 WideCharToMultiByte 62923->62929 62924 59e863 62949 581754 133 API calls 3 library calls 62924->62949 62926 59e9bb WideCharToMultiByte 62926->62929 62928 59e8b7 _strlen 62950 583d61 133 API calls 2 library calls 62928->62950 62929->62915 62929->62918 62929->62919 62929->62923 62929->62926 62930 59eb02 __tzset_nolock __close 62929->62930 62931 59cecb 133 API calls __tzset_nolock 62929->62931 62937 57a3d3 133 API calls __tzset_nolock 62929->62937 62952 59ea82 LeaveCriticalSection _doexit 62929->62952 62930->62899 62931->62929 62933 59e884 __tzset_nolock 62933->62928 62933->62929 62934 579a30 _free 133 API calls 62933->62934 62934->62928 62935 59e8c5 _strlen 62935->62929 62951 591b36 133 API calls __beginthreadex 62935->62951 62937->62929 62938->62897 62940 59e569 62939->62940 62941 59e554 62939->62941 62940->62914 62953 5810c5 133 API calls __getptd_noexit 62941->62953 62943 59e559 62954 58e9a8 9 API calls __beginthreadex 62943->62954 62945 59e564 62945->62914 62946->62917 62947->62921 62948->62924 62949->62933 62950->62935 62951->62929 62952->62929 62953->62943 62954->62945 62024 407d81 62025 407d95 SetWindowLongW 62024->62025 62026 407dbb GetWindowLongW 62024->62026 62027 407da7 62025->62027 62026->62027 62028 407dcf 62026->62028 
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0040A80B
    • IsIconic.USER32(?), ref: 0040A8E7
    • ScreenToClient.USER32(?,?), ref: 0040A955
    • GetCursorPos.USER32(?), ref: 0040AA2C
    • ScreenToClient.USER32(?,?), ref: 0040AA3F
    • GetTickCount.KERNEL32 ref: 0040AB2E
    • GetActiveWindow.USER32 ref: 0040AB9D
    • GetWindow.USER32(?,00000004), ref: 0040ABAA
    • GetWindowLongW.USER32(?,000000F0), ref: 0040ABBA
    • GetParent.USER32(?), ref: 0040ABCD
    • SetFocus.USER32(00000000), ref: 0040ABDA
    • DestroyWindow.USER32(?), ref: 0040ABEF
    • _memset.LIBCMT ref: 0040AC1B
    • BeginPaint.USER32(?,?), ref: 0040AC30
    • EndPaint.USER32(?,?), ref: 0040AC5D
    • GetClientRect.USER32(?,?), ref: 0040AC80
    • IsRectEmpty.USER32(?), ref: 0040ACB2
    • _memset.LIBCMT ref: 0040ACCE
    • BeginPaint.USER32(?,?), ref: 0040ACE3
    • _memset.LIBCMT ref: 0040AD25
    • GetUpdateRect.USER32(?,?,00000000), ref: 0040AD3B
    • IsRectEmpty.USER32(?), ref: 0040AD7F
    • DeleteDC.GDI32(?), ref: 0040ADB8
    • DeleteDC.GDI32(?), ref: 0040ADC9
    • DeleteObject.GDI32(?), ref: 0040ADDA
    • DeleteObject.GDI32(?), ref: 0040ADEB
    • _memset.LIBCMT ref: 0040AFA6
    • CreateCompatibleDC.GDI32(?), ref: 0040B008
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040B06E
    • _memset.LIBCMT ref: 0040B08A
    • BeginPaint.USER32(?,?), ref: 0040B09F
    • SelectObject.GDI32(?,?), ref: 0040B0BE
    • SaveDC.GDI32(?), ref: 0040B0D0
    • IsWindow.USER32(00000000), ref: 0040B187
    • IsWindowVisible.USER32(00000000), ref: 0040B1BA
    • IntersectRect.USER32(?,?,?), ref: 0040B1EE
    • CreateCompatibleDC.GDI32 ref: 0040B209
    • _memset.LIBCMT ref: 0040B269
    • SelectObject.GDI32(?,?), ref: 0040B27D
    • SendMessageW.USER32(00000000,00000317,?,00000035), ref: 0040B297
    • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0040B378
    • SelectObject.GDI32(?,?), ref: 0040B38B
    • DeleteObject.GDI32(?), ref: 0040B397
    • DeleteDC.GDI32(?), ref: 0040B39E
    • RestoreDC.GDI32(?,?), ref: 0040B3FE
    • GetWindowRect.USER32(?,?), ref: 0040B423
    • CreateCompatibleDC.GDI32(?), ref: 0040B4A2
    • _memset.LIBCMT ref: 0040B4E4
    • SelectObject.GDI32(?,?), ref: 0040B4F8
    • _memset.LIBCMT ref: 0040B524
    • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0040B760
    • SelectObject.GDI32(?,?), ref: 0040B778
    • SelectObject.GDI32(?), ref: 0040B79C
    • GetStockObject.GDI32(00000005), ref: 0040B7A2
    • SelectObject.GDI32(?,00000000), ref: 0040B7AF
    • Rectangle.GDI32(?,?,?,?,?), ref: 0040B7C3
    • SelectObject.GDI32(?,00000000), ref: 0040B7D0
    • SaveDC.GDI32(?), ref: 0040B7DA
    • RestoreDC.GDI32(?,00000000), ref: 0040B803
    • EndPaint.USER32(?,?), ref: 0040B816
    • GetFocus.USER32 ref: 0040B852
    • GetParent.USER32(00000000), ref: 0040B878
      • Part of subcall function 0040DBBB: GetFocus.USER32 ref: 0040DBC5
      • Part of subcall function 0040DBBB: SetFocus.USER32(?), ref: 0040DBF0
      • Part of subcall function 0040DBBB: GetTickCount.KERNEL32 ref: 0040DC1D
      • Part of subcall function 0040DBBB: GetTickCount.KERNEL32 ref: 0040DC9C
    • GetTickCount.KERNEL32 ref: 0040AAC4
      • Part of subcall function 0040A7B5: GetKeyState.USER32(00000011), ref: 0040A7C1
      • Part of subcall function 0040A7B5: GetKeyState.USER32(00000002), ref: 0040A7CE
      • Part of subcall function 0040A7B5: GetKeyState.USER32(00000001), ref: 0040A7DA
      • Part of subcall function 0040A7B5: GetKeyState.USER32(00000010), ref: 0040A7E6
      • Part of subcall function 0040A7B5: GetKeyState.USER32(00000012), ref: 0040A7F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Object$Select_memset$Window$DeleteRect$PaintState$CompatibleCountCreateFocusTick$BeginClient$EmptyParentRestoreSaveScreen$ActiveBitmapCursorDestroyH_prolog3_IconicIntersectLongMessageRectangleSendStockUpdateVisible
    • String ID: tooltips_class32$windowinit
    • API String ID: 2470692799-1250824750
    • Opcode ID: 80ee8d5b2c5a835b950ebd999ff1f1afff70c761031506d913896855c6810c2a
    • Instruction ID: 546c93ed5657241e7f5343da2b0f9295d946e0684f76c1578ff1b1ca859df867
    • Opcode Fuzzy Hash: 80ee8d5b2c5a835b950ebd999ff1f1afff70c761031506d913896855c6810c2a
    • Instruction Fuzzy Hash: C1232671900229DFDF25DF24C884BEAB7B5BF48300F0441BAE909BB295DB359A84DF65
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 004149E8
    • IsRectEmpty.USER32(00000000), ref: 00414A46
      • Part of subcall function 00407E68: _malloc.LIBCMT ref: 00407E83
    • GetClipBox.GDI32(0000270F,?), ref: 00414ABB
    • CreateRectRgnIndirect.GDI32(?), ref: 00414ACB
    • CreateRectRgnIndirect.GDI32(00000000), ref: 00414AD4
    • ExtSelectClipRgn.GDI32(0000270F,00000000,00000001), ref: 00414AE9
    • SelectObject.GDI32(0000270F,00000000), ref: 00414B52
    • SetBkMode.GDI32(0000270F,00000001), ref: 00414B61
    • SetTextColor.GDI32(0000270F), ref: 00414B87
    • SetBkColor.GDI32(0000270F), ref: 00414BB1
    • PtInRect.USER32(?,?,?), ref: 00414D16
    • CharNextW.USER32(?,?,000000FF), ref: 00414FC8
    • CharNextW.USER32(?,?,000000FF), ref: 00415009
    • SelectObject.GDI32(?,00000000), ref: 00415139
    • CharNextW.USER32(?,?,000000FF), ref: 0041519E
    • CharNextW.USER32(?), ref: 004151EB
    • _wcsstr.LIBCMT ref: 0041523E
    • _wcsstr.LIBCMT ref: 0041525A
    • CharNextW.USER32(00000000), ref: 004152FF
    • CharNextW.USER32(00000000), ref: 0041531F
    • CharNextW.USER32(00000000), ref: 0041536F
    • CharNextW.USER32(-00000002), ref: 00415393
    • CharNextW.USER32(-00000004), ref: 004153BD
    • CharNextW.USER32(?), ref: 00415704
    • CharNextW.USER32(?), ref: 004157BE
    • CharNextW.USER32(?), ref: 00415806
    • CharNextW.USER32(?), ref: 00415851
    • CharNextW.USER32(?), ref: 0041587E
    • SelectObject.GDI32(?,00000000), ref: 004159B5
    • CharNextW.USER32(?), ref: 00415A3B
    • SetTextColor.GDI32(?), ref: 00415AA5
      • Part of subcall function 004094E3: __EH_prolog3_GS.LIBCMT ref: 004094ED
      • Part of subcall function 004094E3: _memset.LIBCMT ref: 00409515
      • Part of subcall function 004094E3: GetStockObject.GDI32(00000011), ref: 00409528
      • Part of subcall function 004094E3: GetObjectW.GDI32(00000000), ref: 0040952F
      • Part of subcall function 004094E3: _wcsncpy.LIBCMT ref: 0040953C
      • Part of subcall function 004094E3: CreateFontIndirectW.GDI32(00000000), ref: 00409585
      • Part of subcall function 0040A10C: SelectObject.GDI32(?,00000000), ref: 0040A1D9
      • Part of subcall function 0040A10C: GetTextMetricsW.GDI32(?,00000090), ref: 0040A1ED
      • Part of subcall function 0040A10C: SelectObject.GDI32(?,00000000), ref: 0040A1FD
    • SelectObject.GDI32(?,00000000), ref: 00415767
      • Part of subcall function 004083C3: _free.LIBCMT ref: 004083D0
    • GetCharABCWidthsW.GDI32(?,00000020,00000020,?,-00000001,-00000001,00000001), ref: 00416200
    • SelectObject.GDI32(?,00000000), ref: 00416228
    • CharNextW.USER32(?,-00000001,-00000001,00000001), ref: 00416519
    • GetTextExtentPoint32W.GDI32(?,?,00000001,?), ref: 00416585
    • TextOutW.GDI32(?,?,?,?,00000001), ref: 00416633
    • GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00416AFE
    • SetRect.USER32(?,?,?,0000270F,00000000), ref: 00416D08
    • _memmove.LIBCMT ref: 00416F73
    • _memmove.LIBCMT ref: 00416FB9
    • _memmove.LIBCMT ref: 00416FFF
    • _memmove.LIBCMT ref: 00417045
    • SetTextColor.GDI32(?), ref: 004170D8
    • SelectObject.GDI32(?,00000000), ref: 0041711A
    • SetBkMode.GDI32(?,00000002), ref: 0041712C
    • _memmove.LIBCMT ref: 0041717B
    • _memmove.LIBCMT ref: 004171C1
    • SelectClipRgn.GDI32(?,?), ref: 004172EA
    • DeleteObject.GDI32(?), ref: 004172F7
    • DeleteObject.GDI32(?), ref: 004172FF
    • SelectObject.GDI32(?,?), ref: 0041730D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Char$Next$Object$Select$Text$_memmove$Rect$Color$ClipCreateIndirect$DeleteExtentH_prolog3_ModePoint32_wcsstr$EmptyFontMetricsStockWidths_free_malloc_memset_wcsncpy
    • String ID: $...$<$>$a$bold$center$file$file='$italic$res$res='$restype$top$underline$z${$}
    • API String ID: 2469931650-2382009299
    • Opcode ID: b289b8803a6ca5a1c47ee882334a3df5cfc09556d1cb13b7b65d83d909c7a129
    • Instruction ID: 4c2c5c2ba09e0127b6332ca01412a0bb00eb82aecc83eed57b9ff079696517b4
    • Opcode Fuzzy Hash: b289b8803a6ca5a1c47ee882334a3df5cfc09556d1cb13b7b65d83d909c7a129
    • Instruction Fuzzy Hash: 59439E719006289EDF20DF24CC81BEAB7B6AF94304F0445DAE849B7281DB799ED5CF58
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID:
    • String ID: 0-pixel image$1/2/4/8-bit only$DNEI$ETLP$IBgC$RDHI$SNRt$TADI$XXXX PNG chunk not known$bad IHDR len$bad comp method$bad ctype$bad filter method$bad interlace method$bad tRNS len$first not IHDR$invalid PLTE$multiple IHDR$no IDAT$no PLTE$outofdata$outofmem$tRNS after IDAT$tRNS before PLTE$tRNS with alpha$too large
    • API String ID: 0-1966122649
    • Opcode ID: abda625ec2c8e30f2d3d281fc2def83739d837b9beffae98664b8269da201c6a
    • Instruction ID: 1dedab2ed277f95a59ce682a5d70e4b891322e36a95bb2e829c4f98714530b5a
    • Opcode Fuzzy Hash: abda625ec2c8e30f2d3d281fc2def83739d837b9beffae98664b8269da201c6a
    • Instruction Fuzzy Hash: 6522D470F04634DFCB258E25E8457AB7BE0AF45304FA4C4AFE18A96241D77899C5CB1E

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 004195AC
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00402B77,00000000,00000310,004097B6,00402B77,?,00000000,?,?), ref: 0041961A
    • GetFileSize.KERNEL32(00000000,00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000), ref: 00419643
    • CloseHandle.KERNEL32(00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000,?), ref: 00419650
    • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00419679
    • CloseHandle.KERNEL32(?), ref: 00419685
    • _wcscmp.LIBCMT ref: 00419795
    • FindResourceW.KERNEL32(00000000,00402B77,?,00000310,004097B6,00402B77,?,00000000,?,?,00000000,?,?,?,0040A292,00402B77), ref: 004197B2
    • LoadResource.KERNEL32(00000000,00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000), ref: 004197CB
    • FreeResource.KERNEL32(00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000,?), ref: 004197DC
    • SizeofResource.KERNEL32(00000000,00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000), ref: 004197EA
    • LockResource.KERNEL32(?,00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000), ref: 00419806
    • _memmove.LIBCMT ref: 0041980E
    • FreeResource.KERNEL32(?,?,00402B77), ref: 0041981C
    • CreateFileW.KERNEL32(00402B77,80000000,00000001,00000000,00000003,00000080,00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?), ref: 0041983A
    • GetFileSize.KERNEL32(00000000,00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000), ref: 0041984B
    • CloseHandle.KERNEL32(00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000,?), ref: 00419858
    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000), ref: 00419881
    • CloseHandle.KERNEL32(00000000,?,0040A292,00402B77,?,?,00000000,00000000,00402B77,?,00000000,?,00418B43,00000000,00000000,?), ref: 00419888
    • _wcscmp.LIBCMT ref: 004198C4
    • _memset.LIBCMT ref: 00419909
    • CreateDIBSection.GDI32(00000000,?), ref: 00419965
    • _wcscmp.LIBCMT ref: 0041999E
    • CharNextW.USER32(00402B77), ref: 004199B9
    • _wcscmp.LIBCMT ref: 00419B18
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: FileResource$CloseHandle_wcscmp$Create$FreeReadSize$CharFindH_prolog3_LoadLockNextSectionSizeof_memmove_memset
    • String ID: *COLOR*
    • API String ID: 33426505-1560073614
    • Opcode ID: c3c8227af5c844f1503a9f37b56c3e72004bc88d0c114d392d18f5cf0cf764b9
    • Instruction ID: 622ad5329e7349bd13b32d6d08846968f52aa2a3871f0cf0abc5de3e78d7e81c
    • Opcode Fuzzy Hash: c3c8227af5c844f1503a9f37b56c3e72004bc88d0c114d392d18f5cf0cf764b9
    • Instruction Fuzzy Hash: 9DF117318012669FCB259F25CC59FEABBB8AF55340F0441FAF449A3282DA349F85CF65
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID: invalid filter$not enough pixels$outofmem
    • API String ID: 4104443479-151463205
    • Opcode ID: 2183ee0b0f12f0297ce0632d57356ecb6421fbc996649bbf455b040612a55218
    • Instruction ID: 1e376f733d9777f6deceaa869985e16d3af2ec3e2806f342e009f89ffb9b7cca
    • Opcode Fuzzy Hash: 2183ee0b0f12f0297ce0632d57356ecb6421fbc996649bbf455b040612a55218
    • Instruction Fuzzy Hash: 3562AE31E042A59FCB15CF6DD4805EDBFB1EF9A310F68819BD894A7342D2399D42CB64
    APIs
    • _memmove.LIBCMT ref: 0041CB7A
      • Part of subcall function 0041F6D4: SetFilePointer.KERNEL32(?,00000000,00000000,00420415,?,00420415,00000000,00000000,00000002,0041FC9B,0041D0CF,?,00000000,00000000), ref: 0041F70D
    • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0041CD84
    • _memmove.LIBCMT ref: 0041CEFE
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: FileTime_memmove$DatePointer
    • String ID:
    • API String ID: 1871177402-0
    • Opcode ID: 543b7f7272d6f36d4d56651d42926ef29b37af918675025a09d4af275d35be21
    • Instruction ID: a5a99e76cd27ae63d5bb4f7c93043fd4135a7aa24d1049bb0572647444035eeb
    • Opcode Fuzzy Hash: 543b7f7272d6f36d4d56651d42926ef29b37af918675025a09d4af275d35be21
    • Instruction Fuzzy Hash: 0DC170B19446089FDB28CF28DC82ADABBF4BF09300F1045AEE599D7241D775AAC5CF94
    APIs
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000000,00000000,?,004001B9), ref: 003EF4AD
    • CoInitialize.OLE32(00000000), ref: 003EF4B7
    • CoCreateInstance.OLE32(0060DCF8,00000000,00000001,005C7808,00000004,?,004001B9), ref: 003EF4CF
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Create$ImageInitializeInstanceList_
    • String ID:
    • API String ID: 357254610-0
    • Opcode ID: 8f740c60ef24cd74563250c3486a2b0d907751778a51675bb2c79d8f87dce780
    • Instruction ID: d80255bfc8de59f15951ccca097588317b1cc0f6b43906ef1fde0b06c8ed5324
    • Opcode Fuzzy Hash: 8f740c60ef24cd74563250c3486a2b0d907751778a51675bb2c79d8f87dce780
    • Instruction Fuzzy Hash: 31E0E2713C0714BAE6301BA0AC0EF827AA4EB28F02F100825B781AE1D0C5E2A5849B94
    APIs
    • GetLocaleInfoEx.KERNELBASE(?,20001004,?,0058DDCD,?,0058DDCD,?,20001004,?,00000002,?,00000004,?,00000000), ref: 0058B0D5
    • GetLocaleInfoW.KERNEL32(00000000,20001004,?,0058DDCD,?,0058DDCD,?,20001004,?,00000002,?,00000004,?,00000000), ref: 0058B0E0
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 1d4da6e10d283f339a8091e89523637226eb65e0870f4e7843c2a004f6d7c433
    • Instruction ID: 59762302420168ca8ad4396c32dc3fb4adae36b07e26ca516457f5d55939d140
    • Opcode Fuzzy Hash: 1d4da6e10d283f339a8091e89523637226eb65e0870f4e7843c2a004f6d7c433
    • Instruction Fuzzy Hash: ECD09E7A004249FF9F01AFD4FC09C7A3F6AFB49314B445405F91956161DB72A5609B61

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _wcscmp$H_prolog3_wcstoxl
    • String ID: bkcolor$bkcolor1$bkcolor2$bkcolor3$bkimage$bordercolor$borderround$bordersize$borderstyle$colorhsl$enabled$float$focusbordercolor$height$keyboard$maxheight$maxwidth$menu$minheight$minwidth$mouse$name$padding$pos$shortcut$tag$text$tooltip$true$userdata$virtualwnd$visible$width
    • API String ID: 4029035365-3287978572
    • Opcode ID: cdf40cab2366d474823347ee74ded010f8589454e9a8ed620405f762b41591c2
    • Instruction ID: 7c009d2d987adbb363aa497ec87587860db69286cd7a2b73b38b20ca0b0dc8ae
    • Opcode Fuzzy Hash: cdf40cab2366d474823347ee74ded010f8589454e9a8ed620405f762b41591c2
    • Instruction Fuzzy Hash: 2F321C3190021A5BDB28AB649C8AFEF7BACFF95314F10405BF409E6181DF78ADC19B59
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00421C3E
    • _memset.LIBCMT ref: 00421D3E
      • Part of subcall function 0057BF6F: wcstoxl.LIBCMT ref: 0057BF7D
    • _memset.LIBCMT ref: 004229B0
    • _wcscmp.LIBCMT ref: 004229EC
      • Part of subcall function 005775E3: _malloc.LIBCMT ref: 005775FB
      • Part of subcall function 00430B5F: __EH_prolog3.LIBCMT ref: 00430B66
      • Part of subcall function 00430B5F: _memset.LIBCMT ref: 00430D3B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$H_prolog3H_prolog3__malloc_wcscmpwcstoxl
    • String ID: !$ActiveX$Button$CheckBox$ChildLayout$Combo$ComboBox$Container$Control$DateTime$Default$Edit$Font$GifAnim$HBox$HorizontalLayout$IContainer$Image$Include$Label$List$ListContainerElement$ListHBoxElement$ListHeader$ListHeaderItem$ListLabelElement$ListTextElement$MultiLanguage$Option$Progress$RichEdit$ScrollBar$Slider$TabLayout$Text$TileLayout$Tree$TreeNode$TreeNodeUI$TreeView$VBox$VerticalLayout$WebBrowser$count$cover$source$true
    • API String ID: 2128946125-562686441
    • Opcode ID: 1dfc49f9691acfc7bf708afa62782cd700b880965583529232e371f78ff46d7d
    • Instruction ID: 75d3b35a7a805b18f5b33c9d3229628f3f3ce4e8629cfbf0b9480a9e5c805cad
    • Opcode Fuzzy Hash: 1dfc49f9691acfc7bf708afa62782cd700b880965583529232e371f78ff46d7d
    • Instruction Fuzzy Hash: B272EB7170432A6BEB14AB74BE46B6E77A57F44314F5000AFF409E72C1DFB8CA409A5A

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 004184CD
    • CharNextW.USER32(00000000,?,00000258,0040F100,00402B77,?,00000174,00000628,?,?,0041084A,00000000,00000384,00402B77,00402B77), ref: 004185ED
    • IntersectRect.USER32(?,00402B77,?), ref: 00418CB3
    • IntersectRect.USER32(?,00402B77,?), ref: 00418CCB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    • Associated: 00000000.00000002.3292987729.00000000003C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293223556.00000000005C6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293277053.000000000063D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293297866.000000000063F000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293322008.0000000000640000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293341286.0000000000641000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293371933.0000000000646000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293387198.0000000000648000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293407554.000000000064E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293407554.0000000000654000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293447143.0000000000657000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: IntersectRect$CharH_prolog3_Next
    • String ID: *COLOR*$color$corner$dest$fade$file$hole$hsl$mask$res$restype$scale9$source$true$xtiled$ytiled
    • API String ID: 4181824985-1132870484
    • Opcode ID: 08bde262c94509362e6a728dc55379e7ed08cf560f144c5aa3b29e3ee4d584ed
    • Instruction ID: 2404f343a04c49ffc9eea038ebfac5bbfff7c5d588d221d75fe1b48afbf751f4
    • Opcode Fuzzy Hash: 08bde262c94509362e6a728dc55379e7ed08cf560f144c5aa3b29e3ee4d584ed
    • Instruction Fuzzy Hash: 643294718002199ACF20EF64CD85BEA77B4AF54744F1404EFE889A7282DF785AC5CF69

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Windowwcstoxl
    • String ID: caption$defaultfontcolor$disabledfontcolor$layeredimage$layeredopacity$linkfontcolor$linkhoverfontcolor$maxinfo$mininfo$noactivate$opacity$roundcorner$selectedcolor$showdirty$size$sizebox$true
    • API String ID: 746488559-519944345
    • Opcode ID: 87c4fc772855424f3ad9e37d3fdb0ba1dc57d50d2645efd09b0f2e7554dfe111
    • Instruction ID: 3f655cf38e266ab3f56d5b4d6f1c3b4287358b8dae7a8d9c94dfeb1bfb5baa83
    • Opcode Fuzzy Hash: 87c4fc772855424f3ad9e37d3fdb0ba1dc57d50d2645efd09b0f2e7554dfe111
    • Instruction Fuzzy Hash: 87C1D871A00209BFEB046F61DC87FAE3B5DEF50718F10882AF805EB1C1EB78DA545659

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID:
    • String ID: Default$Font$Image$MultiLanguage$Window$bold$default$italic$mask$name$restype$shared$size$true$underline$value
    • API String ID: 0-1487863511
    • Opcode ID: d833fe7f9ff6604818effe3c14d30ab56cca4285900cf2af9a34a8a7f58f6944
    • Instruction ID: 641c20072efd20222db47cbd8ca2c275d802d3c02aae5bceb2da2f6a501f8754
    • Opcode Fuzzy Hash: d833fe7f9ff6604818effe3c14d30ab56cca4285900cf2af9a34a8a7f58f6944
    • Instruction Fuzzy Hash: EE02E871A012399EEB209E65AC81BDEB7B5BFA4314F4001DFE408B3291EB355ED5CE58

    Control-flow Graph

    APIs
      • Part of subcall function 003EE000: _memset.LIBCMT ref: 003EE04F
      • Part of subcall function 003EE000: SHGetSpecialFolderLocation.SHELL32(00000000,00000026,00000000), ref: 003EE06C
      • Part of subcall function 003EE000: SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003EE084
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,x64,x64,00000000,progress_download,label_tip,label_progress,00000000,00000000,000000FF), ref: 003FF621
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: FileFolderFromListLocationModuleNamePathSpecial_memset
    • String ID: CDuiFrameWnd::InitData$CDuiFrameWnd::InitData$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$DownloadRatio:%d ==== ReadFileTimeout:%d$Windows Bit:%s$Windows Version:%s$downloader version:%s$label_progress$label_tip$progress_download$temp.progress$x64$x86
    • API String ID: 1666767966-3708967458
    • Opcode ID: 19110ba000d1f88e9bd3c4d7a460b30e2d39d37f1b02df5bb83d5574709cc092
    • Instruction ID: 15cea6f813f4ac95b187497a16f0d66d601aa4e42635f6d2d5592b54a84205cd
    • Opcode Fuzzy Hash: 19110ba000d1f88e9bd3c4d7a460b30e2d39d37f1b02df5bb83d5574709cc092
    • Instruction Fuzzy Hash: AAA1A070A00219AEDF25EF64CC4EBE9BBB5BF00304F1002ADE91D662D1DB756A58CF91

    Control-flow Graph

    APIs
    • RegCreateKeyExW.KERNELBASE(80000002,SOFTWARE\WOW6432Node\iMyfone,00000000,00000000,00000000,00020006,00000000,?,?,0061B814,00000000,9C3DCF4C), ref: 003F2BB7
    • RegCreateKeyExW.KERNELBASE(80000002,SOFTWARE\WOW6432Node\iMyfone\iMyfoneDown,00000000,00000000,00000000,00020006,00000000,00000000,?), ref: 003F2BDE
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\WOW6432Node\iMyfone\iMyfoneDown,00000000,000F013F,00000000), ref: 003F2C07
    • _memset.LIBCMT ref: 003F2C38
    • RegQueryValueExW.ADVAPI32(00000000,GUID,00000000,00000000,?,00000800), ref: 003F2C67
    • _memset.LIBCMT ref: 003F2D45
    • CoCreateGuid.OLE32(?), ref: 003F2D54
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Create$_memset$GuidOpenQueryValue
    • String ID: %08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$GUID$SOFTWARE\WOW6432Node\iMyfone$SOFTWARE\WOW6432Node\iMyfone\iMyfoneDown$[a-zA-Z0-9\-]+
    • API String ID: 389107665-4038362879
    • Opcode ID: 6a3acaf68152cf0a4453c39aac6f885e5c3e5c8afb70f57000d9efa5e8f0eaec
    • Instruction ID: fad408a32aa6b6f04300188cab20a56465d946f3856a8df64dd94d6b5c6671b3
    • Opcode Fuzzy Hash: 6a3acaf68152cf0a4453c39aac6f885e5c3e5c8afb70f57000d9efa5e8f0eaec
    • Instruction Fuzzy Hash: EAB16F7190426CEEEF219B64CC45BEEBBF8FB14300F1481D9E589A6181DF759A88CF91

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00408CA4
      • Part of subcall function 00409027: __EH_prolog3.LIBCMT ref: 0040902E
      • Part of subcall function 00407E68: _malloc.LIBCMT ref: 00407E83
      • Part of subcall function 00407F69: _memset.LIBCMT ref: 00407FA3
      • Part of subcall function 0040908C: __EH_prolog3.LIBCMT ref: 00409093
    • _memset.LIBCMT ref: 00408EC7
    • GetStockObject.GDI32(00000011), ref: 00408ED7
    • GetObjectW.GDI32(00000000), ref: 00408EDE
    • CreateFontIndirectW.GDI32(?), ref: 00408EEC
    • _memset.LIBCMT ref: 00408F3B
    • CreatePen.GDI32(00000000,00000001,000000DC), ref: 00408F87
    • #17.COMCTL32 ref: 00408F92
    • LoadLibraryW.KERNELBASE(msimg32.dll), ref: 00408F9D
    • _memset.LIBCMT ref: 00408FDF
    • _memset.LIBCMT ref: 00408FED
    • _memset.LIBCMT ref: 00408FFB
    • _memset.LIBCMT ref: 00409009
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$CreateH_prolog3Object$FontH_prolog3_IndirectLibraryLoadStock_malloc
    • String ID: msimg32.dll
    • API String ID: 609589751-3287713914
    • Opcode ID: e49c2cfa52d7a4fecd91a7fd6f41092e3cdc3b7261f9645c169066b82dfc3a63
    • Instruction ID: 63f8ece39431e9056e6b7a43e7fc4302638fe7e54d0b022e726b7800c1534ab5
    • Opcode Fuzzy Hash: e49c2cfa52d7a4fecd91a7fd6f41092e3cdc3b7261f9645c169066b82dfc3a63
    • Instruction Fuzzy Hash: DCA15274805745DFD721DFB5C885BDABBE8BF19304F40486EE5AEA3282D7752608CB22

    Control-flow Graph

    APIs
    • _wcscpy.LIBCMT ref: 0041D275
    • _wcsstr.LIBCMT ref: 0041D2E2
    • _wcsstr.LIBCMT ref: 0041D2F5
    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000010,00000000), ref: 0041D339
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _wcsstr$CreateFile_wcscpy
    • String ID: ../$..\$/$:$\
    • API String ID: 2959087669-3971031215
    • Opcode ID: d24833f193d240a144b880ae4476a5abd9ef0d7b8488ae18f426a91fc91d4e13
    • Instruction ID: 29d4ddf0b5acd2686397b69548d7ee4bd8eb4fab9f56bdcad2d7e1b4ea390899
    • Opcode Fuzzy Hash: d24833f193d240a144b880ae4476a5abd9ef0d7b8488ae18f426a91fc91d4e13
    • Instruction Fuzzy Hash: 8FA1C8F1D002299FDB24EF64DC45AEAB778AF04310F1042ABF92993191D738AEC5CB59

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 004208FB
      • Part of subcall function 00420C84: _free.LIBCMT ref: 00420C8E
      • Part of subcall function 00420C84: _free.LIBCMT ref: 00420C9D
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,000002C4,00421BA9,?,00000000,00000000,00000001,?), ref: 0042095C
    • GetFileSize.KERNEL32(00000000,00000000,?,00421E4C,?,?,00000000,?,?,?,?,?), ref: 00420979
    • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 004209BC
    • CloseHandle.KERNEL32(?), ref: 004209C8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    • Associated: 00000000.00000002.3292987729.00000000003C0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293223556.00000000005C6000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293277053.000000000063D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293297866.000000000063F000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293322008.0000000000640000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293341286.0000000000641000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293371933.0000000000646000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293387198.0000000000648000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293407554.000000000064E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293407554.0000000000654000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3293447143.0000000000657000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: File$_free$CloseCreateH_prolog3_HandleReadSize
    • String ID: Could not find ziped file$Could not read file$Could not unzip file$Error opening file$Error opening zip file$File is empty$File too large
    • API String ID: 3496122116-2950584456
    • Opcode ID: c19c5c7f2b78bec0900ce5c514e410dc5c10aabf066fed4912d1e9ec1608e749
    • Instruction ID: a097d4e969f8fc531cabc1043b8ee60b0775bc9158055cf482b4dc735dbbfded
    • Opcode Fuzzy Hash: c19c5c7f2b78bec0900ce5c514e410dc5c10aabf066fed4912d1e9ec1608e749
    • Instruction Fuzzy Hash: FD510931B403246AEB21A721AC4AFBF6A79AF60704F5041AFF409761D3DE7C5E419A1E

    Control-flow Graph

    APIs
    • GetWindow.USER32(?,00000004), ref: 00407BA7
    • ShowWindow.USER32(?,00000001,?,?,?,00000000,96C80000,00000000,80000000,80000000,80000000,80000000,00000000), ref: 00407BB4
    • EnableWindow.USER32(00000000,00000000), ref: 00407BBC
    • IsWindow.USER32(?), ref: 00407BD2
    • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00000000), ref: 00407BE9
    • EnableWindow.USER32(00000000,00000001), ref: 00407C0A
    • SetFocus.USER32(00000000,?,?,?,00000000), ref: 00407C11
    • TranslateMessage.USER32(00000000), ref: 00407C25
    • DispatchMessageW.USER32(00000000), ref: 00407C2F
    • IsWindow.USER32(?), ref: 00407C3E
    • EnableWindow.USER32(00000000,00000001), ref: 00407C4B
    • SetFocus.USER32(00000000,?,?,?,00000000,96C80000,00000000,80000000,80000000,80000000,80000000,00000000), ref: 00407C52
    • PostQuitMessage.USER32(00000000), ref: 00407C60
    Similarity
    • API ID: Window$EnableMessage$Focus$CallbackDispatchDispatcherPostQuitShowTranslateUser
    • String ID:
    • API String ID: 802916070-0
    • Opcode ID: aa442f226f04977b4cc5ed01cf063cdbe3bda11c5460668f5ce9613775392416
    • Instruction ID: 5c444990eb402dc6281e7058a7b7f520e06b933e0af607c480969c142933306c
    • Opcode Fuzzy Hash: aa442f226f04977b4cc5ed01cf063cdbe3bda11c5460668f5ce9613775392416
    • Instruction Fuzzy Hash: B6218D31904608EFEF149FA4DDC8DEE7B79EF54301B004025F501E7290C779AA45DBA5

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,9C3DCF4C), ref: 00400704
    • FindResourceW.KERNELBASE(00000000,0000006A,0000000A,?,9C3DCF4C), ref: 00400711
    • LoadResource.KERNEL32(00000000,00000000,?,9C3DCF4C), ref: 0040071B
    • LockResource.KERNEL32(00000000,?,9C3DCF4C), ref: 00400722
    • SizeofResource.KERNEL32(00000000,00000000,?,9C3DCF4C), ref: 0040072C
    • _memset.LIBCMT ref: 00400749
    • _memmove.LIBCMT ref: 00400757
    Strings
    Similarity
    • API ID: Resource$FindHandleLoadLockModuleSizeof_memmove_memset
    • String ID: CDuiFrameWnd::LoadDomainFile$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$Domain:%s$LoadDomainFile
    • API String ID: 875142443-896417496
    • Opcode ID: 3ea660e1f0ba2b62b9d11d4bab9cd68d15fd8ce0ddd8f4253cf599bdac31793a
    • Instruction ID: 81c6dce9361e9637a052b09421dc648e49538baf9db2b0887b09fceabb4e314a
    • Opcode Fuzzy Hash: 3ea660e1f0ba2b62b9d11d4bab9cd68d15fd8ce0ddd8f4253cf599bdac31793a
    • Instruction Fuzzy Hash: 1571B271D042689EDF259B64CC0ABEABBB8FF08704F0001E9E50977281EB795B84CF95

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,9C3DCF4C), ref: 00400B80
    • FindResourceW.KERNELBASE(00000000,00000069,0000000A,?,9C3DCF4C), ref: 00400B8D
    • LoadResource.KERNEL32(00000000,00000000,?,9C3DCF4C), ref: 00400B97
    • LockResource.KERNEL32(00000000,?,9C3DCF4C), ref: 00400B9E
    • SizeofResource.KERNEL32(00000000,00000000,?,9C3DCF4C), ref: 00400BAC
    Strings
    • D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp, xrefs: 00400B6C
    • CDuiFrameWnd::LoadResZipFile, xrefs: 00400B71
    • LoadResZipFile, xrefs: 00400B60
    • language\, xrefs: 00400BBA
    Similarity
    • API ID: Resource$FindHandleLoadLockModuleSizeof
    • String ID: CDuiFrameWnd::LoadResZipFile$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$LoadResZipFile$language\
    • API String ID: 1601749889-254271956
    • Opcode ID: 5a2e5264ea5efac7825bfa440eb4d960b01cbbf190920f0b21b1759b07787918
    • Instruction ID: 61de552a7592d8db370730b4b93aa558045e27f13513b7992b46723eb2a68f70
    • Opcode Fuzzy Hash: 5a2e5264ea5efac7825bfa440eb4d960b01cbbf190920f0b21b1759b07787918
    • Instruction Fuzzy Hash: 0C31D475A04244AFDB14DBA4CC09FEEBBB8FF49704F00006EF906A7281EB755A04CB61

    Control-flow Graph

    APIs
    • GetFileVersionInfoSizeW.VERSION(?,00000000,9C3DCF4C), ref: 003EE20B
    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?,?,?,?,?,005B3331,000000FF), ref: 003EE245
    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,00000034,?,00000000,00000000,00000000,?,?,?,?,?,?,005B3331,000000FF), ref: 003EE25C
    • VerQueryValueW.VERSION(00000000,0061B8C0,00000007,00000000,00000000,\VarFileInfo\Translation,?,00000034,?,00000000,00000000,00000000), ref: 003EE27A
    • wsprintfW.USER32 ref: 003EE2A0
    Strings
    Similarity
    • API ID: FileInfoQueryValueVersion$Sizewsprintf
    • String ID: %d.%d.%d.%d$4$\VarFileInfo\Translation
    • API String ID: 2824581984-4139423713
    • Opcode ID: 55657eb2da1b877f8991e45e0f4b53b400523a49336411e1c04155612fb1a8c5
    • Instruction ID: b6b4e53ef1f8a9de4296cf7e3f3c02da6eddb69f4186dfee80cc97e60566594b
    • Opcode Fuzzy Hash: 55657eb2da1b877f8991e45e0f4b53b400523a49336411e1c04155612fb1a8c5
    • Instruction Fuzzy Hash: 0031DFB1500248ABCB00DF99CC45BAFBBFCFB48714F104629F905E6281D739E905CBA1
    APIs
    • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,0061B814,00000000), ref: 003EE790
    • RegCloseKey.ADVAPI32(00000000), ref: 003EE7A0
    • _memset.LIBCMT ref: 003EE7CD
    • RegQueryValueExW.KERNELBASE(00000000,ProductName,00000000,00000000,?,00000800), ref: 003EE7FC
    • RegCloseKey.KERNELBASE(00000000), ref: 003EE848
    Strings
    • ProductName, xrefs: 003EE7F1
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 003EE77C
    Similarity
    • API ID: Close$OpenQueryValue_memset
    • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • API String ID: 3651382416-1787575317
    • Opcode ID: dbda723e697e77a34533fc02e84d6cf2fc29c755f03f05544bf46160bd975ddf
    • Instruction ID: 339e562817b3b938f52c699898fa0c63836c0b5b748f4061ca89948bbaf0e8cb
    • Opcode Fuzzy Hash: dbda723e697e77a34533fc02e84d6cf2fc29c755f03f05544bf46160bd975ddf
    • Instruction Fuzzy Hash: 40414C7190426C9ADF219B64DC49BEDB7F8FF08704F0485A9E449A6180EF716B88CFD0
    APIs
    • GetSystemMetrics.USER32(0000000C), ref: 00407B18
    • GetSystemMetrics.USER32(0000000B), ref: 00407B23
    • LoadImageW.USER32(00000000,?,00000001,-0000000F), ref: 00407B35
    • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00407B4F
    • GetSystemMetrics.USER32(00000032), ref: 00407B55
    • GetSystemMetrics.USER32(00000031), ref: 00407B60
    • LoadImageW.USER32(00000000,?,00000001,-0000000F,?,00000001), ref: 00407B74
    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00407B88
    Similarity
    • API ID: MetricsSystem$ImageLoadMessageSend
    • String ID:
    • API String ID: 530543073-0
    • Opcode ID: 1d5b912abb3705ea4773be5da154637b0ee9b3286ad2995f34af94aa9b67b0b5
    • Instruction ID: 49804a241ea5192ea4a25a59e7d1112393b5d986f8097486de2123e51c5b3c9a
    • Opcode Fuzzy Hash: 1d5b912abb3705ea4773be5da154637b0ee9b3286ad2995f34af94aa9b67b0b5
    • Instruction Fuzzy Hash: 79119B726D06047FDA105774DC83F9A7A5CEB04720F154211FE14EE2D1C675EA0467B8
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00411D80
      • Part of subcall function 003E3820: _memmove.LIBCMT ref: 003E38DC
      • Part of subcall function 003E4F30: _memmove.LIBCMT ref: 003E4F53
    • _wcsncpy.LIBCMT ref: 00411E54
    • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411ED4
    • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,00000000,00000003,00000000), ref: 00411EE9
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000003,00000000), ref: 00411EF0
    Strings
    Similarity
    • API ID: File_memmove$CloseCreateH_prolog3_HandleWrite_wcsncpy
    • String ID: %s%s
    • API String ID: 3125416519-3252725368
    • Opcode ID: 47a1a82f0195bf91c893a083a5841acc6585293b6ed4939036132746c8ec715e
    • Instruction ID: d8985a794c9b4f3cd6314dfd7fd57822ff89788db12377b5650d298785235988
    • Opcode Fuzzy Hash: 47a1a82f0195bf91c893a083a5841acc6585293b6ed4939036132746c8ec715e
    • Instruction Fuzzy Hash: 114142B1900268AFDB10DBA0DC89FDA777CEF14704F4045D9B608A7181EB746F84CB69
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004071CC
    • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 00407320
    • GetLastError.KERNEL32 ref: 0040732E
    • FindWindowW.USER32(00000000,00000000), ref: 00407402
    • ShowWindow.USER32(00000000,00000009), ref: 00407445
    • SetForegroundWindow.USER32(00000000), ref: 0040744C
    Similarity
    • API ID: Window$CreateErrorFileFindForegroundLastModuleMutexNameShow
    • String ID:
    • API String ID: 3931967369-0
    • Opcode ID: 40161de62a79950568730d4bfe7cd6751ad0e83f6e1439620cf87592f20a4d5e
    • Instruction ID: be37c1c463f7d2b0475f2dcc83bf630bd48408d6b5f53de59264c173a4ee4844
    • Opcode Fuzzy Hash: 40161de62a79950568730d4bfe7cd6751ad0e83f6e1439620cf87592f20a4d5e
    • Instruction Fuzzy Hash: E9819270D052289ADF20EB60DD4EBDDB774AF14304F1001EAE509B61D1DB786B98CF9A
    APIs
    • FindResourceW.KERNEL32(00000000,?,?,00000000,00000001,?,?,00421E4C,?,?,00000000,?,?,?,?,?), ref: 00421BB6
    • LoadResource.KERNEL32(00000000,00000000,?,00421E4C,?,?,00000000,?,?,?,?,?), ref: 00421BC9
    • FreeResource.KERNEL32(00000000,?,00421E4C,?,?,00000000,?,?,?,?,?), ref: 00421BD7
    • SizeofResource.KERNEL32(00000000,00000000,00000000,?,00421E4C,?,?,00000000,?,?,?,?,?), ref: 00421BF1
    • LockResource.KERNEL32(?,00000000,?,00421E4C,?,?,00000000,?,?,?,?,?), ref: 00421BFB
    • FreeResource.KERNEL32(00000000,?,?,00000000,?,?,?,?,?), ref: 00421C0E
      • Part of subcall function 004208A6: _malloc.LIBCMT ref: 004208C0
      • Part of subcall function 004208A6: _memmove.LIBCMT ref: 004208CC
    Similarity
    • API ID: Resource$Free$FindLoadLockSizeof_malloc_memmove
    • String ID:
    • API String ID: 2766266730-0
    • Opcode ID: b06a36e129cde2702f2411f1be682c230b3990375cba8df771c7fa6a22ccab9e
    • Instruction ID: ad052a28c05e51f48095b3d228c64fd72cc8a1fa68755aa85938545887c7ac54
    • Opcode Fuzzy Hash: b06a36e129cde2702f2411f1be682c230b3990375cba8df771c7fa6a22ccab9e
    • Instruction Fuzzy Hash: C811BE70600324AFDF106F75AC09E7B3BB9AF64754B40881FF90593222EB3DDC119A69
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00418EE2
      • Part of subcall function 0040CD8B: __EH_prolog3_GS.LIBCMT ref: 0040CD95
    • SetBkMode.GDI32(0000270F,00000001), ref: 00418F47
    • SetTextColor.GDI32(0000270F), ref: 00418F6D
      • Part of subcall function 00409ED2: _memset.LIBCMT ref: 00409EF3
      • Part of subcall function 00409ED2: __itow.LIBCMT ref: 00409F01
    • SelectObject.GDI32(0000270F,00000000), ref: 00418F88
    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00418FA6
    • SelectObject.GDI32(?,00000000), ref: 00418FAE
      • Part of subcall function 00407FE0: _free.LIBCMT ref: 00407FE9
    Similarity
    • API ID: H_prolog3_ObjectSelectText$ColorDrawMode__itow_free_memset
    • String ID:
    • API String ID: 2393719197-0
    • Opcode ID: 72abb4648cb778dde1924b4f0875bb14e457ba8cd2b5b7c9daf83ec051d3c1cf
    • Instruction ID: 84ae7852e9a44c27cb02045335243d216eb75f2e99fa4bccd9c3b6be2d747a7a
    • Opcode Fuzzy Hash: 72abb4648cb778dde1924b4f0875bb14e457ba8cd2b5b7c9daf83ec051d3c1cf
    • Instruction Fuzzy Hash: 82215E709001299BDB149B25CC45FAEB7B9AF84320F10429AF919B32D1DA349E45CF64
    APIs
    • OutputDebugStringA.KERNEL32(?,9C3DCF4C,?,00000000,?,?,?,?,?,?,00000000,005C0DD8), ref: 004B4860
    • InitializeCriticalSection.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000,005C0DD8,000000FF,?,004B4CD3,00000000), ref: 004B48B1
    • EnterCriticalSection.KERNEL32(01278580,?,00000000,?,?,?,?,?,?,00000000,005C0DD8,000000FF,?,004B4CD3,00000000), ref: 004B48BD
    • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,005C0DD8,000000FF,?,004B4CD3,00000000), ref: 004B48E9
    Strings
    Similarity
    • API ID: CriticalSection$DebugEnterInitializeLeaveOutputString
    • String ID: [log] %s
    • API String ID: 174071661-1135976059
    APIs
    • GetFileVersionInfoSizeW.VERSION(?,?,9C3DCF4C), ref: 00407039
    • GetFileVersionInfoW.VERSION(?,?,?,?,?,?,9C3DCF4C), ref: 0040706C
    • VerQueryValueW.VERSION(?,0061B8C0,?,?,?,?,?,?,?,?,9C3DCF4C), ref: 00407083
    • VerQueryValueW.VERSION(?,\StringFileInfo\040904b0\FileDescription,?,?,?,0061B8C0,?,?,?,?,?,?,?,?,9C3DCF4C), ref: 0040709A
    Strings
    • \StringFileInfo\040904b0\FileDescription, xrefs: 00407094
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: FileInfoQueryValueVersion$Size
    • String ID: \StringFileInfo\040904b0\FileDescription
    • API String ID: 2099394744-1833576830
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00411F14
      • Part of subcall function 003E3820: _memmove.LIBCMT ref: 003E38DC
      • Part of subcall function 003E4F30: _memmove.LIBCMT ref: 003E4F53
    • _wcsncpy.LIBCMT ref: 00411FDF
    • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,00412118,?,00000000), ref: 0041204C
    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00412118,?,00000000), ref: 0041205F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove$AttributesCreateDirectoryFileH_prolog3__wcsncpy
    • String ID: %s%s
    • API String ID: 1063294586-3252725368
    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 003EE9D7
    • GetProcAddress.KERNEL32(00000000), ref: 003EE9DE
    • GetNativeSystemInfo.KERNELBASE(?), ref: 003EE9EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: AddressHandleInfoModuleNativeProcSystem
    • String ID: GetNativeSystemInfo$kernel32.dll
    • API String ID: 3469989633-192647395
    APIs
    • __EH_prolog3.LIBCMT ref: 0040EB43
      • Part of subcall function 00407E68: _malloc.LIBCMT ref: 00407E83
      • Part of subcall function 00409027: __EH_prolog3.LIBCMT ref: 0040902E
      • Part of subcall function 00407F69: _memset.LIBCMT ref: 00407FA3
    • _memset.LIBCMT ref: 0040ECE7
    • _memset.LIBCMT ref: 0040ECF6
    • _memset.LIBCMT ref: 0040ED05
    • _memset.LIBCMT ref: 0040ED14
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memset$H_prolog3$_malloc
    • String ID:
    • API String ID: 456537711-0
    APIs
    • _malloc.LIBCMT ref: 00579CE7
      • Part of subcall function 00579A68: __FF_MSGBANNER.LIBCMT ref: 00579A7F
      • Part of subcall function 00579A68: __NMSG_WRITE.LIBCMT ref: 00579A86
      • Part of subcall function 00579A68: RtlAllocateHeap.NTDLL(01230000,00000000,00000001,00000001,?,?,?,0057A197,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579AAB
    • _free.LIBCMT ref: 00579CFA
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: AllocateHeap_free_malloc
    • String ID:
    • API String ID: 1020059152-0
    APIs
    • SetWindowLongW.USER32(?,000000EB), ref: 00407DA1
    • GetWindowLongW.USER32(?,000000EB), ref: 00407DBE
    • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00407DDE
    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00407DED
    • DefWindowProcW.USER32(?,?,?,?), ref: 00407E18
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Window$Long$Proc$Call
    • String ID:
    • API String ID: 1819824282-0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _free
    • String ID: bad req_comp
    • API String ID: 269201875-3549665374
    APIs
    • _wcscmp.LIBCMT ref: 005A6236
    • _wcscmp.LIBCMT ref: 005A6247
      • Part of subcall function 0058B0B9: GetLocaleInfoEx.KERNELBASE(?,20001004,?,0058DDCD,?,0058DDCD,?,20001004,?,00000002,?,00000004,?,00000000), ref: 0058B0D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _wcscmp$InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2268238039-711371036
    APIs
      • Part of subcall function 004B5710: PathFileExistsW.KERNELBASE(?), ref: 004B5752
    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,000000FF), ref: 004B543A
    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,000000FF), ref: 004B546B
    Strings
    • invalid string position, xrefs: 004B54A1
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CreateDirectory$ExistsFilePath
    • String ID: invalid string position
    • API String ID: 3539644139-1799206989
    APIs
      • Part of subcall function 003EE000: _memset.LIBCMT ref: 003EE04F
      • Part of subcall function 003EE000: SHGetSpecialFolderLocation.SHELL32(00000000,00000026,00000000), ref: 003EE06C
      • Part of subcall function 003EE000: SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003EE084
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003EE33E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: FileFolderFromListLocationModuleNamePathSpecial_memset
    • String ID: .$imyfone_down\
    • API String ID: 1666767966-2779201977
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    APIs
    • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 003E49FA
    • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 003E4A99
      • Part of subcall function 005775E3: _malloc.LIBCMT ref: 005775FB
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception$_malloc
    • String ID:
    • API String ID: 2334408457-0
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    APIs
    • SHCreateDirectory.SHELL32(00000000,00000000,00000000,00000002), ref: 004120A2
    • GetFileAttributesW.KERNELBASE(00000000), ref: 004120A9
    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 004120B6
      • Part of subcall function 00411D76: __EH_prolog3_GS.LIBCMT ref: 00411D80
      • Part of subcall function 00411D76: _wcsncpy.LIBCMT ref: 00411E54
      • Part of subcall function 00411D76: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411ED4
      • Part of subcall function 00411D76: WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,00000000,00000003,00000000), ref: 00411EE9
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CreateFile$Directory$AttributesH_prolog3_Write_wcsncpy
    • String ID:
    • API String ID: 3909004097-0
    • Opcode ID: 409aba14805a9c525355bd3dfc44967bdc9c3b519b6d7685ccb679100a158847
    • Instruction ID: ab08bb15606190164184193f8804b0bc9fd67aab7de429820bc31f47315db043
    • Opcode Fuzzy Hash: 409aba14805a9c525355bd3dfc44967bdc9c3b519b6d7685ccb679100a158847
    • Instruction Fuzzy Hash: A8218C31800218BBCB20AB65DC89EEEBB7CEF49314F1001DAF608A6251DB395F91CB64
    APIs
    • _memset.LIBCMT ref: 003EE04F
    • SHGetSpecialFolderLocation.SHELL32(00000000,00000026,00000000), ref: 003EE06C
    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003EE084
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: FolderFromListLocationPathSpecial_memset
    • String ID:
    • API String ID: 2157604179-0
    • Opcode ID: 03312c356b7d7af10b608e7fc5d291f26e8e40bcfe4b7731991354f1a2ef4d5c
    • Instruction ID: 43ef8552ec499ea998fc28f039f31381a256ff5c824ebc095177324b080193b6
    • Opcode Fuzzy Hash: 03312c356b7d7af10b608e7fc5d291f26e8e40bcfe4b7731991354f1a2ef4d5c
    • Instruction Fuzzy Hash: 6031817591016C9ADB24DF54DC8DBEAB7B8FF18704F0002D9E80AA7280EB746B48CF91
    APIs
    • _malloc.LIBCMT ref: 005775FB
      • Part of subcall function 00579A68: __FF_MSGBANNER.LIBCMT ref: 00579A7F
      • Part of subcall function 00579A68: __NMSG_WRITE.LIBCMT ref: 00579A86
      • Part of subcall function 00579A68: RtlAllocateHeap.NTDLL(01230000,00000000,00000001,00000001,?,?,?,0057A197,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579AAB
    • std::exception::exception.LIBCMT ref: 00577619
    • __CxxThrowException@8.LIBCMT ref: 0057762E
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
    • String ID:
    • API String ID: 3074076210-0
    • Opcode ID: 254fc64e413c8e116f7a2293ad9461c7b70ebd0968b56c60551ca8c4b7c323ac
    • Instruction ID: 0d90f0a00c2730ebcd1e1bf220ba712a00ee89a1f883315aaf92c8ea69ddf140
    • Opcode Fuzzy Hash: 254fc64e413c8e116f7a2293ad9461c7b70ebd0968b56c60551ca8c4b7c323ac
    • Instruction Fuzzy Hash: 38E0377444420FA6DF21AF68EC099ED7FBDBB44300F108556E818A5191DBB19A04F691
    APIs
    • InterlockedIncrement.KERNEL32(0064F4F4), ref: 003E03A5
    • WSAStartup.WS2_32(00000002,?), ref: 003E03B9
    • InterlockedExchange.KERNEL32(0064F4F8,00000000), ref: 003E03C5
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Interlocked$ExchangeIncrementStartup
    • String ID:
    • API String ID: 1856147945-0
    • Opcode ID: 169999a771183e0147df6a27365fb009016c76857668566a26a20889ecebadea
    • Instruction ID: 5071ebd443441c8d1f7e0d7e9029490114f5b6e183e984f4dd662009531859e4
    • Opcode Fuzzy Hash: 169999a771183e0147df6a27365fb009016c76857668566a26a20889ecebadea
    • Instruction Fuzzy Hash: CEF06574A04248DFD700EFA4FE0BD7E7BFAEB59B11F500468F90986193DE705A489A62
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: string too long
    • API String ID: 4104443479-2556327735
    • Opcode ID: 10886bc442c1dfcead5ef3300eb2c6862f256954fe9f42ce5dff8d62afe49888
    • Instruction ID: d4859f7147bcac9d1dbf9fb3c441694fd019bd844c53fdf04e92423a941a31b1
    • Opcode Fuzzy Hash: 10886bc442c1dfcead5ef3300eb2c6862f256954fe9f42ce5dff8d62afe49888
    • Instruction Fuzzy Hash: 0C4116323143649BC6269E5EE88896AF3EAEFD0750711072EF546C7680D721AE0887A5
    APIs
    • PathFindFileNameW.SHLWAPI(9C3DCF4C,9C3DCF4C,?,00000000,9C3DCF4C,00000000,?,?,?,00000000,005C0E40,000000FF,?,004B4D88,00000000,?), ref: 004B4C26
      • Part of subcall function 004B51A0: WideCharToMultiByte.KERNEL32(00000001,00000000,005C0E40,000000FF,00000000,00000000,00000000,00000000,9C3DCF4C), ref: 004B5212
      • Part of subcall function 004B51A0: WideCharToMultiByte.KERNEL32(00000001,00000000,005C0E40,000000FF,00000000,00000000,00000000,00000000,9C3DCF4C), ref: 004B5241
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ByteCharMultiWide$FileFindNamePath
    • String ID: [%s:%d][%s] %s
    • API String ID: 2461351750-269775
    • Opcode ID: ce2c20f9ea605a973ccd765555b331a9828a594ce5c61605553226b0d692b679
    • Instruction ID: a1aaa2dd34d2bd30e94cddcf25b87013823fad7b7ca594db7d3fe09dc87a1ab1
    • Opcode Fuzzy Hash: ce2c20f9ea605a973ccd765555b331a9828a594ce5c61605553226b0d692b679
    • Instruction Fuzzy Hash: E841A0B1C012499BDF01DFA4DC49BEEBFB9EB05714F14016AE405B7282D7795A44CBB2
    APIs
    • PathFindFileNameA.SHLWAPI(9C3DCF4C,9C3DCF4C,?,00000000,9C3DCF4C,00000000,004B49F2,00000000,?), ref: 004B4ACE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: FileFindNamePath
    • String ID: [%s:%d][%s] %s
    • API String ID: 1422272338-269775
    • Opcode ID: f3a24200ca3664a892c2082966e7d5dcb36430d4af1c53e17349ca9963ff7d2d
    • Instruction ID: 47e2b8df907c98719c1e2533b73fdd3eaf493db705cdd73d05d672a5621c0d1d
    • Opcode Fuzzy Hash: f3a24200ca3664a892c2082966e7d5dcb36430d4af1c53e17349ca9963ff7d2d
    • Instruction Fuzzy Hash: 6331ADB1804149AFEF15DFA4DC49BEFBFB4EB49314F04416AE80262282D7796A44CBA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _open
    • String ID: GGK
    • API String ID: 4183159743-3567387533
    • Opcode ID: 26e6d43ea45ee9afe334e0ab7e07100b781acd63185fd0eddbb566d0dcf8a2dc
    • Instruction ID: 785a81c2a7e0037a7320d4e8fafb4a47f844711bdc5848185f3fbf6de9eedd64
    • Opcode Fuzzy Hash: 26e6d43ea45ee9afe334e0ab7e07100b781acd63185fd0eddbb566d0dcf8a2dc
    • Instruction Fuzzy Hash: 7C218CB0504784EFDB20CF59C809B5ABFE9FB45724F104A2EE85197781E3B9A944CB90
    APIs
      • Part of subcall function 004C0920: _open.LIBCMT ref: 004C09C1
    • __libm_sse2_log10_precise.LIBCMT ref: 004B869C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: __libm_sse2_log10_precise_open
    • String ID: GGK
    • API String ID: 2290428419-3567387533
    • Opcode ID: e62212b4c6886dd2c9d320d521d3360fdd2af5298df65b1dfd8838600507a826
    • Instruction ID: 1f6c5623cb88c5441365d027e2ef2c56193a99991f4d83f2fa63cfd777692470
    • Opcode Fuzzy Hash: e62212b4c6886dd2c9d320d521d3360fdd2af5298df65b1dfd8838600507a826
    • Instruction Fuzzy Hash: 1501A2741103099FDB569F36D820996BBA9EF59350B00862EF806B2720F33198A1DF90
    APIs
      • Part of subcall function 00422B20: __EH_prolog3.LIBCMT ref: 00422B27
      • Part of subcall function 00422B20: _memset.LIBCMT ref: 00422B93
    • _memset.LIBCMT ref: 00433901
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memset$H_prolog3
    • String ID: \
    • API String ID: 2144794740-417808876
    • Opcode ID: d24e7d455c1c4c7d283a0a4cdb24053ba86a0465f7b045e9b787a8f263fd14cc
    • Instruction ID: 56d5acde66ae3bb699561b4599626aad6966b19a44f7be60bf19322fa815f4a3
    • Opcode Fuzzy Hash: d24e7d455c1c4c7d283a0a4cdb24053ba86a0465f7b045e9b787a8f263fd14cc
    • Instruction Fuzzy Hash: A0E09AB1901B509ED3A1DF78A906BC3BFE9BB99314F04092EE19ED3601EB726464CB51
    APIs
    • _memset.LIBCMT ref: 003EDC27
    • GetPrivateProfileSectionW.KERNEL32(00000007,?,00001000,9C3DCF4C), ref: 003EDC3D
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: PrivateProfileSection_memset
    • String ID:
    • API String ID: 2820951895-0
    • Opcode ID: cbaecab1611f71f37921aa19743922205b46c4d18b02a69892ffbd93506019bf
    • Instruction ID: 68ee93a7e02b67c152917e13532f2e261f40da0c4a5190a6bdf5db1d1eebc4dd
    • Opcode Fuzzy Hash: cbaecab1611f71f37921aa19743922205b46c4d18b02a69892ffbd93506019bf
    • Instruction Fuzzy Hash: 6BB15AB5D00369DADF25DF65CC4DB9AB7B9AF44304F0041DAE90DA7292D7706A88CFA0
    APIs
    • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 003E4A99
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
    • String ID:
    • API String ID: 120817956-0
    • Opcode ID: e6cb1d4978e3f63eae5db0a788d06f8eaf7376e1c3e5a132f0450661df0da48f
    • Instruction ID: 03fdb37b896ab337594320e5f56f9c2f922bbc7a91b791a241a9640108b5b314
    • Opcode Fuzzy Hash: e6cb1d4978e3f63eae5db0a788d06f8eaf7376e1c3e5a132f0450661df0da48f
    • Instruction Fuzzy Hash: 6531E371A0066A9BCB24CF69D48166EBBF9FB48720F20473EE456C7780DB70DA04C7A1
    APIs
    • _setlocale.LIBCMT ref: 003EEDF4
      • Part of subcall function 00579780: _mbstowcs_s.LIBCMT ref: 005797A6
      • Part of subcall function 00579780: __invoke_watson.LIBCMT ref: 005797C1
      • Part of subcall function 00579780: __calloc_crt.LIBCMT ref: 005797CB
    • _mbstowcs.LIBCMT ref: 003EEE31
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: __calloc_crt__invoke_watson_mbstowcs_mbstowcs_s_setlocale
    • String ID:
    • API String ID: 3550724559-0
    • Opcode ID: 8d5b3b99405db05963af57074bbe1c30a0d3785af288859931c6398cea3b12e6
    • Instruction ID: fb9553a22a341c7cf7df30e46f82293c88563feb2dc06dbee582a23ea4713a38
    • Opcode Fuzzy Hash: 8d5b3b99405db05963af57074bbe1c30a0d3785af288859931c6398cea3b12e6
    • Instruction Fuzzy Hash: 02212475600259ABDB15DF28DC06BBEB7A8FF88314F00462DFC0A87280E775AA04C7A0
    APIs
    • GetPrivateProfileStringW.KERNEL32(00000007,?,0061B814,?,00000100,9C3DCF4C), ref: 003EE92C
    • GetLastError.KERNEL32 ref: 003EE934
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ErrorLastPrivateProfileString
    • String ID:
    • API String ID: 900184866-0
    • Opcode ID: bde78b41104a651850436849e159674490f3bf09f22a420c91766b9024945f94
    • Instruction ID: 63a6b0ff870ae2a5bd2a1405d82950c20ced8063111cff605363b3ce304ae1a5
    • Opcode Fuzzy Hash: bde78b41104a651850436849e159674490f3bf09f22a420c91766b9024945f94
    • Instruction Fuzzy Hash: 3631A07494025D9FCF24DF14D888BEAB7B8FB08714F004699F819A7280D7B46A44CFA0
    APIs
      • Part of subcall function 0040EB3C: __EH_prolog3.LIBCMT ref: 0040EB43
      • Part of subcall function 0040EB3C: _memset.LIBCMT ref: 0040ECE7
      • Part of subcall function 0040EB3C: _memset.LIBCMT ref: 0040ECF6
    • _memset.LIBCMT ref: 00425520
    • GdiplusStartup.GDIPLUS(?,?,00000000,?,?), ref: 0042552C
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$GdiplusH_prolog3Startup
    • String ID:
    • API String ID: 2893185210-0
    • Opcode ID: 4b4b9d6b07ee51f5a85d548d3ab31448c19dd1cb78b29a13136d742d02157852
    • Instruction ID: 13e749b6abf0eef0628ef0bc8b3a26bd269e46121d0ce185bf36a113cbade4e3
    • Opcode Fuzzy Hash: 4b4b9d6b07ee51f5a85d548d3ab31448c19dd1cb78b29a13136d742d02157852
    • Instruction Fuzzy Hash: E921A7B19013018FEB90DF6984C17D17BE6BB95325F1882BADC9CDE25AE77600A1CF20
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2d0a2c4510d4ac732b7918629eb1bdaf172a132c42fb108658c0008762c80cdd
    • Instruction ID: feb2b007933dd1f95ebbb006e7fb4df5afd1d0a949f21e2544c97dec5f863d77
    • Opcode Fuzzy Hash: 2d0a2c4510d4ac732b7918629eb1bdaf172a132c42fb108658c0008762c80cdd
    • Instruction Fuzzy Hash: E601B173124711AFDB306E29D840B9273E4FB44376F200A2FE19A86591C77DA886CA58
    APIs
    • __EH_prolog3.LIBCMT ref: 00422B27
      • Part of subcall function 0040EB3C: __EH_prolog3.LIBCMT ref: 0040EB43
      • Part of subcall function 0040EB3C: _memset.LIBCMT ref: 0040ECE7
      • Part of subcall function 0040EB3C: _memset.LIBCMT ref: 0040ECF6
      • Part of subcall function 00407E68: _malloc.LIBCMT ref: 00407E83
    • _memset.LIBCMT ref: 00422B93
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$H_prolog3$_malloc
    • String ID:
    • API String ID: 456537711-0
    • Opcode ID: 026f92e2710b742fc620636b7ded8e0a9026e78a20593191d28397396244b3ca
    • Instruction ID: 307468bc911f3b44270926332a55f05a7718f723e03b2d58234c7c2dd0d638e4
    • Opcode Fuzzy Hash: 026f92e2710b742fc620636b7ded8e0a9026e78a20593191d28397396244b3ca
    • Instruction Fuzzy Hash: 37F0ECB0901B048ED760DF758885796FFF5BB84304F40492EE0AE97341DB766554DB25
    APIs
    • __lock.LIBCMT ref: 0059E58B
      • Part of subcall function 005835ED: __mtinitlocknum.LIBCMT ref: 005835FF
      • Part of subcall function 005835ED: EnterCriticalSection.KERNEL32(00000000,?,0058C1E1,0000000D), ref: 00583618
    • __tzset_nolock.LIBCMT ref: 0059E59E
      • Part of subcall function 0059E7F2: __lock.LIBCMT ref: 0059E817
      • Part of subcall function 0059E7F2: ____lc_codepage_func.LIBCMT ref: 0059E85E
      • Part of subcall function 0059E7F2: __getenv_helper_nolock.LIBCMT ref: 0059E87F
      • Part of subcall function 0059E7F2: _free.LIBCMT ref: 0059E8B2
      • Part of subcall function 0059E7F2: _strlen.LIBCMT ref: 0059E8B9
      • Part of subcall function 0059E7F2: __malloc_crt.LIBCMT ref: 0059E8C0
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
    • String ID:
    • API String ID: 360932542-0
    • Opcode ID: 9d077fb063453753b545266342dab32e558ccc17de5dd2504101c892eb22e497
    • Instruction ID: 46f2cc5d4aa8609585d04fdd1a1dff17598f4a37461cf8c4ae999cd96d8d9d5c
    • Opcode Fuzzy Hash: 9d077fb063453753b545266342dab32e558ccc17de5dd2504101c892eb22e497
    • Instruction Fuzzy Hash: 58E08CB00413059AEF20FBB0D90B32C3A75BF8032FF512284E481251D2ABF802C49A12
    APIs
    • _memmove.LIBCMT ref: 00409807
      • Part of subcall function 0057BF6F: wcstoxl.LIBCMT ref: 0057BF7D
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmovewcstoxl
    • String ID:
    • API String ID: 775103430-0
    • Opcode ID: 6234c0c2c0393c0ce4a9adff5fa441d07a447d4773b94c2b76ae7e1defb3eb95
    • Instruction ID: f014fa2faa516cc2a0fb6f3aff0623c859926caafe352920c76d535e4b95b52c
    • Opcode Fuzzy Hash: 6234c0c2c0393c0ce4a9adff5fa441d07a447d4773b94c2b76ae7e1defb3eb95
    • Instruction Fuzzy Hash: 92414662910300AAEB246F628C85F777BADAF81740F00843FF945A22C3DE78DC448274
    APIs
    • InvalidateRect.USER32(?,00000000,00000000), ref: 0040DFB4
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: InvalidateRect
    • String ID:
    • API String ID: 634782764-0
    • Opcode ID: 38a661a7d0a7318c746d00e00e77214b7f88da12dfca9bb0aeb44ff5796b3136
    • Instruction ID: 106adcb8569007af5e88175d3e69c3768ea8f242ddd2a6651105313cd9a86573
    • Opcode Fuzzy Hash: 38a661a7d0a7318c746d00e00e77214b7f88da12dfca9bb0aeb44ff5796b3136
    • Instruction Fuzzy Hash: 53218470A00259AFC711CFA9C880BEBFBF8AF55304F1448AEE559A7291C3B56D44CB65
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset
    • String ID:
    • API String ID: 2102423945-0
    • Opcode ID: 31a20b6e2ec6289f96c3e4dd1bf24a2eb0dd03b781d752fed10c8001b4bda6bd
    • Instruction ID: 3bee9f40116d14934892be0022e2e0100ea82ec6110e330991dfc54d7c69b1b4
    • Opcode Fuzzy Hash: 31a20b6e2ec6289f96c3e4dd1bf24a2eb0dd03b781d752fed10c8001b4bda6bd
    • Instruction Fuzzy Hash: 5211E1316402069BEB25DE24AC417DB3794AF013A0F10462ABCA5D72E1D728DCA1DB99
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 2953ab2fcffe29a3283e8a87ecbd4a2c3e1a7891fafc729bcf5b6a3a2618e04f
    • Instruction ID: f75522b125c324bfa3606285e71b11a4ccfa82de247967abe70c779e39072514
    • Opcode Fuzzy Hash: 2953ab2fcffe29a3283e8a87ecbd4a2c3e1a7891fafc729bcf5b6a3a2618e04f
    • Instruction Fuzzy Hash: AE113372A0011A9BCF24DF69DC51ABEF7B9AF48704F1041BEB909E7641DA34AE409B94
    APIs
    • IntersectRect.USER32(?,?,?), ref: 0040F7F9
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: IntersectRect
    • String ID:
    • API String ID: 481094312-0
    • Opcode ID: ea52fe3740145b0f7a988a135642bca9cfda991c10c897519c7d68db8b9b2bae
    • Instruction ID: 0c22f3d2d08e87e2419dbb6910b995cd1f03ab92c7d713245e2368057b64cf3e
    • Opcode Fuzzy Hash: ea52fe3740145b0f7a988a135642bca9cfda991c10c897519c7d68db8b9b2bae
    • Instruction Fuzzy Hash: 00018032100704ABCF30AF50C804EEA37A9AF15B54F00843EF956ABA90C736FA19DB94
    APIs
    • CreateWindowExW.USER32(80000000,00000000,?,?,004073B4,00000000,00000000,96C80000,00000000,80000000,80000000,80000000), ref: 004076B3
      • Part of subcall function 004078FD: _memset.LIBCMT ref: 00407910
      • Part of subcall function 004078FD: GetClassInfoExW.USER32(00000000,00000000), ref: 0040792C
      • Part of subcall function 004078FD: GetClassInfoExW.USER32(00000000,00000000), ref: 00407948
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ClassInfo$CreateWindow_memset
    • String ID:
    • API String ID: 834990534-0
    • Opcode ID: 80215818f095a9c6fdfec09192fab91c0abbb444a57ecde99f96d0efec5b4ea7
    • Instruction ID: e324f902571a0a20515dee95980901c54c8fc7b66e43f32d3d6fb54068b95ead
    • Opcode Fuzzy Hash: 80215818f095a9c6fdfec09192fab91c0abbb444a57ecde99f96d0efec5b4ea7
    • Instruction Fuzzy Hash: 6501A231204504AFCF115F58CC04DAE3FAAEF18394700446AFD46A32A1CB3BED21DB9A
    APIs
    • PathFileExistsW.KERNELBASE(?), ref: 004B5752
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ExistsFilePath
    • String ID:
    • API String ID: 1174141254-0
    • Opcode ID: 0f4860c5e53214a1272befc594c83e7b2fb94516175b796142044294a8499647
    • Instruction ID: 90bd39a9b133d727f89efe0c80d8170a6d992c587db648ccc50f9edc63059f98
    • Opcode Fuzzy Hash: 0f4860c5e53214a1272befc594c83e7b2fb94516175b796142044294a8499647
    • Instruction Fuzzy Hash: 20F08CB6904608EFCB00DF55DC85B8ABBACFB09614F40812AFC1982250E739E618CE90
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset
    • String ID:
    • API String ID: 2102423945-0
    • Opcode ID: 9a998adeb936b467a4dce7054e164e75607d2e3ec0a42ab02cc069a3c5ca7f58
    • Instruction ID: 90513b79f6d3fe834106c9dccadf78a14d7b03039946b652c58f1c0836868673
    • Opcode Fuzzy Hash: 9a998adeb936b467a4dce7054e164e75607d2e3ec0a42ab02cc069a3c5ca7f58
    • Instruction Fuzzy Hash: 20E0A0B3B002112BE7185A3C9C06B66B68CE784761F01852BF709D72C0DAA0985042E4
    APIs
    • CoCreateInstance.OLE32(0060DCF8,00000000,00000017,0060DCE8,00000000), ref: 003EF505
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CreateInstance
    • String ID:
    • API String ID: 542301482-0
    • Opcode ID: 0c77b59c89c99f7bc53509cedc6555b31f55647dc871b608be0b8a0c0c9f6046
    • Instruction ID: e767efeb8e6b9d9e9a8a592dbf039d6dbc7a995753f2bcd139c0e4f3394c9a07
    • Opcode Fuzzy Hash: 0c77b59c89c99f7bc53509cedc6555b31f55647dc871b608be0b8a0c0c9f6046
    • Instruction Fuzzy Hash: 75E06D71280310BBD7108B85CC45F82FBA9FF99B21F008526FA08972C0C7B0E850CAA0
    APIs
      • Part of subcall function 00422B20: __EH_prolog3.LIBCMT ref: 00422B27
      • Part of subcall function 00422B20: _memset.LIBCMT ref: 00422B93
    • _memset.LIBCMT ref: 00432BFE
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$H_prolog3
    • String ID:
    • API String ID: 2144794740-0
    • Opcode ID: 4ec0390ff236446fefc42ea0aec8b278c7ba398c953abf75647eafb4a1902f9f
    • Instruction ID: 315d2ca5fa5dc1fb8e191f3a3c07a7bb0b57477d2411b313bd8af24388007bd3
    • Opcode Fuzzy Hash: 4ec0390ff236446fefc42ea0aec8b278c7ba398c953abf75647eafb4a1902f9f
    • Instruction Fuzzy Hash: 8FE092B15017515ED3A0DF7894027C3BFE9BB99314F44096E91DED3601E7726464CB51
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID:
    • API String ID: 4104443479-0
    • Opcode ID: fdc144b75a3fd2b56f851f100e5a0ce68cca1d02e20fbd1a147e9e2a18dee86c
    • Instruction ID: 26c18674b5f5c875dbc8c4b30bb2ecbee0c65c4417517dfe24e95954b044f22a
    • Opcode Fuzzy Hash: fdc144b75a3fd2b56f851f100e5a0ce68cca1d02e20fbd1a147e9e2a18dee86c
    • Instruction Fuzzy Hash: 6ED05EA094420C76DA04FF91BD0BE5A7EACD710704F4001A8B90892242E6A26E0094A5
    APIs
    • CallWindowProcW.USER32(?,?,?,?,?), ref: 004077CA
    Similarity
    • API ID: CallProcWindow
    • String ID:
    • API String ID: 2714655100-0
    • Opcode ID: 3c7eed99aeae186f5f8fc9362a2bbd4d123d4dd7816c1ab5b53b8e67b661748f
    • Instruction ID: bdbde2fc5b8084a756f759bdac1becc240d1eb53b4efe49ba22294024493d774
    • Opcode Fuzzy Hash: 3c7eed99aeae186f5f8fc9362a2bbd4d123d4dd7816c1ab5b53b8e67b661748f
    • Instruction Fuzzy Hash: ACC0EA36000508FB8F025F91DD44C99BF3AEB19254B148059FA1808022C7339572EB91
    APIs
    Similarity
    • API ID: __wfsopen
    • String ID:
    • API String ID: 197181222-0
    • Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
    • Instruction ID: 708900cb5e712d253de6a2d170a81d4ce94eefa7ff64960d71a4d3b94d24f612
    • Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
    • Instruction Fuzzy Hash: 53B092B244020D77CE012A82EC02A993F1AAB80660F048020FB1C2C2A1A673A661A6A9
    APIs
    • _free.LIBCMT ref: 00420623
      • Part of subcall function 00579A30: RtlFreeHeap.NTDLL(00000000,00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A44
      • Part of subcall function 00579A30: GetLastError.KERNEL32(00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A56
    Similarity
    • API ID: ErrorFreeHeapLast_free
    • String ID:
    • API String ID: 1353095263-0
    • Opcode ID: f0e14b59bcee2c33e62aa0089212377f65b6c9d0b6e997bba375b7514f6c954b
    • Instruction ID: 5e1492ae0eca1ecd70889849ffec821bfb63d8f16929f0a9b1ebb61b61f4fcd3
    • Opcode Fuzzy Hash: f0e14b59bcee2c33e62aa0089212377f65b6c9d0b6e997bba375b7514f6c954b
    • Instruction Fuzzy Hash: FDA0223200C32C3B8F003A82FC038083FACEA80230F20C032F80C088222E33B820A0AC
    APIs
    • InternetCloseHandle.WININET(0000000F), ref: 003E5131
    • InternetCloseHandle.WININET(00000000), ref: 003E5142
    • InternetCloseHandle.WININET(?), ref: 003E5153
    • InternetOpenW.WININET(Http-connect,00000000,00000000,00000000,00000000), ref: 003E5169
    • __CxxThrowException@8.LIBCMT ref: 003E518C
    • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 003E522A
    • __CxxThrowException@8.LIBCMT ref: 003E524F
    • HttpOpenRequestA.WININET(00000000,GET,?), ref: 003E529C
    • HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 003E5332
    • HttpSendRequestA.WININET(?,?,?,?,?), ref: 003E534B
    • __CxxThrowException@8.LIBCMT ref: 003E536B
    • __CxxThrowException@8.LIBCMT ref: 003E5397
    • _memset.LIBCMT ref: 003E53B1
    • InternetReadFile.WININET(?,?,00001000,00001000), ref: 003E53E6
    • __CxxThrowException@8.LIBCMT ref: 003E52BF
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    • __CxxThrowException@8.LIBCMT ref: 003E5454
    • GetLastError.KERNEL32(?,?,?,0063A544), ref: 003E5459
    Strings
    Similarity
    • API ID: Exception@8InternetThrow$CloseHandleHttpRequest$Open$ConnectErrorExceptionFileHeadersLastRaiseReadSend_memset
    • String ID: GET$HTTP/1.1$Http-connect$P$POST
    • API String ID: 481937817-1777155406
    • Opcode ID: 1f1135d0655bcf9fc42f22431675d40cb94939df97fcaf3d5b9b49a0106d41bc
    • Instruction ID: 438bb4617b82b1fe0f4cc4744009be8a07c227a65fc62bec7807cba87f7e5181
    • Opcode Fuzzy Hash: 1f1135d0655bcf9fc42f22431675d40cb94939df97fcaf3d5b9b49a0106d41bc
    • Instruction Fuzzy Hash: 4EB17F70A047989BEB31CF65DC54BDAB7B8AF14344F004599E589A72C1D7F4AEC88F60
    APIs
    • GetModuleHandleW.KERNEL32(msimg32.dll,AlphaBlend,?,?), ref: 0041463F
    • GetProcAddress.KERNEL32(00000000), ref: 00414642
    • GetModuleHandleW.KERNEL32(msimg32.dll,GradientFill,?,?), ref: 0041467B
    • GetProcAddress.KERNEL32(00000000), ref: 0041467E
    • CreateCompatibleDC.GDI32(?), ref: 004146EA
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004146FC
    • SelectObject.GDI32(00000000,00000000), ref: 00414709
    • SelectObject.GDI32(?,00000000), ref: 004149B7
    • DeleteObject.GDI32(00000000), ref: 004149C0
    • DeleteDC.GDI32(?), ref: 004149C7
    Strings
    Similarity
    • API ID: Object$AddressCompatibleCreateDeleteHandleModuleProcSelect$Bitmap
    • String ID: AlphaBlend$GradientFill$msimg32.dll
    • API String ID: 202487901-216815851
    • Opcode ID: 83e3de4b5fe1db5662604b49a633a105c250c32fb503b82771394a08af421e18
    • Instruction ID: 77483659a5faa44a409fdb691ad0bd4684ae9108edbec6d8de3832686494e8be
    • Opcode Fuzzy Hash: 83e3de4b5fe1db5662604b49a633a105c250c32fb503b82771394a08af421e18
    • Instruction Fuzzy Hash: 3ED13775E102199FCB04CFA8D984AEEBBF6FF89311F10811AE815FB290D7749945CB94
    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00000000), ref: 004A9888
    • SetFilePointerEx.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000001,00000000,00000000), ref: 004A98DC
    • GetLastError.KERNEL32 ref: 004A9911
    • SetFilePointerEx.KERNEL32(FFFFFFFF,00000001,00000002,00000000,00000000,00000000,00000000), ref: 004A9974
    • GetLastError.KERNEL32 ref: 004A9981
    • ReadFile.KERNEL32(FFFFFFFF,000000FF,?,00000002,00000000), ref: 004A99D4
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004A9AFA
    • ReadFileScatter.KERNEL32(00000002,?,?,00000000,00000000), ref: 004A9B1C
    • GetLastError.KERNEL32 ref: 004A9B30
    • GetLastError.KERNEL32 ref: 004A9B68
    • CloseHandle.KERNEL32(?), ref: 004A9B96
    Strings
    Similarity
    • API ID: ErrorFileLast$PointerRead$CloseCreateEventHandleInfoScatterSystem
    • String ID: D,]
    • API String ID: 3502140410-2755246825
    • Opcode ID: c251d65a1203dabac0a0b367612860390b36e2fcebdf54eab0cb19cc7738400d
    • Instruction ID: 718f7282c8672c41fb5e2ff78aeb5a7c109e69fa6beaf0ce3fd8d3f105588434
    • Opcode Fuzzy Hash: c251d65a1203dabac0a0b367612860390b36e2fcebdf54eab0cb19cc7738400d
    • Instruction Fuzzy Hash: 3BC138B4D002099FCB10DFA8D884B9EBBF5FF59320F14452AE815A7361DB75A941CFA4
    APIs
    Strings
    Similarity
    • API ID: _free_malloc
    • String ID: 0 width$bad H$bad SOF len$bad TQ$bad V$bad component ID$bad component count$no header height$only 8-bit$outofmem$too large
    • API String ID: 845055658-1458373056
    • Opcode ID: baa88ba0e8a33410592d1226dbe8138b9c88a049df5a6e1b39d4f2aa7496f36b
    • Instruction ID: 851055de183bf5d92507e2a5d91fa0385d4a31092948fc7999e49b7197b9cb73
    • Opcode Fuzzy Hash: baa88ba0e8a33410592d1226dbe8138b9c88a049df5a6e1b39d4f2aa7496f36b
    • Instruction Fuzzy Hash: 5CC1B671B00622EFCB08CF66E4817A5BBA1FF46301FA4826FD459DB241D778E851CB99
    APIs
    • CreateFileW.KERNEL32(003FD42F,80000000,00000001,00000000,00000003,08000000,00000000), ref: 003FECBD
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 003FED0A
    • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?), ref: 003FED38
    • ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 003FED6C
    • CryptHashData.ADVAPI32(00000000,?,00000000,00000000), ref: 003FED8C
    • ReadFile.KERNEL32(00000000,?,00001000,00000000,00000000), ref: 003FEDB0
    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 003FEDD5
    • _Smanip.LIBCPMT ref: 003FEE2B
    • CryptDestroyHash.ADVAPI32(00000000,00000002,00000001), ref: 003FEE6E
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 003FEE7C
    • CloseHandle.KERNEL32(00000000), ref: 003FEE83
    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 003FEEB8
    • CryptDestroyHash.ADVAPI32(00000000), ref: 003FEEE4
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 003FEEF2
    • CloseHandle.KERNEL32(00000000), ref: 003FEEF9
    Similarity
    • API ID: Crypt$Hash$ContextFile$CloseCreateDestroyHandleReadRelease$AcquireDataIos_base_dtorParamSmanipstd::ios_base::_
    • String ID:
    • API String ID: 312563479-0
    • Opcode ID: 3a72997e07c9118c380007e8fb37aa6d33eb0854ae091427b4b1cd914186db2b
    • Instruction ID: b646962806794b8c47204fe6d49f46264897a0d93b45b989b39d38915a6b20fb
    • Opcode Fuzzy Hash: 3a72997e07c9118c380007e8fb37aa6d33eb0854ae091427b4b1cd914186db2b
    • Instruction Fuzzy Hash: AA71A475A00298EFEB21DF50DD49FE977B8FB08700F104099F649A61D0DBB4AA84DF24
    APIs
      • Part of subcall function 003FBA50: _free.LIBCMT ref: 003FBB17
    • _memset.LIBCMT ref: 003FD25E
    • swprintf.LIBCMT ref: 003FD282
    • CharLowerA.USER32(00000000,?,?,00000000,00000001,?,?,?,?), ref: 003FD55D
    • CharLowerA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003FD56D
    • DeleteFileW.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003FD66B
      • Part of subcall function 00445D20: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,00000000,?,003FD70F,?,00000000), ref: 00445D5C
      • Part of subcall function 00445D20: WinHttpReadData.WINHTTP(?,?,00001000,?), ref: 00445D8D
      • Part of subcall function 00445D20: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00445DC6
      • Part of subcall function 00445D20: WinHttpReadData.WINHTTP(?,?,00001000,00000000), ref: 00445DE6
      • Part of subcall function 00445D20: CloseHandle.KERNEL32(00000000), ref: 00445DF5
    Strings
    Similarity
    • API ID: File$CharDataHttpLowerRead$CloseCreateDeleteHandleWrite_free_memsetswprintf
    • String ID: CDuiFrameWnd::OnClickInstall::<lambda_ab5c8509296b880e48c98e9cd081d606>::operator ()$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$download image failed, url[%s], filePath[%s].$get image finished.$get image start.$language\$pr_%d.png
    • API String ID: 60353467-773636155
    • Opcode ID: a8375752982de4aad8803bfeb5803e19ca62f4905e082f87ec2439b15a086a37
    • Instruction ID: c224d1c0b4eaa82a301b06ce47fa7c12ebea5a98b0137e7d7fc7003545333154
    • Opcode Fuzzy Hash: a8375752982de4aad8803bfeb5803e19ca62f4905e082f87ec2439b15a086a37
    • Instruction Fuzzy Hash: 0932A7B080526D8BDF26EF28CC4DBAEBBB5AB11304F1441E9E50967282DB755F88CF51
    Strings
    Similarity
    • API ID:
    • String ID: BMP RLE$bad BMP$monochrome$not BMP$outofmem$unknown BMP
    • API String ID: 0-3034250254
    • Opcode ID: be1f5aeb25c11c80f1a7b683ec271b7d7ff34e06c63d9d72385b660be34167bd
    • Instruction ID: 1f82f37284031128c2746d6d4ae609012a016c037d044d295a3f2bb27fef78d5
    • Opcode Fuzzy Hash: be1f5aeb25c11c80f1a7b683ec271b7d7ff34e06c63d9d72385b660be34167bd
    • Instruction Fuzzy Hash: DA7282B0B05624DFCB25DF29E88079EB7F0AF45304FA484AED68993241DA385985CF5E
    APIs
    • GetWindowRect.USER32(?,00000000), ref: 0040751C
    • GetParent.USER32(?), ref: 00407536
    • GetWindow.USER32(?,00000004), ref: 00407541
    • MonitorFromWindow.USER32(00000000,00000002), ref: 00407566
    • GetMonitorInfoW.USER32(00000000), ref: 0040756D
    • IsIconic.USER32(00000000), ref: 00407582
    • GetWindowRect.USER32(00000000,80000000), ref: 00407591
    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,?,?), ref: 00407619
    Strings
    Similarity
    • API ID: Window$MonitorRect$FromIconicInfoParent
    • String ID: (
    • API String ID: 1680950861-3887548279
    • Opcode ID: 72d00736805effc3b8e23214ab77fde1e0eed139212476618ff008da68ec068c
    • Instruction ID: a13db907e3f265c7b717bbe59615999e4043edd5f8f766deae59ca2727e9217a
    • Opcode Fuzzy Hash: 72d00736805effc3b8e23214ab77fde1e0eed139212476618ff008da68ec068c
    • Instruction Fuzzy Hash: 17416F32E006199FCF14CFA8CD889AEBBB6BF48305F154229E901BB295D775BD098B50
    APIs
    • _memset.LIBCMT ref: 003EDADC
    • lstrcpyW.KERNEL32(?,?), ref: 003EDAF7
    • _memset.LIBCMT ref: 003EDB0B
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003EDB21
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 003EDB35
    • lstrcmpW.KERNEL32(?,?), ref: 003EDB5E
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 003EDB6C
    • CloseHandle.KERNEL32(00000000), ref: 003EDB76
    • CloseHandle.KERNEL32(00000000), ref: 003EDBAB
    • _wprintf.LIBCMT ref: 003EDBBD
    Similarity
    • API ID: CloseHandleProcess32_memset$CreateFirstNextSnapshotToolhelp32_wprintflstrcmplstrcpy
    • String ID:
    • API String ID: 722654583-0
    • Opcode ID: 63a653b375d48941523bf367d8d5ff77bb7b66479a2732a97eb2dbef67a915fb
    • Instruction ID: 195135e339092bb0da422997abe4b4a52d87e3b2d8ca81fb32351b57684937ef
    • Opcode Fuzzy Hash: 63a653b375d48941523bf367d8d5ff77bb7b66479a2732a97eb2dbef67a915fb
    • Instruction Fuzzy Hash: BC317F7190026AABDB11DF65DC49FDA77ACFF49310F0142A5F908D7181EB309A448BA1
    Strings
    Similarity
    • API ID: _memmove
    • String ID: H$client_id$event_category$event_label$events$invalid vector<T> subscript$name$params$uid$user_properties$value
    • API String ID: 4104443479-2012674547
    • Opcode ID: 2d14ae5399d1e28599bda71ed0a4071396f3a5847dac0a7fb7491120fac35424
    • Instruction ID: 64fc0d88b82b63f9baa593a5b8bab1c7ea9ee2c38c67edd012f166593d26777e
    • Opcode Fuzzy Hash: 2d14ae5399d1e28599bda71ed0a4071396f3a5847dac0a7fb7491120fac35424
    • Instruction Fuzzy Hash: D032AD71D00249DBDF14DFA8C844BEEBBB5BF59304F14416AE845BB381EB74AA85CB90
    APIs
    • CharNextW.USER32(?,004208D9,004208DB,004208DB,?,?,?,?,004210B5,004208DB,00000000), ref: 00420FFE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CharNext
    • String ID: Error parsing element name$Expected end-tag start$Expected start tag$Expected start-tag closing$Unmatched closing tag
    • API String ID: 3213498283-2540963027
    • Opcode ID: 1a635faf36a46b50e2f27876ea2173fcc5700a89fd7f294a486f03a647850acb
    • Instruction ID: e2bb748090c0f60ffe01270105f7445b80c28d525b604d8d831f0f1052761740
    • Opcode Fuzzy Hash: 1a635faf36a46b50e2f27876ea2173fcc5700a89fd7f294a486f03a647850acb
    • Instruction Fuzzy Hash: 7681B370700220DFDB24DF68E44197AB3F5EF69304B90846FF481DB6A1E6B59D81CB59
    APIs
    • _wcscmp.LIBCMT ref: 005A69EA
    • _wcscmp.LIBCMT ref: 005A69FB
    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,005A6C99,?,00000000), ref: 005A6A17
    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,005A6C99,?,00000000), ref: 005A6A41
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: InfoLocale_wcscmp
    • String ID: ACP$OCP
    • API String ID: 1351282208-711371036
    • Opcode ID: addb8ec2d310819e430fc9e8e22a26a3a2be94a76d40e28103a4b164158fd100
    • Instruction ID: 36f98c928f25ef8d7cc034f0c78b58ff4a9bd06062d68ca258be6d5d23b705a7
    • Opcode Fuzzy Hash: addb8ec2d310819e430fc9e8e22a26a3a2be94a76d40e28103a4b164158fd100
    • Instruction Fuzzy Hash: DC018036251515EADB109F68EC49FDE3FD8FB16761F08C015F509EA091E730DA809784
    APIs
    • GetKeyState.USER32(00000011), ref: 0040A7C1
    • GetKeyState.USER32(00000002), ref: 0040A7CE
    • GetKeyState.USER32(00000001), ref: 0040A7DA
    • GetKeyState.USER32(00000010), ref: 0040A7E6
    • GetKeyState.USER32(00000012), ref: 0040A7F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: State
    • String ID: J@
    • API String ID: 1649606143-3016281811
    • Opcode ID: a5eb82d4dd367533e9519e8672b6fcb0ea196081f3269a527e2bcc154f5c0483
    • Instruction ID: 8fd499f0a108420cbe1b8f27218f10314ba46f713a093c8d73c5c5f948667432
    • Opcode Fuzzy Hash: a5eb82d4dd367533e9519e8672b6fcb0ea196081f3269a527e2bcc154f5c0483
    • Instruction Fuzzy Hash: 07E06D3BB4037A14ED2032D95C01FA589244FA0BE0F834172ED44BB0C409D5999324B2
    APIs
    • GetProcessHeap.KERNEL32 ref: 003FE3E1
    • HeapAlloc.KERNEL32(00000000,00000000), ref: 003FE3F5
    • _memmove.LIBCMT ref: 003FE410
    • GetFileAttributesW.KERNEL32(00000000), ref: 003FE427
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 003FE435
    • GetLastError.KERNEL32 ref: 003FE455
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Heap$AllocAttributesErrorFileFreeLastProcess_memmove
    • String ID:
    • API String ID: 172174232-0
    • Opcode ID: 91ef135a980c27bec1e52d63a50e76ab05081c9fd67a1dd04b2f9ee2f4ecb9a7
    • Instruction ID: eff34cc738d35abf241ca1bc6b682681111836c887b2e833d029d0bae9af7060
    • Opcode Fuzzy Hash: 91ef135a980c27bec1e52d63a50e76ab05081c9fd67a1dd04b2f9ee2f4ecb9a7
    • Instruction Fuzzy Hash: 53110A3A500604AFCB209F98EC88BBA77A8EF48315F41455AFD198B250E7729D45D7D0
    APIs
    • CloseHandle.KERNEL32(?,9C3DCF4C,00000000), ref: 004A4787
    • CreateFileW.KERNEL32(0000000100000003,-005D3FE0,?,00000000,?,?,00000000,9C3DCF4C,00000000), ref: 004A4809
    • GetLastError.KERNEL32 ref: 004A4845
    • DeviceIoControl.KERNEL32(00000000,000900C4,00000000,00000000,00000000,00000000,?,00000000), ref: 004A4896
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CloseControlCreateDeviceErrorFileHandleLast
    • String ID: D,]
    • API String ID: 4026078076-2755246825
    • Opcode ID: 7a3c8d429f0d629dc2260951b6ca730bc6e567dad4d3e6df66c9095d041b4bfa
    • Instruction ID: 42dc9ff93682ca1072074c60b6c738a3db5a7697bfcce42d57232b5a30c0323e
    • Opcode Fuzzy Hash: 7a3c8d429f0d629dc2260951b6ca730bc6e567dad4d3e6df66c9095d041b4bfa
    • Instruction Fuzzy Hash: 3141F275A00200EFC710CF58EC84B4ABBF5FBAA324F10466EE915DB3A2D775A845CB14
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID:
    • String ID: Auth$Genu$cAMD$enti$ineI$ntel
    • API String ID: 0-1714976780
    • Opcode ID: c77623a033a8abfacda9f66ad4af76de5be2dd884c722bfa4f30fc1e450f6a10
    • Instruction ID: b1fc91afe4dfeae29b50d58fb54b2db3c88d371d32f1f0e16cc6b6b405ed807c
    • Opcode Fuzzy Hash: c77623a033a8abfacda9f66ad4af76de5be2dd884c722bfa4f30fc1e450f6a10
    • Instruction Fuzzy Hash: 68314E77B245560BEB3A9879984576D31839352330F2ECB3DD676D36C2D46DCD806390
    APIs
    • IsIconic.USER32(00000000), ref: 00411C09
    • GetWindowRect.USER32(00000000,?), ref: 00411C32
    • CreateRoundRectRgn.GDI32(?,?,?,?,?,?), ref: 00411C68
    • SetWindowRgn.USER32(00000000,00000000,00000001), ref: 00411C7B
    • DeleteObject.GDI32(00000000), ref: 00411C82
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: RectWindow$CreateDeleteIconicObjectRound
    • String ID:
    • API String ID: 2123885154-0
    • Opcode ID: ab9579096971c1c335157d5b81fff64e5e1cf7010394e31aef92c4dbf3d93438
    • Instruction ID: 60733228f9c7f015f1cebac150f14cf86b07dfebb72aee593b7aa581de3d4b42
    • Opcode Fuzzy Hash: ab9579096971c1c335157d5b81fff64e5e1cf7010394e31aef92c4dbf3d93438
    • Instruction Fuzzy Hash: 5D213075A0020AAFCF00EFA5DD89DBFB7B9EF95301B10416AF402E3291EA345E049B65
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: __aulldiv$__aulldvrm
    • String ID: d
    • API String ID: 4119620657-2564639436
    • Opcode ID: 5c65d2c49fbaf478d8aec7408c3a680dc4b48b3faff98182ddfd2de8567f7525
    • Instruction ID: 347c5d467d1fa94d9a05726adc3cffaee59daa7609f5dbeeb9b404cbfa78ecd1
    • Opcode Fuzzy Hash: 5c65d2c49fbaf478d8aec7408c3a680dc4b48b3faff98182ddfd2de8567f7525
    • Instruction Fuzzy Hash: 3E022C249083C94FC70A9F2D9450678FFB5AF6E200B1981EBD9EB8F762C534DA54DB50
    APIs
      • Part of subcall function 00562763: std::regex_error::regex_error.LIBCPMT ref: 0056276F
      • Part of subcall function 00562763: __CxxThrowException@8.LIBCMT ref: 0056277D
    • ___from_strstr_to_strchr.LIBCMT ref: 003F7A2A
    • ___from_strstr_to_strchr.LIBCMT ref: 003F7A4E
      • Part of subcall function 003F18F0: _memmove.LIBCMT ref: 003F1935
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr$Exception@8Throw_memmovestd::regex_error::regex_error
    • String ID: B$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
    • API String ID: 2120282176-796622603
    • Opcode ID: 66411b523da157d02b4a5f850afae39b88c965c0bdfc782fe23bfff1862137bc
    • Instruction ID: 8712c7ec8fe056579961ffd9977b93e3334d7475f86338cbf3664847d54de86b
    • Opcode Fuzzy Hash: 66411b523da157d02b4a5f850afae39b88c965c0bdfc782fe23bfff1862137bc
    • Instruction Fuzzy Hash: AFE1BB7160860AEFDB16CF28C881BBABBB6FF09300F154159EA118B741D774ED61DBA0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset
    • String ID: bad codelengths
    • API String ID: 2102423945-697342978
    • Opcode ID: ffe5e77bba7779165362c19a36be5e33061ba999ad0cb2e52e35a1732b26d4b0
    • Instruction ID: 7bcdf678c836084383e0a29895030f88ef12183df5a86582a203ca8505002c9a
    • Opcode Fuzzy Hash: ffe5e77bba7779165362c19a36be5e33061ba999ad0cb2e52e35a1732b26d4b0
    • Instruction Fuzzy Hash: 77714B72E0162AABD710CE26EC809ADF7E4FB14324F54836FE818C2681DB38D955CBD5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID: 8!A
    • API String ID: 4104443479-1484589535
    • Opcode ID: 4ec6ec4f48173ad0d2ed2c183ddfeac857575ee6dff465804300bcb624ae026d
    • Instruction ID: c271874b02ea332d4d41e14d65b9edaae27cfdf3a7b2c3e687599b0347b8693a
    • Opcode Fuzzy Hash: 4ec6ec4f48173ad0d2ed2c183ddfeac857575ee6dff465804300bcb624ae026d
    • Instruction Fuzzy Hash: 3C522DB5A0060AEFDB04CF69C990AADBBB1FF58310F54816AE819D7741D734EA90CF94
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID:
    • String ID: vector<T> too long
    • API String ID: 0-3788999226
    • Opcode ID: c437ab1df5615da149d104632983e6a38d07a1e0c4240c32c0c8dd7e9afb3430
    • Instruction ID: b05d6be77dc0aeaac0d451bde3f01ac73e6bf0f1bd476d31ce8be6832329c2b6
    • Opcode Fuzzy Hash: c437ab1df5615da149d104632983e6a38d07a1e0c4240c32c0c8dd7e9afb3430
    • Instruction Fuzzy Hash: 1DC14633B005292F8B04CE6DDE84569BF9AEBC9770728C23BEA05CB745D671E80687D4
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0058E949,?,?,?,00000001), ref: 00585185
    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0058518E
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 22c825b40a0ffff6ff840b8669b77c962a6d992822cfaed10c5ecd8eab507ec3
    • Instruction ID: a8e0a2ccfd13a3ff271ff1e43cf541e00eb8793ea4785db93a733d3943771f8c
    • Opcode Fuzzy Hash: 22c825b40a0ffff6ff840b8669b77c962a6d992822cfaed10c5ecd8eab507ec3
    • Instruction Fuzzy Hash: 68B09235044608AFCB012B91EC09F587F28EB94752F000010F60E44060CBA25614AA95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID:
    • String ID: bad file$bad format
    • API String ID: 0-3769057332
    • Opcode ID: ea0fb6e9ff955366083586df77a494089961406e605768793eccbe495907eb5a
    • Instruction ID: 3208015f9c2b3e328b469058dd6ed3f19e6387b51cbe216aeb1949aa6a5a4d18
    • Opcode Fuzzy Hash: ea0fb6e9ff955366083586df77a494089961406e605768793eccbe495907eb5a
    • Instruction Fuzzy Hash: 8EE19130B00624DFCB24CFAAE480BEEB7F5BF49315F54452AE49AD7240D738A885CB59
    Strings
    Similarity
    • API ID:
    • String ID: gfff
    • API String ID: 0-1553575800
    • Opcode ID: 3097277f124d4fdd512b5b5a72cafa2fa2bad6c79d603f556a5a027f6eb32586
    • Instruction ID: 0d5e885eebac104594e8f6b167a0289c0085f7029a2325bd3c81951ad32a7045
    • Opcode Fuzzy Hash: 3097277f124d4fdd512b5b5a72cafa2fa2bad6c79d603f556a5a027f6eb32586
    • Instruction Fuzzy Hash: 3112BBB8C00A4D8EDB26CF68C4547FDFBB6AFA9300F24815AD645AB351C7349983CB91
    Strings
    Similarity
    • API ID:
    • String ID: A
    • API String ID: 0-2078354741
    • Opcode ID: efeace194f3316b2042ba047b88e0b2caa3ffaaa13dba250a1431e03c4507c2c
    • Instruction ID: f2d41ad4b212fa92bac82ee49b3998d437b1be69881d043b6542c6b18fe15f1f
    • Opcode Fuzzy Hash: efeace194f3316b2042ba047b88e0b2caa3ffaaa13dba250a1431e03c4507c2c
    • Instruction Fuzzy Hash: 1902B1B1E1022A8FDB64CF68C980BDDB7B5BB58300F1086EAD55DE7340D674AE858F54
    APIs
    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003EE163
    Similarity
    • API ID: DiskFreeSpace
    • String ID:
    • API String ID: 1705453755-0
    • Opcode ID: 8dff0d3fbc1582a1ce84dbce3494c5d8bd60a4ab9c59a5594fd83e1d6db10dea
    • Instruction ID: 41e4d14b44fa80289b3e9b2c7222b5613a90207db0427ec3b2de6eccd0c9ba5a
    • Opcode Fuzzy Hash: 8dff0d3fbc1582a1ce84dbce3494c5d8bd60a4ab9c59a5594fd83e1d6db10dea
    • Instruction Fuzzy Hash: 8BF0877291010DABCF04CE99DC558EE7BA8AB14300F44026DE84693240E635EA99DBA0
    APIs
    • EnumSystemLocalesW.KERNEL32(0058B01F,00000001,?,005A5EAE,005A5F4C,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0058B061
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: 04b053a44ddebfefc8934140c43a0522233b84bf647949f35d377324f541ad75
    • Instruction ID: 235700f76b08e5faef47510bf9643b4041208d60ee3151b2893bd0f28b11cb4c
    • Opcode Fuzzy Hash: 04b053a44ddebfefc8934140c43a0522233b84bf647949f35d377324f541ad75
    • Instruction Fuzzy Hash: 8FE0B636150308EBDB11EF94EC89B593BAAFB04B29F105054FA185A5A0C772A6E4AB44
    APIs
    • IsIconic.USER32(00000000), ref: 00411982
    Similarity
    • API ID: Iconic
    • String ID:
    • API String ID: 110040809-0
    • Opcode ID: 7bf44454fdb85f857c117cfa11f233b0c6b9237e386192639b65d894128b1b34
    • Instruction ID: f8640be98c45b2dfe736993c310062f1af62a456bfa3bb6e924ea8cbc712866e
    • Opcode Fuzzy Hash: 7bf44454fdb85f857c117cfa11f233b0c6b9237e386192639b65d894128b1b34
    • Instruction Fuzzy Hash: C1D0123111031C8FCF01AF71994AB5B33DC6B00752F00C826B445CB191EF78E960DA64
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6a1481046d01beb4afd158eeb2c7243a596ed67bb4e0c897c666c73cb23a9deb
    • Instruction ID: bcd18091999bcb9bb841c16b14dfbe7317d61c68fc9e05fec8ec8abb3e869356
    • Opcode Fuzzy Hash: 6a1481046d01beb4afd158eeb2c7243a596ed67bb4e0c897c666c73cb23a9deb
    • Instruction Fuzzy Hash: 3B914B75A0010AAFDF09DF59C8916BDBBB6EF88310F14C129EA1A9B351E734DA51CF90
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aad97aab9db3c80ed3359fce44d16e0560b09498a0302a72eb57ed7519753bd3
    • Instruction ID: dc987f2b86926ba57921e10bc6ec74aa4af70aac6e54fc1f2aa5b69870fe9708
    • Opcode Fuzzy Hash: aad97aab9db3c80ed3359fce44d16e0560b09498a0302a72eb57ed7519753bd3
    • Instruction Fuzzy Hash: E6517432E0051D9BCB19CFACC8904BEB7B5EF94350B568369E915DB784CA71AE10C790
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 23031752128c5b082d5c963c40896db4d5544d272e58097137ff42c6a7595495
    • Instruction ID: 8e278dad0b70ef82c262af7e884440a6a9df446e48e3ec92d6794d97bae2826d
    • Opcode Fuzzy Hash: 23031752128c5b082d5c963c40896db4d5544d272e58097137ff42c6a7595495
    • Instruction Fuzzy Hash: 0821B8736288D10F9B1CCF29DCA3532F752FB5520270E427ED957C5482C92DE769D6A0
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
    • Instruction ID: 4ab651b68932f49c76ccf0136c074d63d8ef688069a71be3296f16c3ce3aa04a
    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
    • Instruction Fuzzy Hash: 86112BB7248092C3D6048A2EF4F86B6EF95FBC533072CC37AD05D4B758D222A945B620
    APIs
    Strings
    Similarity
    • API ID: _wcscmp
    • String ID: $align$autohscroll$autovscroll$center$false$font$hscrollbar$left$multiline$password$readonly$rich$right$textcolor$textpadding$transparent$true$vscrollbar$wantctrlreturn$wantreturn$wanttab
    • API String ID: 856254489-1406728206
    • Opcode ID: dd098bf4c096e0f921697f6ff4549d30d3342664918bb1f823eaef8a8dee070d
    • Instruction ID: ac5d916e129c7062f63b80ceb8db06e9cfab9e25235229e6a75caffdc520c95f
    • Opcode Fuzzy Hash: dd098bf4c096e0f921697f6ff4549d30d3342664918bb1f823eaef8a8dee070d
    • Instruction Fuzzy Hash: 6AA10D3164830769F7187965AC8BFFB1BDCEFE1B78B10412FF804A51C2EF289981559A
    APIs
    Strings
    Similarity
    • API ID: _wcscmp$wcstoxl
    • String ID: bottom$center$childalign$childpadding$childvalign$hscrollbar$hscrollbarstyle$inset$left$mousechild$right$top$true$vcenter$vscrollbar$vscrollbarstyle
    • API String ID: 534013132-3258161461
    • Opcode ID: ac667017ebf657d9353f5d825f8e2ea06e7c1f5ec5645277d6f9e4d6c5c74ca4
    • Instruction ID: 2a4c032712280a8061473455c55adf737914dfa4a80bdf763618b7bcf74cc1c0
    • Opcode Fuzzy Hash: ac667017ebf657d9353f5d825f8e2ea06e7c1f5ec5645277d6f9e4d6c5c74ca4
    • Instruction Fuzzy Hash: B481E531704216AFEB085E64FC8AFAA3FE8EF85325F50817EF819DA1C1DB34E9059654
    APIs
    • InternetCloseHandle.WININET(?), ref: 003E5977
    • InternetCloseHandle.WININET(?), ref: 003E5988
    • InternetCloseHandle.WININET(?), ref: 003E5999
    • InternetOpenW.WININET(Http-connect,00000000,00000000,00000000,00000000), ref: 003E59AF
    • __CxxThrowException@8.LIBCMT ref: 003E59D2
    • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 003E5A6E
    • __CxxThrowException@8.LIBCMT ref: 003E5A93
    • HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,00000000,00000000,80000000,00000000), ref: 003E5AD0
    • HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 003E5B2E
    • HttpSendRequestW.WININET(?,00000000,00000000,00000000,00000000), ref: 003E5B3F
    • __CxxThrowException@8.LIBCMT ref: 003E5B5F
    • _memset.LIBCMT ref: 003E5B79
    • __CxxThrowException@8.LIBCMT ref: 003E5BB2
    • HttpQueryInfoA.WININET(?,00000005,00000000,00000400,00000000), ref: 003E5BCC
    • __CxxThrowException@8.LIBCMT ref: 003E5BEC
    • _malloc.LIBCMT ref: 003E5C45
    • GetFileAttributesW.KERNEL32(?,?,00000000,00000000,?), ref: 003E5CB2
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 003E5CD4
    • __wfopen_s.LIBCMT ref: 003E5D09
    • __CxxThrowException@8.LIBCMT ref: 003E5D30
      • Part of subcall function 0057DC78: ___report_securityfailure.LIBCMT ref: 0057DC7D
    • InternetReadFile.WININET(?,00000000,00000050,00000400), ref: 003E5D52
    • __CxxThrowException@8.LIBCMT ref: 003E5D9A
    • __CxxThrowException@8.LIBCMT ref: 003E5E36
    • __CxxThrowException@8.LIBCMT ref: 003E5AF3
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    • __CxxThrowException@8.LIBCMT ref: 003E5EA9
    • _free.LIBCMT ref: 003E5EF4
    Strings
    Similarity
    • API ID: Exception@8Throw$Internet$Http$CloseHandleRequest$FileOpen$AttributesConnectCreateDirectoryExceptionHeadersInfoQueryRaiseReadSend___report_securityfailure__wfopen_s_free_malloc_memset
    • String ID: GET$HTTP/1.1$Http-connect$P$wb+
    • API String ID: 1057819454-2808296293
    • Opcode ID: 1ab10461874746d0697a5f23d3e01746300ad9339fc9f59b8ed46c25415ea0aa
    • Instruction ID: 7fc0a27dd733873f44c117a80472ed7e5c0d0e2d2d67a446564679170af1b09e
    • Opcode Fuzzy Hash: 1ab10461874746d0697a5f23d3e01746300ad9339fc9f59b8ed46c25415ea0aa
    • Instruction Fuzzy Hash: 84F1C2B09007699FDB31DF25CC45BDAB7B8BF54304F0046E9E649A7180DB709A88CF55
    APIs
    Strings
    Similarity
    • API ID: _wcscmp
    • String ID: disabledimage$fadedelta$fivestatusimage$focusedimage$focusedtextcolor$foreimage$hotbkcolor$hotforeimage$hotimage$hottextcolor$normalimage$pushedimage$pushedtextcolor
    • API String ID: 856254489-1272733750
    • Opcode ID: 499bf20e1faa1b01ee9e7d874a6a4ca9c2724b2f15a4788cfeb2a689c9e3c038
    • Instruction ID: c3b00882a1475100b471fa1f0f4526bd65d6594d1d5fb52e643ac3650d93586a
    • Opcode Fuzzy Hash: 499bf20e1faa1b01ee9e7d874a6a4ca9c2724b2f15a4788cfeb2a689c9e3c038
    • Instruction Fuzzy Hash: A851F521A447077AEF192A20AC4FFAF2B5DEF94334F10801BF81599282EF7DD915661E
    APIs
    • InternetCloseHandle.WININET(?), ref: 003E5FD6
    • InternetCloseHandle.WININET(?), ref: 003E5FE7
    • InternetCloseHandle.WININET(?), ref: 003E5FF8
    • InternetOpenW.WININET(Http-connect,00000000,00000000,00000000,00000000), ref: 003E600E
    • __CxxThrowException@8.LIBCMT ref: 003E6031
    • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 003E60CD
    • __CxxThrowException@8.LIBCMT ref: 003E60F2
    • HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,00000000,00000000,80000000,00000000), ref: 003E612F
    • HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 003E618D
    • HttpSendRequestW.WININET(?,00000000,00000000,00000000,00000000), ref: 003E619E
    • __CxxThrowException@8.LIBCMT ref: 003E61BE
    • _memset.LIBCMT ref: 003E61D9
    • __CxxThrowException@8.LIBCMT ref: 003E6212
    • HttpQueryInfoW.WININET(?,00000005,?,00000400,00000000), ref: 003E622C
    • GetLastError.KERNEL32 ref: 003E6234
    • __CxxThrowException@8.LIBCMT ref: 003E6266
    • __CxxThrowException@8.LIBCMT ref: 003E62BB
    • _malloc.LIBCMT ref: 003E62CB
    • InternetReadFile.WININET(?,00000000,00800000,00000400), ref: 003E62E7
    • InternetReadFile.WININET(?,00000000,00800000,00000400), ref: 003E6311
    • __CxxThrowException@8.LIBCMT ref: 003E633E
    • __CxxThrowException@8.LIBCMT ref: 003E6152
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    • __CxxThrowException@8.LIBCMT ref: 003E6394
    • _free.LIBCMT ref: 003E63B3
    Strings
    Similarity
    • API ID: Exception@8Throw$Internet$Http$CloseHandleRequest$FileOpenRead$ConnectErrorExceptionHeadersInfoLastQueryRaiseSend_free_malloc_memset
    • String ID: GET$HTTP/1.1$Http-connect$P
    • API String ID: 1965105385-978018513
    • Opcode ID: 2d78b474317d367a97be5a00b7acfeffc55747e138a1388e4b201916da4ea463
    • Instruction ID: e74625bb483ccec55672fb0dc1e815dba659dda0e38a6d59b06d51410fec1c73
    • Opcode Fuzzy Hash: 2d78b474317d367a97be5a00b7acfeffc55747e138a1388e4b201916da4ea463
    • Instruction Fuzzy Hash: B0C17070A00269DBDB21DF65DC46BAAB7F8FF14704F1481A5E489A7280DF75AE84CF90
    APIs
    • _wcscmp.LIBCMT ref: 0041359C
    • _wcscmp.LIBCMT ref: 004135AF
      • Part of subcall function 004139DB: SendMessageW.USER32(00000000,000000CF,?,00000000), ref: 00413A0D
    • _wcscmp.LIBCMT ref: 004135D2
    • _wcscmp.LIBCMT ref: 004135E5
    Strings
    Similarity
    • API ID: _wcscmp$MessageSend
    • String ID: autoselall$disabledimage$focusedimage$hotimage$maxchar$nativebkcolor$normalimage$numberonly$password$readonly$true
    • API String ID: 2129226235-3096893876
    • Opcode ID: 1539ba2f75366e7703cbfb41178253fcf917923cc3927497b31a828d9a71c09b
    • Instruction ID: ce07ab95e0ffd8f2a14275cd2bca6548320a6db180cfb3763091ee7b1d5a2677
    • Opcode Fuzzy Hash: 1539ba2f75366e7703cbfb41178253fcf917923cc3927497b31a828d9a71c09b
    • Instruction Fuzzy Hash: D741C6B174421A7A6A1C3E61AC4FEEE1F89EBE172A310C10FF415951C1DF6CAA86611E
    APIs
      • Part of subcall function 00407FE0: _free.LIBCMT ref: 00407FE9
    • SetLastError.KERNEL32(00000000,00000000,-00000002,?,0061B8C0,?,00000001,?,9C3DCF4C,?,?,?), ref: 004013B9
      • Part of subcall function 00408182: _strlen.LIBCMT ref: 0040819E
      • Part of subcall function 00408182: GetACP.KERNEL32(00000000,00000000,000000FF,?,00000000,?,00000000,?,?,?,00401329,005C952C,0061B8C0), ref: 004081BE
      • Part of subcall function 00408182: MultiByteToWideChar.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00401329,005C952C,0061B8C0), ref: 004081C5
    • std::_Pad::_Launch.LIBCPMT ref: 004014D4
    • std::_Pad::~_Pad.LIBCPMT ref: 004014DC
    • std::_Throw_Cpp_error.LIBCPMT ref: 004014F1
    • std::_Pad::_Launch.LIBCPMT ref: 0040153F
    • std::_Pad::~_Pad.LIBCPMT ref: 00401547
    • std::_Throw_Cpp_error.LIBCPMT ref: 0040155C
    • CreateThread.KERNEL32(00000000,00000000,Function_0003EA50,00000000,00000000,00000000), ref: 004015F9
    • SetTimer.USER32(00000000,0000000D,000003E8,00000000), ref: 004016CF
    Strings
    Similarity
    • API ID: std::_$Cpp_errorLaunchPad::_Pad::~_Throw_$ByteCharCreateErrorLastMultiThreadTimerWide_free_strlen
    • String ID: CDuiFrameWnd::OnClickInstall$CDuiFrameWnd::OnClickInstall$CDuiFrameWnd::UpdateWindowSate$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$OnClickInstall$STR_PATH_INVALID$UpdateWindowSate:kWindow_Downloading$change page downloading begin$change page downloading end$sel path end$sel path:%s$send ga begin$send ga end$switch
    • API String ID: 13458494-1778231162
    • Opcode ID: f262c1b7cdc76cd6acdecfc85f061cc82a5565b6f87de9bb2540dddcf039c061
    • Instruction ID: de43d6ab7f37f27a4ce588bab7f6c88d4d89d840f8edb948dc17335437646ab8
    • Opcode Fuzzy Hash: f262c1b7cdc76cd6acdecfc85f061cc82a5565b6f87de9bb2540dddcf039c061
    • Instruction Fuzzy Hash: 7ED1A070A40319AEDB11EBA4CC4AFDEBBB4BF14704F0401AEE405772D1DBB56A44CB65
    APIs
    • WinHttpCloseHandle.WINHTTP(?), ref: 003E715C
    • WinHttpCloseHandle.WINHTTP(?), ref: 003E716D
    • WinHttpCloseHandle.WINHTTP(?), ref: 003E717E
    • WinHttpOpen.WINHTTP(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 003E7194
    • WinHttpSetTimeouts.WINHTTP(00000000,00000000,?,?,?), ref: 003E71C2
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DA8
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DB9
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DCA
      • Part of subcall function 003E7D50: WinHttpOpen.WINHTTP(Microsoft Internet Explorer,00000000,00000000,00000000,00000000,9C3DCF4C,?,6F756160), ref: 003E7DE0
      • Part of subcall function 003E7CC0: _memset.LIBCMT ref: 003E7CE0
      • Part of subcall function 003E7CC0: WinHttpQueryHeaders.WINHTTP(?,00000013,00000000,?,00000030,00000000,?,?,6F756160), ref: 003E7D00
    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?), ref: 003E725F
    Strings
    • Microsoft Internet Explorer, xrefs: 003E718F
    Similarity
    • API ID: Http$CloseHandle$Open$CreateFileHeadersQueryTimeouts_memset
    • String ID: Microsoft Internet Explorer
    • API String ID: 722904905-3125735337
    • Opcode ID: bed653d565362b2ae81bf64a4fb08d10c4afbb5c5c8c458b0825aa6d08b93513
    • Instruction ID: f6fa48908743bdb28c8490839f374e5aac3a51d3e8dd50008f1509b1a47f4fbd
    • Opcode Fuzzy Hash: bed653d565362b2ae81bf64a4fb08d10c4afbb5c5c8c458b0825aa6d08b93513
    • Instruction Fuzzy Hash: 7E711F31604755AFD7119F35EC09F5ABBA8FF88710F00462AFA44E7290D771E854DBA1
    APIs
    • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003FDA20,?,?,?,?,?,?), ref: 003FEF49
    • WinHttpSetOption.WINHTTP(00000000,00000058,00000000,00000004), ref: 003FEF64
    • WinHttpConnect.WINHTTP(00000000,?,00000050,00000000), ref: 003FEF93
    • WinHttpOpenRequest.WINHTTP(00000000,GET,?,00000000,00000000,00000000,00000000), ref: 003FEFB7
    • WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003FEFD0
    • WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 003FEFDD
    • WinHttpQueryHeaders.WINHTTP(00000000,00000013,00000000,00000000,?,00000000), ref: 003FF005
    • _memset.LIBCMT ref: 003FF02B
    • WinHttpQueryHeaders.WINHTTP(00000000,00000013,00000000,00000000,00000000,00000000), ref: 003FF03F
    • StrToIntW.SHLWAPI(00000000), ref: 003FF042
    • WinHttpQueryHeaders.WINHTTP(00000000,00000021,00000000,00000000,00000000,00000000), ref: 003FF072
    Strings
    • D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp, xrefs: 003FF0E6
    • GetRedirectUrl, xrefs: 003FF0EB
    • `auo, xrefs: 003FF0F8
    • GET, xrefs: 003FEFB1
    • Error %d has occurred., xrefs: 003FF0DA
    Similarity
    • API ID: Http$HeadersQuery$OpenRequest$ConnectOptionReceiveResponseSend_memset
    • String ID: D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$Error %d has occurred.$GET$GetRedirectUrl$`auo
    • API String ID: 797034079-3937419044
    • Opcode ID: a308de6e93d11f3f8b206d63f6819ce3ffe97e79af5b686cb580cfcc41b5c7ec
    • Instruction ID: 9346aa09e572e60fd5f11be719f01ea3e556d81b47d257185993ace83e8775d2
    • Opcode Fuzzy Hash: a308de6e93d11f3f8b206d63f6819ce3ffe97e79af5b686cb580cfcc41b5c7ec
    • Instruction Fuzzy Hash: 70519671A403197FEB209BA4DC4AFBE77BCEF58700F110029F606BB1D1DAB4A9048B65
    APIs
    • InternetCloseHandle.WININET(0000000F), ref: 003E5567
    • InternetCloseHandle.WININET(00000000), ref: 003E5578
    • InternetCloseHandle.WININET(?), ref: 003E5589
    • InternetOpenW.WININET(Http-connect,00000000,00000000,00000000,00000000), ref: 003E559F
    • __CxxThrowException@8.LIBCMT ref: 003E55C2
    • InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 003E565E
    • __CxxThrowException@8.LIBCMT ref: 003E5683
    • HttpOpenRequestW.WININET(00000000,GET,?), ref: 003E56D0
    • __CxxThrowException@8.LIBCMT ref: 003E56F3
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    • HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 003E5771
    • HttpSendRequestW.WININET(?,?,?,?,?), ref: 003E578A
    • __CxxThrowException@8.LIBCMT ref: 003E57AA
    • _memset.LIBCMT ref: 003E57C4
    • __CxxThrowException@8.LIBCMT ref: 003E57FD
    • InternetReadFile.WININET(?,?,00001000,00001000), ref: 003E5826
    • __CxxThrowException@8.LIBCMT ref: 003E5894
    Strings
    Similarity
    • API ID: Exception@8InternetThrow$CloseHandleHttpRequest$Open$ConnectExceptionFileHeadersRaiseReadSend_memset
    • String ID: GET$HTTP/1.1$Http-connect$P$POST
    • API String ID: 1144360650-1777155406
    • Opcode ID: b82ef80b757bf2609231f53db4c1a4f25065f19487b76e579be264494ebc7289
    • Instruction ID: 9d778921992830df2658b186c015d60e373c8b622f934f81324b8c11b792ebc0
    • Opcode Fuzzy Hash: b82ef80b757bf2609231f53db4c1a4f25065f19487b76e579be264494ebc7289
    • Instruction Fuzzy Hash: D0C16074A046A9DBDB21CF65DC45BE9B7B9BF04344F0042A9E489A72C0D7B4AED4CF60
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,0044B1BD,00000000,?,00010000), ref: 004B1306
    • GetLastError.KERNEL32(?,?,?,0044B1BD,00000000,?,00010000), ref: 004B1318
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0044B1BD,00000000,?,00010000), ref: 004B138D
    • GetLastError.KERNEL32(?,?,?,0044B1BD,00000000,?,00010000), ref: 004B139F
    • __beginthreadex.LIBCMT ref: 004B1424
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0044B1BD,00000000), ref: 004B1439
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044B1BD,00000000), ref: 004B144F
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,0044B1BD,00000000), ref: 004B145C
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,0044B1BD,00000000), ref: 004B14BA
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044B1BD,00000000), ref: 004B14C1
    • EnterCriticalSection.KERNEL32(00000000,9C3DCF4C,00000000,00000000,75922EE0,?,?,thread), ref: 004B1531
    • CloseHandle.KERNEL32(?), ref: 004B157F
    • LeaveCriticalSection.KERNEL32(00000000), ref: 004B1595
    Strings
    Similarity
    • API ID: CloseHandle$ErrorLast$CreateCriticalEventSection$EnterLeaveObjectSingleWait__beginthreadex
    • String ID: D,]$D,]$D,]$D,]$thread$thread.entry_event$thread.exit_event
    • API String ID: 257529719-164939557
    • Opcode ID: e2c138edd4e3e9dbfb769584709e0849f76c9175e3979def761e2202f44c2274
    • Instruction ID: d95d8828d20dc0cda3a00683b6ca36955bca5874d6259f18289c2f0cf551a5eb
    • Opcode Fuzzy Hash: e2c138edd4e3e9dbfb769584709e0849f76c9175e3979def761e2202f44c2274
    • Instruction Fuzzy Hash: 7E81D375A00305AFDB10DF94DC84B9FBBF5FB45720F10452AE90697362DB799A00CBA4
    APIs
    Strings
    Similarity
    • API ID: _wcscmp
    • String ID: foreimage$group$selected$selectedbkcolor$selectedhotimage$selectedimage$selectedtextcolor$true
    • API String ID: 856254489-3444983114
    • Opcode ID: f3f5bc511729dc73879a1d0355b476848d54e52b93ae3f25616cd408cda51d14
    • Instruction ID: 09d4faf3fb94af52b66544a5e66e1f1f9dcdfd4be576d9ecb29ae7738655aaf8
    • Opcode Fuzzy Hash: f3f5bc511729dc73879a1d0355b476848d54e52b93ae3f25616cd408cda51d14
    • Instruction Fuzzy Hash: 3A311A31708325BADB183661BC5AEAF3B9DEF90320B90C01FF8159A282DF799951553D
    APIs
      • Part of subcall function 003FEF20: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003FDA20,?,?,?,?,?,?), ref: 003FEF49
      • Part of subcall function 003FEF20: WinHttpSetOption.WINHTTP(00000000,00000058,00000000,00000004), ref: 003FEF64
    • MessageBoxW.USER32(?,?,00000000,00000000), ref: 003FDE85
    Strings
    Similarity
    • API ID: Http$MessageOpenOption
    • String ID: %s %d %s$0MB$CDuiFrameWnd::OnClickInstall::<lambda_adf7fad06e781bd2a4999bd62dd277fd>::operator ()$CDuiFrameWnd::OnClickInstall::<lambda_adf7fad06e781bd2a4999bd62dd277fd>::operator ()$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$STR_MB$STR_MESSAGEBOX_TITLE$STR_STORAGE$get disk size begin$get disk size end$get file size begin$get file size end$get redirect Url:%s$imyfone-download.exe
    • API String ID: 1568938648-2017695130
    • Opcode ID: 3a233bbbe6baab4087bf66e49e2bb57eda8cf2b8162b36de50b856ebd5aea320
    • Instruction ID: 19c960650bb349c2e8dbc1de32da7c7c92f02149266a6684bfb0240a1ec156fb
    • Opcode Fuzzy Hash: 3a233bbbe6baab4087bf66e49e2bb57eda8cf2b8162b36de50b856ebd5aea320
    • Instruction Fuzzy Hash: 88129C70914258DEDF11EBA4DC4ABEEBBB5BF14304F1400ADE109B7282EB755A48CF66
    APIs
    • std::exception::exception.LIBCMT ref: 00496993
      • Part of subcall function 0057A0A2: std::exception::_Copy_str.LIBCMT ref: 0057A0BB
      • Part of subcall function 00472040: __CxxThrowException@8.LIBCMT ref: 0047205E
    • EnterCriticalSection.KERNEL32(?,9C3DCF4C,00000118,00000000,00000000,005BE778,000000FF,?,00480CFF,00000000,00000000), ref: 004969B3
    • type_info::operator==.LIBCMT ref: 004969F0
    • LeaveCriticalSection.KERNEL32(?,?,9C3DCF4C,00000118,00000000,00000000,005BE778,000000FF), ref: 00496A18
    • std::exception::exception.LIBCMT ref: 00496A40
      • Part of subcall function 00472100: __CxxThrowException@8.LIBCMT ref: 0047211E
      • Part of subcall function 00472100: __CxxThrowException@8.LIBCMT ref: 0047214E
      • Part of subcall function 00472100: __CxxThrowException@8.LIBCMT ref: 0047217E
    • EnterCriticalSection.KERNEL32(?,9C3DCF4C,00000000,00000000,?,?,?,?,9C3DCF4C), ref: 00496A91
    • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00496ABE
    • GetLastError.KERNEL32 ref: 00496ACB
    • SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000), ref: 00496B56
    • CloseHandle.KERNEL32(?), ref: 00496B94
    • LeaveCriticalSection.KERNEL32(?), ref: 00496BAA
    Strings
    Similarity
    • API ID: CriticalException@8SectionThrow$EnterLeaveTimerWaitablestd::exception::exception$CloseCopy_strCreateErrorHandleLaststd::exception::_type_info::operator==
    • String ID: D,]$D,]$timer$|7]$|7]
    • API String ID: 4243092630-2891330326
    • Opcode ID: f04d58177136ebf29ddbf2294593883528fd0c7198e9b241d65a28d63f8e9f62
    • Instruction ID: 7345808b1e01e4bbbb6012e0241589a83ba56dc453e96fbe4fa49bd8ae0481ce
    • Opcode Fuzzy Hash: f04d58177136ebf29ddbf2294593883528fd0c7198e9b241d65a28d63f8e9f62
    • Instruction Fuzzy Hash: E1718DB5A00604AFCB20CF68C945B9BBFF8FB08714F10852AE805A7341D775EA04CBA4
    APIs
    Strings
    Similarity
    • API ID: _strcspn
    • String ID: /?#$:/?#$@/?#$@:[/?#$D,]$`>
    • API String ID: 3709121408-2376957972
    • Opcode ID: 76a7798af1dedcfbd2303eff8130e84547b62096b8a135c1f1c52eb4017fd275
    • Instruction ID: a4ab3d8600b48196f19d52f1ae0f63cb64aeaef9a483f65115193b9bc1f5878d
    • Opcode Fuzzy Hash: 76a7798af1dedcfbd2303eff8130e84547b62096b8a135c1f1c52eb4017fd275
    • Instruction Fuzzy Hash: 9BE17A70D002599FDF21DF64CC81BAEBBB9FB52304F1445AAE40A67242D7746E89CF61
    APIs
    • GetCaretBlinkTime.USER32(00000000), ref: 00412CC7
    • SetTimer.USER32(?,00000014,00000000), ref: 00412CD3
    • GetClientRect.USER32(?,?), ref: 00412D40
    • InvalidateRect.USER32(?,?,00000000), ref: 00412D4E
    • GetClientRect.USER32(?,?), ref: 00412E2A
    • GetCaretPos.USER32(?), ref: 00412E34
      • Part of subcall function 00418D27: CreatePenIndirect.GDI32(00000000), ref: 00418D76
      • Part of subcall function 00418D27: SelectObject.GDI32(?,00000000), ref: 00418D80
      • Part of subcall function 00418D27: MoveToEx.GDI32(?,?,?,00000000), ref: 00418D9F
      • Part of subcall function 00418D27: LineTo.GDI32(?,?,?), ref: 00418DB1
      • Part of subcall function 00418D27: SelectObject.GDI32(?,00000000), ref: 00418DBB
      • Part of subcall function 00418D27: DeleteObject.GDI32(00000000), ref: 00418DC2
    Strings
    Similarity
    • API ID: ObjectRect$CaretClientSelect$BlinkCreateDeleteIndirectInvalidateLineMoveTimeTimer
    • String ID: return
    • API String ID: 3388831396-2812165903
    • Opcode ID: 9431b3d65815c3fb03d5f6d70d99542d00d0d4b9acbec53d43b01456d4e2ee16
    • Instruction ID: 2cebfb0791fe116100810daf996900450e8fa924a26763b3ca01a7c768cf1e8f
    • Opcode Fuzzy Hash: 9431b3d65815c3fb03d5f6d70d99542d00d0d4b9acbec53d43b01456d4e2ee16
    • Instruction Fuzzy Hash: EFA19F75A002049FCF08DF64CA98DEE7BB5EF48304B00446AF802EB396DA79DD64DB65
    APIs
    • CreateCompatibleDC.GDI32(?), ref: 00414214
    • CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 00414283
    • SelectObject.GDI32(00000000,00000000), ref: 004142A0
    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020,?,00CC0020), ref: 004142C6
    • SelectObject.GDI32(00000000,?), ref: 004142D0
    • DeleteObject.GDI32(?), ref: 004142F1
    • CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 00414341
    • SelectObject.GDI32(00000000,00000000), ref: 00414356
    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00414375
    • SelectObject.GDI32(00000000,?), ref: 0041437F
    • SelectObject.GDI32(00000000,?), ref: 0041440D
    • DeleteDC.GDI32(00000000), ref: 0041446E
    Similarity
    • API ID: Object$Select$Create$DeleteSection$CompatibleStretch
    • String ID:
    • API String ID: 3339966072-0
    • Opcode ID: 6a18390d27771dc1cce768658d0ce60d7ba6f08158a9b76e4902b3175bcae860
    • Instruction ID: 32f523e25c29cb152fccb43cd37dfcc717797944d36c8a78a9e18f65c0bf16db
    • Opcode Fuzzy Hash: 6a18390d27771dc1cce768658d0ce60d7ba6f08158a9b76e4902b3175bcae860
    • Instruction Fuzzy Hash: 3C818D71900609FFCB159F65DC09AAEBFB9FF88350F10861AF909A2251D734EA90DB94
    APIs
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DA8
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DB9
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DCA
      • Part of subcall function 003E7D50: WinHttpOpen.WINHTTP(Microsoft Internet Explorer,00000000,00000000,00000000,00000000,9C3DCF4C,?,6F756160), ref: 003E7DE0
    • __CxxThrowException@8.LIBCMT ref: 003E7470
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    • __CxxThrowException@8.LIBCMT ref: 003E7494
    • __CxxThrowException@8.LIBCMT ref: 003E74BA
    • WinHttpQueryDataAvailable.WINHTTP(?,00000000,00000000,?,00000000,00000000,00000000,9C3DCF4C), ref: 003E74C6
    • __CxxThrowException@8.LIBCMT ref: 003E74E0
    • __CxxThrowException@8.LIBCMT ref: 003E74FF
    • _malloc.LIBCMT ref: 003E7505
    • _malloc.LIBCMT ref: 003E7512
    • _free.LIBCMT ref: 003E752B
    • _malloc.LIBCMT ref: 003E7534
    • WinHttpReadData.WINHTTP(?,00000000,00000000,00000000), ref: 003E754A
    • __CxxThrowException@8.LIBCMT ref: 003E7564
    • _memmove.LIBCMT ref: 003E7576
    • WinHttpQueryDataAvailable.WINHTTP(?,00000000), ref: 003E758B
    • __CxxThrowException@8.LIBCMT ref: 003E75A5
    Similarity
    • API ID: Exception@8HttpThrow$CloseDataHandle_malloc$AvailableQuery$ExceptionOpenRaiseRead_free_memmove
    • String ID:
    • API String ID: 1223377970-0
    • Opcode ID: 0905f802dbfb37abc510b08e7606a2e892b560fb364139fe4fd849d67c229c08
    • Instruction ID: b5918132bd3b6521ff8e79f066a9c625c9c2a3662fd7e8c5f108403c1014d272
    • Opcode Fuzzy Hash: 0905f802dbfb37abc510b08e7606a2e892b560fb364139fe4fd849d67c229c08
    • Instruction Fuzzy Hash: 2A517EB1D04259ABCF11DFA1E849BEEBFB9FF49714F014129F804B7281D7799A049BA0
    APIs
    • CreateCompatibleDC.GDI32(00000000), ref: 00419059
    • CreateCompatibleBitmap.GDI32(00000000,?,00412F82), ref: 00419090
    • SelectObject.GDI32(00000000,00000000), ref: 0041909B
    • CreateCompatibleDC.GDI32(00000000), ref: 00419105
    • CreateDIBSection.GDI32(00000000,00000028,00000000,00000000,00000000,00000000), ref: 00419122
    • SelectObject.GDI32(00000000,00000000), ref: 00419133
    Strings
    Similarity
    • API ID: Create$Compatible$ObjectSelect$BitmapSection
    • String ID: (
    • API String ID: 2425437800-3887548279
    • Opcode ID: 71025f0484d0b263b8558a75e9c612df53891903f46ca848bd4d251d220372f8
    • Instruction ID: 1a29ef7de8237b4703ca6604f55fef12b2707f7e9e87526e1df6d373c2648ec5
    • Opcode Fuzzy Hash: 71025f0484d0b263b8558a75e9c612df53891903f46ca848bd4d251d220372f8
    • Instruction Fuzzy Hash: 02517A75A00308AFDF01DFE4DC48AEEBBB9FF58301F004029E506BB250DB789A498B15
    APIs
    • KillTimer.USER32(00000000,0000000B,?,?,9C3DCF4C,00000000,?,00000000,005BE3D8,000000FF,?,003FCFF9,00000000,00000001), ref: 004003B5
    • KillTimer.USER32(00000000,0000000C,?,?,9C3DCF4C,00000000,?,00000000,005BE3D8,000000FF,?,003FCFF9,00000000,00000001), ref: 004003C6
    • IsWindowVisible.USER32(00000000), ref: 00400490
    • Sleep.KERNEL32(000003E8,?,?,9C3DCF4C,00000000,?,00000000,005BE3D8,000000FF,?,003FCFF9,00000000,00000001), ref: 004004B1
    Strings
    Similarity
    • API ID: KillTimer$SleepVisibleWindow
    • String ID: CDuiFrameWnd::InstallExeFinish$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$InstallExeFinish$btn_install$btn_start$control_tip$customLayout$false$lineLayout$visible
    • API String ID: 2272305364-718872000
    • Opcode ID: 38c85d1a654c966522220b7778fae77ebd874f9e5bf982ed815545e19826d658
    • Instruction ID: 04082cfcd20150569c5c76964838bb0a4e8432460e29cbecde69adccd129ff7e
    • Opcode Fuzzy Hash: 38c85d1a654c966522220b7778fae77ebd874f9e5bf982ed815545e19826d658
    • Instruction Fuzzy Hash: A241C231740645AFDB04EBA1DC4AFBEB775BF48700F14023DF606AA2D1EBB0A914CA94
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 004094ED
    • _memset.LIBCMT ref: 00409515
    • GetStockObject.GDI32(00000011), ref: 00409528
    • GetObjectW.GDI32(00000000), ref: 0040952F
    • _wcsncpy.LIBCMT ref: 0040953C
    • CreateFontIndirectW.GDI32(00000000), ref: 00409585
      • Part of subcall function 005775E3: _malloc.LIBCMT ref: 005775FB
    • _memset.LIBCMT ref: 004095D5
    • SelectObject.GDI32(?,00000000), ref: 00409623
    • GetTextMetricsW.GDI32(?,00000090), ref: 0040963A
    • SelectObject.GDI32(?,00000000), ref: 0040964D
    • _memset.LIBCMT ref: 0040965D
    • __itow.LIBCMT ref: 0040966B
    • DeleteObject.GDI32(00000000), ref: 004096A3
    • DeleteObject.GDI32(00000000), ref: 004096ED
      • Part of subcall function 00407FE0: _free.LIBCMT ref: 00407FE9
    • DeleteObject.GDI32(00000000), ref: 00409724
    Similarity
    • API ID: Object$Delete_memset$Select$CreateFontH_prolog3_IndirectMetricsStockText__itow_free_malloc_wcsncpy
    • String ID:
    • API String ID: 1145538800-0
    • Opcode ID: b9c6e158270f298e139bd095df775bf098687b27fa716eb6d7bfdf48b9061d72
    • Instruction ID: 4f08873898cf3523f21ec8f4daf70b98526fcc1a6f04617ad6ab8bf3e5fccce2
    • Opcode Fuzzy Hash: b9c6e158270f298e139bd095df775bf098687b27fa716eb6d7bfdf48b9061d72
    • Instruction Fuzzy Hash: 9161AF71904219AFEB11AF70DC45FAE7BB8BF54300F0440AEF949B7283DA749A48DB65
    APIs
    • GetCursorPos.USER32(?), ref: 0041AF3C
    • ScreenToClient.USER32(00000000), ref: 0041AF62
    • PtInRect.USER32(?,?,?), ref: 0041AF75
    • SetFocus.USER32(00000000), ref: 0041AFE7
    • GetCaretPos.USER32(?), ref: 0041B04F
    • ImmGetContext.IMM32(00000000), ref: 0041B064
    • ImmSetCompositionWindow.IMM32(00000000,00000020,00000000), ref: 0041B094
    • GetObjectW.GDI32(00000000,0000005C,?), ref: 0041B0B1
    • ImmSetCompositionFontW.IMM32(00000000,?), ref: 0041B0BC
    • ImmReleaseContext.IMM32(00000000), ref: 0041B0D1
    • ScreenToClient.USER32(00000000), ref: 0041B10B
    Strings
    Similarity
    • API ID: ClientCompositionContextScreen$CaretCursorFocusFontObjectRectReleaseWindow
    • String ID:
    • API String ID: 850084529-3916222277
    • Opcode ID: a914a2d6d3aa6eb1a1572eb0d668ac2f4840da35f3756de01bc98c28cd4ae824
    • Instruction ID: efd8208a76c89572cf561f190835b74778826ab41ba606a965d3ad4fd139753f
    • Opcode Fuzzy Hash: a914a2d6d3aa6eb1a1572eb0d668ac2f4840da35f3756de01bc98c28cd4ae824
    • Instruction Fuzzy Hash: 12A18F74A002158FDF24DF64C898BFEBBA5FF48340F04446AE85AE7381DB389D918B55
    APIs
    • WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DA8
    • WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DB9
    • WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DCA
    • WinHttpOpen.WINHTTP(Microsoft Internet Explorer,00000000,00000000,00000000,00000000,9C3DCF4C,?,6F756160), ref: 003E7DE0
    • WinHttpSetTimeouts.WINHTTP(00000000,00000000,?,?,?,?,6F756160), ref: 003E7E0A
    • WinHttpConnect.WINHTTP(?,?,?,00000000), ref: 003E7E82
    • WinHttpOpenRequest.WINHTTP(00000000,GET,?,00000000,00000000,00000000,00000000), ref: 003E7ED8
    • WinHttpSetOption.WINHTTP(00000000,0000001F,?,00000004), ref: 003E7EFD
    • WinHttpReceiveResponse.WINHTTP(?,00000000,00000000,?), ref: 003E7F26
    Strings
    Similarity
    • API ID: Http$CloseHandle$Open$ConnectOptionReceiveRequestResponseTimeouts
    • String ID: GET$Microsoft Internet Explorer$POST
    • API String ID: 1619924244-83886455
    • Opcode ID: a93031539cce86516b4d73025ec99456005f2d5cfd853431136019849fceea6a
    • Instruction ID: f0c46631b3d8149e3de16d2584c27c81fef6898dd6d489227503e4e8c942818b
    • Opcode Fuzzy Hash: a93031539cce86516b4d73025ec99456005f2d5cfd853431136019849fceea6a
    • Instruction Fuzzy Hash: 7A614870208781AFDB21CF25DC49B5BBBE8BF94704F504A2DF58687290EB75E908DB52
    APIs
    Strings
    Similarity
    • API ID: _wcscmp
    • String ID: foreimage$hor$max$min$true$value
    • API String ID: 856254489-3169578315
    • Opcode ID: 056366e7483b3a4ab21fbd7cf86ead6ba089ded8555baf0917700e7322b8bb21
    • Instruction ID: d09005e15abcb5d3f55f162b2dd98c97caa42e2edc2b3d7877738ca4c5529a34
    • Opcode Fuzzy Hash: 056366e7483b3a4ab21fbd7cf86ead6ba089ded8555baf0917700e7322b8bb21
    • Instruction Fuzzy Hash: 2C119A3224451A2A2A0D3E75BC4BEFF1F8DEED172BB60801FF41595182DF69A682315E
    APIs
    Similarity
    • API ID: Object$Select_memset$Delete$CreateFontIndirectMetricsStockText_wcsncpy
    • String ID:
    • API String ID: 3774237059-0
    • Opcode ID: c84340f11e85e3afcc1a7b466eaefa07a928929cdcaf52e258b536f2cbfc2f58
    • Instruction ID: ef2c25a94a0ad3a1724cc3fbf9d017e791e3bbea33a9b1fceb4c869f4fd0e517
    • Opcode Fuzzy Hash: c84340f11e85e3afcc1a7b466eaefa07a928929cdcaf52e258b536f2cbfc2f58
    • Instruction Fuzzy Hash: 9B51D875904288AFDB01DFA49C49BDA7FB8AF55700F084079FE44EB283C6758A09DB75
    APIs
    • __time64.LIBCMT ref: 0044491A
      • Part of subcall function 0057E6DC: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0044491F,00000000,CMFDownload::Download,HttpDownload.cpp,0000006C,00000001,Download....,9C3DCF4C), ref: 0057E6E5
      • Part of subcall function 0057E6DC: __aulldiv.LIBCMT ref: 0057E705
    • _xtime_get.LIBCPMT ref: 00444AAA
    • __Xtime_diff_to_millis2.LIBCPMT ref: 00444ABD
    • Concurrency::wait.LIBCMT ref: 00444AC3
    • __Thrd_sleep.LIBCPMT ref: 00444AD4
    • __time64.LIBCMT ref: 00444C41
    Strings
    Similarity
    • API ID: Time__time64$Concurrency::waitFileSystemThrd_sleepXtime_diff_to_millis2__aulldiv_xtime_get
    • String ID: CMFDownload::Download$Download....$HttpDownload avhttp cancel but almost complete.$HttpDownload avhttp user maybe cancel.$HttpDownload.cpp
    • API String ID: 2235673321-1450646205
    • Opcode ID: ff2f3cbe8c62f821e9e35d59def0fd12dda6f24d50d1b303524fb47a9639a46b
    • Instruction ID: af123ea155bdb2a0c3dd4d9ee6a9108a5d6722a95b4e9fa05c632ffc43252551
    • Opcode Fuzzy Hash: ff2f3cbe8c62f821e9e35d59def0fd12dda6f24d50d1b303524fb47a9639a46b
    • Instruction Fuzzy Hash: 3CB1B1B0D003489BFF20DBA8DC4AB9EBBB5FF94314F14455AE408A7281E7799984CF56
    APIs
      • Part of subcall function 003EDAB0: _memset.LIBCMT ref: 003EDADC
      • Part of subcall function 003EDAB0: lstrcpyW.KERNEL32(?,?), ref: 003EDAF7
      • Part of subcall function 003EDAB0: _memset.LIBCMT ref: 003EDB0B
      • Part of subcall function 003EDAB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003EDB21
      • Part of subcall function 003EDAB0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 003EDB35
      • Part of subcall function 003EDAB0: lstrcmpW.KERNEL32(?,?), ref: 003EDB5E
      • Part of subcall function 003EDAB0: Process32NextW.KERNEL32(00000000,0000022C), ref: 003EDB6C
      • Part of subcall function 003EDAB0: CloseHandle.KERNEL32(00000000), ref: 003EDB76
    • MessageBoxW.USER32(?,00000000,00000000,00190031), ref: 004023C9
    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 004024E0
    • GetFileAttributesW.KERNEL32(?), ref: 004024F2
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0040250B
    • std::_Pad::_Launch.LIBCPMT ref: 00402538
    • std::_Pad::~_Pad.LIBCPMT ref: 00402540
    • std::_Throw_Cpp_error.LIBCPMT ref: 00402555
      • Part of subcall function 003E3820: _memmove.LIBCMT ref: 003E38DC
    Strings
    • STR_SOFT_RUN, xrefs: 00402343
    • CDuiFrameWnd::StartInstallExe, xrefs: 004022F8
    • D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp, xrefs: 004022F3
    • STR_MESSAGEBOX_TITLE, xrefs: 0040231D
    Similarity
    • API ID: Createstd::_$DirectoryProcess32_memset$AttributesCloseCpp_errorFileFirstHandleLaunchMessageNextPad::_Pad::~_SnapshotThrow_Toolhelp32_memmovelstrcmplstrcpy
    • String ID: CDuiFrameWnd::StartInstallExe$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$STR_MESSAGEBOX_TITLE$STR_SOFT_RUN
    • API String ID: 3410834099-2629175263
    • Opcode ID: 6d80fb85ddf5c7a9d8d052d44b9e24fe5f19d13799ec0993e6948865bc3a44f7
    • Instruction ID: d039c8a48e8d11519f29e09a5e628b04e8b88d273ace336ef0f39e40491ad27d
    • Opcode Fuzzy Hash: 6d80fb85ddf5c7a9d8d052d44b9e24fe5f19d13799ec0993e6948865bc3a44f7
    • Instruction Fuzzy Hash: 13A19B70D00258DEDF11DBA4CD49BDEBBB4BF55304F10416AE409B7281EB75AA48CFA6
    APIs
    • gethostbyname.WS2_32(?), ref: 003E16FA
    • __CxxThrowException@8.LIBCMT ref: 003E1714
    • closesocket.WS2_32(?), ref: 003E180B
    • socket.WS2_32(00000002,00000001,00000006), ref: 003E1817
    • __CxxThrowException@8.LIBCMT ref: 003E1835
    • setsockopt.WS2_32(00000000,0000FFFF,00001006,?,00000004), ref: 003E1852
    • htons.WS2_32(?), ref: 003E1864
    • inet_addr.WS2_32(00000000), ref: 003E1872
    • connect.WS2_32(?,?,00000010), ref: 003E1884
    • __CxxThrowException@8.LIBCMT ref: 003E189F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Exception@8Throw$closesocketconnectgethostbynamehtonsinet_addrsetsockoptsocket
    • String ID: %d.%d.%d.%d
    • API String ID: 507487181-3491811756
    • Opcode ID: e35598163df3f6b634d417504a0f4b1e7bd88d87d369303edbcc34b036fe2344
    • Instruction ID: fdc0928b9fe6d1fb9863802330ca1508b468cf2878d1f4cdc121653c8533694d
    • Opcode Fuzzy Hash: e35598163df3f6b634d417504a0f4b1e7bd88d87d369303edbcc34b036fe2344
    • Instruction Fuzzy Hash: 1F61D170D04288EFDB11DFA5D849BEEBBB8FF18714F204229E415A72D1D7759A08CB90
    APIs
    • GetStdHandle.KERNEL32(000000F4,00000065,004ED4D6,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,004ED0BE,.\crypto\cryptlib.c,00000254,pointer != NULL,00000168,?,?,00000000,005B7483), ref: 004ED39B
    • GetFileType.KERNEL32(00000000,?,?,00000000,005B7483,000000FF), ref: 004ED3A8
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000,005B7483,000000FF), ref: 004ED3EB
    • vswprintf.LIBCMT ref: 004ED3CB
      • Part of subcall function 00580C16: __vsnprintf_l.LIBCMT ref: 00580C27
    • vswprintf.LIBCMT ref: 004ED420
    • RegisterEventSourceA.ADVAPI32(00000000,OpenSSL), ref: 004ED440
    • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 004ED468
    • DeregisterEventSource.ADVAPI32(00000000), ref: 004ED46F
    • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 004ED499
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Event$FileSourcevswprintf$DeregisterHandleMessageRegisterReportTypeWrite__vsnprintf_l
    • String ID: OpenSSL$OpenSSL: FATAL
    • API String ID: 365571034-4224901669
    • Opcode ID: a1299f9496d81b907957e839bff08f50bc182baafa89f79efb6a574837140ea7
    • Instruction ID: 9dfdfd2c82fbcf535b14f509586327760b88e861f89ffc2ef80b9aee1b62f917
    • Opcode Fuzzy Hash: a1299f9496d81b907957e839bff08f50bc182baafa89f79efb6a574837140ea7
    • Instruction Fuzzy Hash: FB31B671608345AFE731EB24DC4AFEF7B98EF98B01F400419B689D61C1EBB495449763
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: invalid string position$string too long
    • API String ID: 4104443479-4289949731
    • Opcode ID: 60dcefee130e543ed9aacfb566ea5b4818030778ef18d13bb0eac79fd1b0029c
    • Instruction ID: dff8beadb0e4d8be98fedf85ec5c0c6be27c3002b6e310907352743f4908de56
    • Opcode Fuzzy Hash: 60dcefee130e543ed9aacfb566ea5b4818030778ef18d13bb0eac79fd1b0029c
    • Instruction Fuzzy Hash: A4D16D306002AADBCB11CF59D9C089AB7BAFF8C704B204629E855DB696D730ED55CBE0
    APIs
      • Part of subcall function 003EFBF0: _free.LIBCMT ref: 003EFD15
      • Part of subcall function 003EFBF0: _free.LIBCMT ref: 003EFD25
    • _free.LIBCMT ref: 003F4375
    • _free.LIBCMT ref: 003F4395
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _free
    • String ID: 4}\$CGA::SendGACommon$Content-Type: application/json; charset=utf-8$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\common\GA.cpp$request info: %s$request ret Code: %d$request url: %s$tran code guid:%s
    • API String ID: 269201875-972111153
    • Opcode ID: 4048aa851e29ffe8c03ec94980cd427b8cf2abc2e6a0fe10e4b13c609b840524
    • Instruction ID: 3d523101685f84456ad320070b45bff8eb1978d5b3fdd661d74777d86dab04d6
    • Opcode Fuzzy Hash: 4048aa851e29ffe8c03ec94980cd427b8cf2abc2e6a0fe10e4b13c609b840524
    • Instruction Fuzzy Hash: 9CE17B70D0426D9FDF21DBA4CC45BEEBBB4BB05304F1441A9E509BB282DB755A88CFA1
    APIs
    • __CxxThrowException@8.LIBCMT ref: 0049198A
    • __CxxThrowException@8.LIBCMT ref: 004919B8
    • __CxxThrowException@8.LIBCMT ref: 004919E1
      • Part of subcall function 004048E0: __CxxThrowException@8.LIBCMT ref: 00404996
      • Part of subcall function 004048E0: __CxxThrowException@8.LIBCMT ref: 004049C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: fe9b28121e8d3de299c33e3b904dc3b09520769c442a55f91ab95b69f9e86480
    • Instruction ID: a420a4f1c31a911dfd1d857f8a9202ae7899486380377b3c944d9d695fda8b88
    • Opcode Fuzzy Hash: fe9b28121e8d3de299c33e3b904dc3b09520769c442a55f91ab95b69f9e86480
    • Instruction Fuzzy Hash: 498100706002089FDB14DF58D891FAABBF1BF14B18F14856EE4459B3A2CBB9ED46CB44
    APIs
    • _memset.LIBCMT ref: 003EEAF4
    • _memset.LIBCMT ref: 003EEC15
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,9C3DCF4C,?,000000FF, /verysilent /imyfone_down /wait_run /path=",0000002C,?,?,?), ref: 003EEC4F
    • ResumeThread.KERNEL32(?), ref: 003EEC5C
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003EEC67
    • CloseHandle.KERNEL32(?), ref: 003EEC76
    • CloseHandle.KERNEL32(?), ref: 003EEC7B
    • GetLastError.KERNEL32 ref: 003EEC7F
    Strings
    • /progress=", xrefs: 003EEBBF
    • /verysilent /imyfone_down /wait_run /path=", xrefs: 003EEB8D
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CloseHandle_memset$CreateErrorLastObjectProcessResumeSingleThreadWait
    • String ID: /progress="$ /verysilent /imyfone_down /wait_run /path="
    • API String ID: 1410714770-3156103713
    • Opcode ID: 9385bd83a9e60ac7a60094e8bf4b634862a40f807e656656f4b7f4d6f04158a0
    • Instruction ID: 481ccfb205502d8f12333cb42d499886824fa36c7db1fbfc55271ab5363098a0
    • Opcode Fuzzy Hash: 9385bd83a9e60ac7a60094e8bf4b634862a40f807e656656f4b7f4d6f04158a0
    • Instruction Fuzzy Hash: D861AF71D10299AADF11DFA4DC46BEEBB74FF48710F144229E506BB2D0EB712A44CB61
    APIs
    • __EH_prolog3.LIBCMT ref: 004090F8
    • DeleteObject.GDI32(?), ref: 004091A3
    • DestroyWindow.USER32(?,00000000,00000000,00000000,?,?,?,?,9C3DCF4C,?,?,?,005B527B,000000FF), ref: 004091E0
    • DeleteDC.GDI32(?), ref: 004091FF
    • DeleteDC.GDI32(?), ref: 00409210
    • DeleteObject.GDI32(?), ref: 00409221
    • DeleteObject.GDI32(?), ref: 0040922E
    • ReleaseDC.USER32(?,?), ref: 00409241
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Delete$Object$DestroyH_prolog3ReleaseWindow
    • String ID: d
    • API String ID: 2182690835-820377970
    • Opcode ID: 6add0d5c9ef82e7a04bc9b21432a5bd39f91acfff45ca6a4bc058808b34ae979
    • Instruction ID: 6ea3b42d2981e63ebb524b779f76d67dac221dc0fce1cb1ef2040f2eaf35757f
    • Opcode Fuzzy Hash: 6add0d5c9ef82e7a04bc9b21432a5bd39f91acfff45ca6a4bc058808b34ae979
    • Instruction Fuzzy Hash: EF61D2306007419BDB15EB75C855BAEB7E56F54308F00486EE49B672C2DF786E08C766
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ErrorLast
    • String ID: banner$btn_browse$btn_hide$btn_install$btn_lisence$btn_start$imageIndex
    • API String ID: 1452528299-1084377155
    • Opcode ID: 1884a29f4cad3495c4e99a050dfceeb459533453c3276b8be91c0f0538175367
    • Instruction ID: f675ddbf9bf65d2c8864d35bfc2a0ef151c179f1ce61033ec22a1301e47ab061
    • Opcode Fuzzy Hash: 1884a29f4cad3495c4e99a050dfceeb459533453c3276b8be91c0f0538175367
    • Instruction Fuzzy Hash: B341D031604248AACB20EB60CC46FFEB765BF45704F14057EF8457B2C1DFB86A48DA6A
    APIs
    • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,004ED435), ref: 004ED267
    • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004ED277
    • GetProcessWindowStation.USER32(?,00000000,?,004ED435), ref: 004ED29B
    • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00000000,?,004ED435), ref: 004ED2B6
    • GetLastError.KERNEL32(?,00000000,?,004ED435), ref: 004ED2C4
    • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00000000,?,004ED435), ref: 004ED2FF
    • _wcsstr.LIBCMT ref: 004ED324
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow_wcsstr
    • String ID: Service-0x$_OPENSSL_isservice
    • API String ID: 304827962-1672312481
    • Opcode ID: c919ec74f16f705704ae8a0218ee151bb0b45b40c15a9a658d3603e7ba714c99
    • Instruction ID: 9622ea2afe47c02f224cf29465ba0fd57309446c13369925b073d6e88a943018
    • Opcode Fuzzy Hash: c919ec74f16f705704ae8a0218ee151bb0b45b40c15a9a658d3603e7ba714c99
    • Instruction Fuzzy Hash: 4831EB35E001099FCB20DF79EC49AAE77B8EF85711F10466AF825D72D0EB349A048B91
    APIs
    • GetWindowLongW.USER32(?,000000F0), ref: 0040DE33
    • GetModuleHandleW.KERNEL32(User32.dll), ref: 0040DE4E
    • GetProcAddress.KERNEL32(00000000,UpdateLayeredWindow), ref: 0040DE5E
    • GetWindowLongW.USER32(?,000000EC), ref: 0040DE75
    • SetTimer.USER32(?,00002000,0000000A,00000000), ref: 0040DE95
    • KillTimer.USER32(?,00002000), ref: 0040DEAE
    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0040DEC2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: LongWindow$Timer$AddressHandleKillModuleProc
    • String ID: UpdateLayeredWindow$User32.dll
    • API String ID: 401180490-1943222131
    • Opcode ID: 5b34fcf38472fd8c9e2ba7f7a6ecad224b1d3dea548ea750c41c3f51989a4856
    • Instruction ID: 71f6b2f36c4a52f79f7bc3e340d4bf822a452acba3daa97df7c7cba6d040f115
    • Opcode Fuzzy Hash: 5b34fcf38472fd8c9e2ba7f7a6ecad224b1d3dea548ea750c41c3f51989a4856
    • Instruction Fuzzy Hash: 36210231A00B41AFDB205BB4DC44F577BA9BFA1751F18083AF596FA2D0CB799808C798
    APIs
    • __EH_prolog3.LIBCMT ref: 005660AA
    • std::_Lockit::_Lockit.LIBCPMT ref: 005660B4
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 005660CB
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • moneypunct.LIBCPMT ref: 005660EE
    • std::bad_exception::bad_exception.LIBCMT ref: 00566102
    • __CxxThrowException@8.LIBCMT ref: 00566110
    • std::_Facet_Register.LIBCPMT ref: 00566126
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmoneypunctstd::bad_exception::bad_exception
    • String ID: $=e$bad cast
    • API String ID: 3008301872-3046692957
    • Opcode ID: d6a0b41271fbbcb563cb7d3970bffb31092e0b2259bb294b855d4be3a7c08e9e
    • Instruction ID: 0143be44da5f6794645ef6e126572b75fbd62589cf871878bbb90f5636e00d33
    • Opcode Fuzzy Hash: d6a0b41271fbbcb563cb7d3970bffb31092e0b2259bb294b855d4be3a7c08e9e
    • Instruction Fuzzy Hash: 00016D7290062A9BCB11EBA4D80AABE7B79BF84750F104519F5106B292DB749A05C791
    APIs
    • __EH_prolog3.LIBCMT ref: 00566143
    • std::_Lockit::_Lockit.LIBCPMT ref: 0056614D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00566164
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • moneypunct.LIBCPMT ref: 00566187
    • std::bad_exception::bad_exception.LIBCMT ref: 0056619B
    • __CxxThrowException@8.LIBCMT ref: 005661A9
    • std::_Facet_Register.LIBCPMT ref: 005661BF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmoneypunctstd::bad_exception::bad_exception
    • String ID: =e$bad cast
    • API String ID: 3008301872-3063866146
    • Opcode ID: ab48f12fd48f01e71a8ae80a6503d3ee0ce9c8f58b50805baefc378c4661c82a
    • Instruction ID: 2114713e8f8fbd35da970d4c9cccaa9e519f725a3638c286f917e62d10dc88e5
    • Opcode Fuzzy Hash: ab48f12fd48f01e71a8ae80a6503d3ee0ce9c8f58b50805baefc378c4661c82a
    • Instruction Fuzzy Hash: 30018032D00A2A9BCF11EBB4DD1AEBE7B75BF84B50F100609F510AB292DF749A05D791
    APIs
    • __EH_prolog3.LIBCMT ref: 00565BE2
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565BEC
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565C03
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • collate.LIBCPMT ref: 00565C26
    • std::bad_exception::bad_exception.LIBCMT ref: 00565C3A
    • __CxxThrowException@8.LIBCMT ref: 00565C48
    • std::_Facet_Register.LIBCPMT ref: 00565C5E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcollatestd::bad_exception::bad_exception
    • String ID: bad cast$<e
    • API String ID: 100112561-2039507310
    • Opcode ID: 0f7bba51fabda8112df696415458ce1f4bd63a14e110e7a508b38da07257e46a
    • Instruction ID: a0e372e2d804eed4f6c2fc288480e6c25aae612e6bc3d9b6675f523d1882a98f
    • Opcode Fuzzy Hash: 0f7bba51fabda8112df696415458ce1f4bd63a14e110e7a508b38da07257e46a
    • Instruction Fuzzy Hash: B201C43190072A9BCB11EBA0DC56EBE7B757F84B50F140508F5106B292EF349E449790
    APIs
    • __EH_prolog3.LIBCMT ref: 00565DAD
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565DB7
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565DCE
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • messages.LIBCPMT ref: 00565DF1
    • std::bad_exception::bad_exception.LIBCMT ref: 00565E05
    • __CxxThrowException@8.LIBCMT ref: 00565E13
    • std::_Facet_Register.LIBCPMT ref: 00565E29
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmessagesstd::bad_exception::bad_exception
    • String ID: bad cast$<e
    • API String ID: 274672093-2039507310
    • Opcode ID: 85711ebb789baa484b0ae8bbe02572a3836fe97664620acd0432989e1e32ae76
    • Instruction ID: 5af8cd1d5d96ea5b792e2548871432a6c196b06c19a111b346d1d248ad5550af
    • Opcode Fuzzy Hash: 85711ebb789baa484b0ae8bbe02572a3836fe97664620acd0432989e1e32ae76
    • Instruction Fuzzy Hash: 1601C032D00A2A9BCF11EBA0DC0AABE7B79BF84750F104519F5146B2D2EF349E058B90
    APIs
      • Part of subcall function 004BF530: __CxxThrowException@8.LIBCMT ref: 004BF6B8
      • Part of subcall function 004BF530: __CxxThrowException@8.LIBCMT ref: 004BF6E6
      • Part of subcall function 004BF530: __CxxThrowException@8.LIBCMT ref: 004BF70F
    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004C03AB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw$Ios_base_dtorstd::ios_base::_
    • String ID: ' at index $' in '$string too long$unknown conversion specifier '$unterminated conversion specifier in '
    • API String ID: 2823994529-883313935
    • Opcode ID: c52852186940f6897430cca4ec686a00a8f268a9003289e22754899fb82afd96
    • Instruction ID: 547ab7d880db8d2f9905e5533a4658b10a2854ade56fe0bbd6d9a48d418a5750
    • Opcode Fuzzy Hash: c52852186940f6897430cca4ec686a00a8f268a9003289e22754899fb82afd96
    • Instruction Fuzzy Hash: FCF1BE70D00258DFDB60DB68CC85BEEBBF5AF45314F5441AEE419A7282DB385A88CF64
    APIs
    • __CxxThrowException@8.LIBCMT ref: 0044C9ED
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 13f284e05a411bd47868ddc9e31a0ca3ed0738396bd56b7b64ce0f73ac1fa5f4
    • Instruction ID: 76f8587f1ee67c7f95858e92ed895f2cb3dd791c0c1e3cb21ac42b0a13ea635a
    • Opcode Fuzzy Hash: 13f284e05a411bd47868ddc9e31a0ca3ed0738396bd56b7b64ce0f73ac1fa5f4
    • Instruction Fuzzy Hash: C4B18174A02249CFEB50CF58C4D0BAABBB1FF49714F188299E8159B392C739DD45CB94
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: DeleteFile
    • String ID: $$STR_CLOSE_TIP1$STR_CLOSE_TIP2$STR_MESSAGEBOX_TITLE$btn_start$imyfone-download.exe$switch
    • API String ID: 4033686569-2485943502
    • Opcode ID: 1397bd1f3f7871c2f6d14b76285589db4b2ae21c032986efd6b9fef8b9c16f1a
    • Instruction ID: 60a94674f7749998f1a6659bb6e41f9b5a6b067e1e915af85f44628da4f2bbd9
    • Opcode Fuzzy Hash: 1397bd1f3f7871c2f6d14b76285589db4b2ae21c032986efd6b9fef8b9c16f1a
    • Instruction Fuzzy Hash: F4A1BF70900298DFCF12EBA5CC59BEEBBB5BF15304F10056AE009772A1DB746A48CF65
    APIs
    • __CxxThrowException@8.LIBCMT ref: 00486AC9
    • __CxxThrowException@8.LIBCMT ref: 00486B0F
    • __CxxThrowException@8.LIBCMT ref: 00486B3D
    • __CxxThrowException@8.LIBCMT ref: 00486B66
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 4401a8c41fc851cc16cff549313a75f4778f484cfd280b3834ba6d3ef41cd7b6
    • Instruction ID: 4635a6acc5e5e6dc7afe7d6f99ebe05237c9d5cd00635d5ac3f1c66ffd04948a
    • Opcode Fuzzy Hash: 4401a8c41fc851cc16cff549313a75f4778f484cfd280b3834ba6d3ef41cd7b6
    • Instruction Fuzzy Hash: 9761BD70A002089FDB14EF98C985FAEBBF5BF44708F15845EE405AB392CB75EA45CB54
    APIs
    • __CxxThrowException@8.LIBCMT ref: 00486886
    • __CxxThrowException@8.LIBCMT ref: 004868CC
    • __CxxThrowException@8.LIBCMT ref: 004868FA
    • __CxxThrowException@8.LIBCMT ref: 00486923
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: db66547a1e07cf3e32ffdd5236053ad12ee95ab14f920bb64a33b77e2796d236
    • Instruction ID: fab0790e150fc8f4d35c2fd72d40464c78e71ad73f81933603f879933cf201ac
    • Opcode Fuzzy Hash: db66547a1e07cf3e32ffdd5236053ad12ee95ab14f920bb64a33b77e2796d236
    • Instruction Fuzzy Hash: 9861DD74A002089FDB10EF98C985FAEBBF5BF48708F15845EE405AB392CB79E945CB54
    APIs
    • __CxxThrowException@8.LIBCMT ref: 003FCCE6
    • __CxxThrowException@8.LIBCMT ref: 003FCD2C
    • __CxxThrowException@8.LIBCMT ref: 003FCD5A
    • __CxxThrowException@8.LIBCMT ref: 003FCD83
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: fe99bdf337155d5223da96117390c4153bf76dcd7aee18033858e037e564fcc3
    • Instruction ID: 2b374e1b53d8f465db776dce7deef65d4aef8d07cf70183d19d8967171ec4449
    • Opcode Fuzzy Hash: fe99bdf337155d5223da96117390c4153bf76dcd7aee18033858e037e564fcc3
    • Instruction Fuzzy Hash: 2E61CB74A4020C9FDB11DF98CA85FADBBF5BF48708F15906DE605AB292CB71E905CB40
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: KillTimer_memsetswprintf
    • String ID: banner$buttonLayout$imageIndex$option_%d
    • API String ID: 1419305116-3437201922
    • Opcode ID: bad6770c89f3cf31120cc5de3dbd64271d54145220c1102f2f8e6bdb8141a596
    • Instruction ID: c09867abcc1a34a97a16b1fc09276c8bc19fe539d4bb6602ef1dad7d96b9b99c
    • Opcode Fuzzy Hash: bad6770c89f3cf31120cc5de3dbd64271d54145220c1102f2f8e6bdb8141a596
    • Instruction Fuzzy Hash: F051B671A002189FCB10EF64DC8DBEE77A5EF44304F0005AAF909BB2D1DB78AA44DB95
    APIs
    • __CxxThrowException@8.LIBCMT ref: 0048641A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: a65d8cca416ea1c1a2721d4f8824b5d589b9629e6fcd71cab6fe20b875f8e59f
    • Instruction ID: 1b290edf5a89c49b2145d2ffc0bbcff2370cc8d7ca9f30e629b10c59195f3564
    • Opcode Fuzzy Hash: a65d8cca416ea1c1a2721d4f8824b5d589b9629e6fcd71cab6fe20b875f8e59f
    • Instruction Fuzzy Hash: F9518B70A002099FDB10DF98C985FAEBBF5BF48B08F14845EE405AB392CBB5E945CB54
    APIs
    • __CxxThrowException@8.LIBCMT ref: 004A8EBA
    • __CxxThrowException@8.LIBCMT ref: 004A8EE8
    • __CxxThrowException@8.LIBCMT ref: 004A8F11
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$~K
    • API String ID: 2005118841-2604892407
    • Opcode ID: 2553d92da6a7018a6c94e7ee4ebb98c71b5a3d2a032c92561ed5ec5dac422fcf
    • Instruction ID: f2c81d1a94c0f4e23b6df51492a634efc46b795d27155c3e6f30116a176811a3
    • Opcode Fuzzy Hash: 2553d92da6a7018a6c94e7ee4ebb98c71b5a3d2a032c92561ed5ec5dac422fcf
    • Instruction Fuzzy Hash: FF51BA70A01208DFCB10DF58C985BAABBF2FF65B14F64855EE5019B392CB79E902CB44
    APIs
    • WSASetLastError.WS2_32(00000000,0000000A,?), ref: 00494B6A
    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00494B81
      • Part of subcall function 00464BA0: WSAGetLastError.WS2_32(?,004AA932,00000000), ref: 00464BD5
    • WSASetLastError.WS2_32(00000000,0000000A,?), ref: 00494BA2
    • closesocket.WS2_32(?), ref: 00494BAA
    • ioctlsocket.WS2_32(?,8004667E,?), ref: 00494C33
    • WSASetLastError.WS2_32(00000000), ref: 00494C41
    • closesocket.WS2_32(?), ref: 00494C49
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ErrorLast$closesocket$ioctlsocketsetsockopt
    • String ID: D,]
    • API String ID: 136865605-2755246825
    • Opcode ID: 225d0a6687cd4ee7c1587b740fe76cbd2f7b6b96612594d7f644b520c67f7d26
    • Instruction ID: 8fd4bcc69286c9919c93f0b9d0e111df96c294bbd0f6f951024a8b914cdc5ce2
    • Opcode Fuzzy Hash: 225d0a6687cd4ee7c1587b740fe76cbd2f7b6b96612594d7f644b520c67f7d26
    • Instruction Fuzzy Hash: 5741D371900204AFDF10DFA4DC85F9EBBB8FF50325F14866AE9049B282DB78E985CB55
    APIs
    • _memset.LIBCMT ref: 00481B21
    • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,9C3DCF4C,00000118,00000000), ref: 00481B45
    • VerifyVersionInfoW.KERNEL32(0000011C,00000002,00000000), ref: 00481B56
    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 00481BB9
    • GetLastError.KERNEL32 ref: 00481BC6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CompletionConditionCreateErrorInfoLastMaskPortVerifyVersion_memset
    • String ID: D,]$D,]$iocp
    • API String ID: 2395855863-1831532921
    • Opcode ID: d9eebf7858ebcb5892f8d80b5dc154f6ad2b5cea9adba25270e086851aa350d4
    • Instruction ID: 28f4bfe2126d5b19fc434c8b11a7c31a7c5602532223469630fd36ac22ce2c49
    • Opcode Fuzzy Hash: d9eebf7858ebcb5892f8d80b5dc154f6ad2b5cea9adba25270e086851aa350d4
    • Instruction Fuzzy Hash: 9941ADB0940745AFE710DF28DC49B9ABBF4FB09324F10426AE405977C1D7B8A654CF94
    APIs
    • InternetQueryOptionW.WININET(9C3DCF4C,00000000,00000000,AXD), ref: 00445A3F
    • InternetQueryOptionW.WININET(9C3DCF4C,00000000,00000000,00000000), ref: 00445A9D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: InternetOptionQuery
    • String ID: AXD$CBaseRequest::QueryInternetOpt$ERR: InternetQueryOption fail! 0x%x$ERR: new %d bytes fail!$tool\BaseRequest.cpp
    • API String ID: 2202126096-4206803086
    • Opcode ID: 111736d930c840b86b2b54f2b787c1225b4355b6ac8b6de0dad296d4b89e039e
    • Instruction ID: 15ab390444703d0493884dab996542b4ca4e788dca8499766a78126da67be130
    • Opcode Fuzzy Hash: 111736d930c840b86b2b54f2b787c1225b4355b6ac8b6de0dad296d4b89e039e
    • Instruction Fuzzy Hash: E3319571A40219ABDF21DFA4EC46FEFBB78FF69704F00405AF80576282D6795504DBA1
    APIs
    • _memset.LIBCMT ref: 0044625A
    • FormatMessageA.KERNEL32(00000800,?,00445FD2,00000400,00000000,00000104,00000000,00000000,?,00000002), ref: 0044627F
    • GetCurrentThreadId.KERNEL32 ref: 00446298
    • GetCurrentThreadId.KERNEL32 ref: 004462D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CurrentThread$FormatMessage_memset
    • String ID: ShowApiError$[Thread][%d] [%s]call %s fail %d, %s$[Thread][%d] call %s fail %d, %s$stdafx.cpp
    • API String ID: 3163461047-2031427288
    • Opcode ID: 26377d92eb49b9eb0321e1f57587b43acf5073fd858640cefa7268f8e4e0c9c5
    • Instruction ID: 8281ebd5679fee97269ebbdb51d8791cacdf62c7295055c437034dce9ae7b326
    • Opcode Fuzzy Hash: 26377d92eb49b9eb0321e1f57587b43acf5073fd858640cefa7268f8e4e0c9c5
    • Instruction Fuzzy Hash: DF21C9717402087BDB30DB59DC86FEB7BBCFB99B15F004096F648A62C1D9B15A848BA1
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 0047FD5D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::exception::exception.LIBCMT ref: 0047FDB8
      • Part of subcall function 0057A0A2: std::exception::_Copy_str.LIBCMT ref: 0057A0BB
    • __CxxThrowException@8.LIBCMT ref: 0047FDCD
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0047FDD7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
    • String ID: `y\$hy\$hy\$hy\
    • API String ID: 271752322-3437322813
    • Opcode ID: 5bd4328798d56423470058bee5cff7415d478298b6191512aeb9d8f15272394c
    • Instruction ID: 0107250b46f8b2462ae93f46bde21414307270ab9ee8e3530f011649b79dc433
    • Opcode Fuzzy Hash: 5bd4328798d56423470058bee5cff7415d478298b6191512aeb9d8f15272394c
    • Instruction Fuzzy Hash: 33218E718047489ED721CF69D804B8BBFF8FF18710F008A1EE85997B81D7B9A608CB95
    APIs
    • __EH_prolog3.LIBCMT ref: 005661DC
    • std::_Lockit::_Lockit.LIBCPMT ref: 005661E6
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 005661FD
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • moneypunct.LIBCPMT ref: 00566220
    • std::bad_exception::bad_exception.LIBCMT ref: 00566234
    • __CxxThrowException@8.LIBCMT ref: 00566242
    • std::_Facet_Register.LIBCPMT ref: 00566258
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmoneypunctstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 3008301872-3145022300
    • Opcode ID: 2facab87d8bde07039f2bb8722ad45bf2528267b2766ac703e733965d4c6e9f2
    • Instruction ID: 4d7fb13ac84f62d406a84766417bec804dd5b97e32c9f681cbcafa18cc8fc094
    • Opcode Fuzzy Hash: 2facab87d8bde07039f2bb8722ad45bf2528267b2766ac703e733965d4c6e9f2
    • Instruction Fuzzy Hash: 58018435D006299BCB15EBA0D81AEBD7B75BF84B50F104509F9106B292DF749E058791
    APIs
    • __EH_prolog3.LIBCMT ref: 00566275
    • std::_Lockit::_Lockit.LIBCPMT ref: 0056627F
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00566296
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • moneypunct.LIBCPMT ref: 005662B9
    • std::bad_exception::bad_exception.LIBCMT ref: 005662CD
    • __CxxThrowException@8.LIBCMT ref: 005662DB
    • std::_Facet_Register.LIBCPMT ref: 005662F1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmoneypunctstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 3008301872-3145022300
    • Opcode ID: ac2c9c20a756711a0b3e0ed627f211c6cca4ffcb62b9057880db1c4b764dd5b8
    • Instruction ID: 658afc3d46f00254bee73770a50f585cf240b5e1750efacdf0aa97df72a0cbe3
    • Opcode Fuzzy Hash: ac2c9c20a756711a0b3e0ed627f211c6cca4ffcb62b9057880db1c4b764dd5b8
    • Instruction Fuzzy Hash: 6101C07290062A9BCB11EBA0DC1AABE7B75BF84B50F100518F510AB292DF749A058790
    APIs
    • __EH_prolog3.LIBCMT ref: 005663A7
    • std::_Lockit::_Lockit.LIBCPMT ref: 005663B1
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 005663C8
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 005663FF
    • __CxxThrowException@8.LIBCMT ref: 0056640D
    • std::_Facet_Register.LIBCPMT ref: 00566423
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast$<e
    • API String ID: 1668375557-2039507310
    • Opcode ID: abcad94966547c443840297f04cb73dde060b88f92bcf263a53d642c9fa65388
    • Instruction ID: 099e8766e40ff149b06137cb0f4b1c4e0c29aa5e74ee2eaded6c18949c329455
    • Opcode Fuzzy Hash: abcad94966547c443840297f04cb73dde060b88f92bcf263a53d642c9fa65388
    • Instruction Fuzzy Hash: B801C03290062A9BCF11EBA0DC4AABE7B79BF84750F104519F510AB292DF349E05D790
    APIs
    • __EH_prolog3.LIBCMT ref: 005664D9
    • std::_Lockit::_Lockit.LIBCPMT ref: 005664E3
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 005664FA
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • numpunct.LIBCPMT ref: 0056651D
    • std::bad_exception::bad_exception.LIBCMT ref: 00566531
    • __CxxThrowException@8.LIBCMT ref: 0056653F
    • std::_Facet_Register.LIBCPMT ref: 00566555
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__locknumpunctstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 3335846020-3145022300
    • Opcode ID: b43cde43a45a5028c9f617ec396ee512ec050247985138d4fb67e914027ea644
    • Instruction ID: 613cb33373a2422ad8340b8a8f1648b3f65d3c9076949273007017262f1fdce8
    • Opcode Fuzzy Hash: b43cde43a45a5028c9f617ec396ee512ec050247985138d4fb67e914027ea644
    • Instruction Fuzzy Hash: C501CC3290062A9BCB11EBA4DC1AABE7B75BF94B50F500608F511AB292EF349A048790
    APIs
    • __EH_prolog3.LIBCMT ref: 00566572
    • std::_Lockit::_Lockit.LIBCPMT ref: 0056657C
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00566593
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 005665CA
    • __CxxThrowException@8.LIBCMT ref: 005665D8
    • std::_Facet_Register.LIBCPMT ref: 005665EE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: (=e$bad cast
    • API String ID: 1668375557-2962396636
    • Opcode ID: b7346941058ffda8f6161861f565a72320124ef293daea3fa97ed8f0f2820387
    • Instruction ID: 652df62b1e7e69a0e83ae394952f67b3fb15ddf3d682b2cbebd687aae37a12e7
    • Opcode Fuzzy Hash: b7346941058ffda8f6161861f565a72320124ef293daea3fa97ed8f0f2820387
    • Instruction Fuzzy Hash: 0C01C03290062A9BCF11EBA0DC0AEBE7B75BF94750F504519F5116B2D2DF349E058B91
    APIs
    • __EH_prolog3.LIBCMT ref: 005666A4
    • std::_Lockit::_Lockit.LIBCPMT ref: 005666AE
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 005666C5
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 005666FC
    • __CxxThrowException@8.LIBCMT ref: 0056670A
    • std::_Facet_Register.LIBCPMT ref: 00566720
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: ,=e$bad cast
    • API String ID: 1668375557-3012865699
    • Opcode ID: 5b516fd8c40ed03723d67b81044cb79e05cbbf503c60fd728efae19f565ea4b7
    • Instruction ID: 1f090b436d985b36f09da810e9010691bacca4e60c2662b0d29e82731deaca02
    • Opcode Fuzzy Hash: 5b516fd8c40ed03723d67b81044cb79e05cbbf503c60fd728efae19f565ea4b7
    • Instruction Fuzzy Hash: B0018032D0062A9BCB11EBA0DC4AABE7B79BF84B50F140509F9106B292DF749E059791
    APIs
    • __EH_prolog3.LIBCMT ref: 0056673D
    • std::_Lockit::_Lockit.LIBCPMT ref: 00566747
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 0056675E
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00566795
    • __CxxThrowException@8.LIBCMT ref: 005667A3
    • std::_Facet_Register.LIBCPMT ref: 005667B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast$<e
    • API String ID: 1668375557-2039507310
    • Opcode ID: ce582314f214c09fa8f1343733efce9611514dffea1a7e004db6c6627d6e10a6
    • Instruction ID: 133ef9cb8aa0154afa4c3e6306a5f944d38fcf9b686e470aa2c58bf298e4b90a
    • Opcode Fuzzy Hash: ce582314f214c09fa8f1343733efce9611514dffea1a7e004db6c6627d6e10a6
    • Instruction Fuzzy Hash: DB01C03690062A9BCB11EBA0D81AEBE7B75BF84B54F100508F5106B292DF349A058791
    APIs
    • __EH_prolog3.LIBCMT ref: 00571930
    • std::_Lockit::_Lockit.LIBCPMT ref: 0057193A
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00571951
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • messages.LIBCPMT ref: 00571974
    • std::bad_exception::bad_exception.LIBCMT ref: 00571988
    • __CxxThrowException@8.LIBCMT ref: 00571996
    • std::_Facet_Register.LIBCPMT ref: 005719AC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmessagesstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 274672093-3145022300
    • Opcode ID: c2a3a298327c0abe68a860d4d4e1380e775670ebbfdfe796a3931b093398a3f2
    • Instruction ID: 617508a7fc404f5df4a1af26f9c140d689d3adf84faed2e2d0ca38e9df138340
    • Opcode Fuzzy Hash: c2a3a298327c0abe68a860d4d4e1380e775670ebbfdfe796a3931b093398a3f2
    • Instruction Fuzzy Hash: 81010431900A299BCB11EBA4D91AEFE7B75BF84B50F104508F5146B282DF349E059790
    APIs
    • __EH_prolog3.LIBCMT ref: 00563A15
    • std::_Lockit::_Lockit.LIBCPMT ref: 00563A1F
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00563A36
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • codecvt.LIBCPMT ref: 00563A59
    • std::bad_exception::bad_exception.LIBCMT ref: 00563A6D
    • __CxxThrowException@8.LIBCMT ref: 00563A7B
    • std::_Facet_Register.LIBCPMT ref: 00563A91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1512642153-3145022300
    • Opcode ID: 110079839982e31339e48bb994ba8ed06189c61fd43f8781dfbfec973c57f560
    • Instruction ID: 1d3d385e58dd9870d4bee2bdecc6bbcb05c9925bda372bf4a6f4e1e817212168
    • Opcode Fuzzy Hash: 110079839982e31339e48bb994ba8ed06189c61fd43f8781dfbfec973c57f560
    • Instruction Fuzzy Hash: 3F01CC32D0062A9BCB11EBE0DC0AABE7F75BF84720F100518F554BB2D2EF349A04A790
    APIs
    • __EH_prolog3.LIBCMT ref: 00571AFB
    • std::_Lockit::_Lockit.LIBCPMT ref: 00571B05
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00571B1C
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • moneypunct.LIBCPMT ref: 00571B3F
    • std::bad_exception::bad_exception.LIBCMT ref: 00571B53
    • __CxxThrowException@8.LIBCMT ref: 00571B61
    • std::_Facet_Register.LIBCPMT ref: 00571B77
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmoneypunctstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 3008301872-3145022300
    • Opcode ID: caa2b27031462ab99c89a6ff383da74b2fc9e92e85a7a874ddba7eb3933e88e5
    • Instruction ID: 33c3c7d2434d63aac354f8b411ea9ebdf8585aeb1dd8388cab358c652f889fb2
    • Opcode Fuzzy Hash: caa2b27031462ab99c89a6ff383da74b2fc9e92e85a7a874ddba7eb3933e88e5
    • Instruction Fuzzy Hash: CC010432D00A2A9BCB11EBA4DC0AEFD7B75BF84750F104509F5086B292EF309A049790
    APIs
    • __EH_prolog3.LIBCMT ref: 00565AB0
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565ABA
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565AD1
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • codecvt.LIBCPMT ref: 00565AF4
    • std::bad_exception::bad_exception.LIBCMT ref: 00565B08
    • __CxxThrowException@8.LIBCMT ref: 00565B16
    • std::_Facet_Register.LIBCPMT ref: 00565B2C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1512642153-3145022300
    • Opcode ID: 49dab5cf39dbd7d25b46c9ba9ba6b5bace2bab52e17409d809a72601cc30adac
    • Instruction ID: 577afbe0ac78b1a39bc3b725edf6337ae123a11cf54653212fe1409b42a651c4
    • Opcode Fuzzy Hash: 49dab5cf39dbd7d25b46c9ba9ba6b5bace2bab52e17409d809a72601cc30adac
    • Instruction Fuzzy Hash: E501C032940A2A9BCB11EBA0DC0AEBEBB75BF84710F100509F5117B292EF349E05D791
    APIs
    • __EH_prolog3.LIBCMT ref: 00565B49
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565B53
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565B6A
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • collate.LIBCPMT ref: 00565B8D
    • std::bad_exception::bad_exception.LIBCMT ref: 00565BA1
    • __CxxThrowException@8.LIBCMT ref: 00565BAF
    • std::_Facet_Register.LIBCPMT ref: 00565BC5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcollatestd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 100112561-3145022300
    • Opcode ID: 4417c00124425c37020d3a1772cc16b90fb951f1a9e0180a2c1eae8f09829e4f
    • Instruction ID: f278daba2d43d33c193e4bc268df279fead93703adf9626ff809fd6e3aa65a79
    • Opcode Fuzzy Hash: 4417c00124425c37020d3a1772cc16b90fb951f1a9e0180a2c1eae8f09829e4f
    • Instruction Fuzzy Hash: 9501C032900A2A9BCB11EBA4D80AEBE7B75BF84750F100509F5116B2A2EF749A04C790
    APIs
    • __EH_prolog3.LIBCMT ref: 00571B94
    • std::_Lockit::_Lockit.LIBCPMT ref: 00571B9E
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00571BB5
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • moneypunct.LIBCPMT ref: 00571BD8
    • std::bad_exception::bad_exception.LIBCMT ref: 00571BEC
    • __CxxThrowException@8.LIBCMT ref: 00571BFA
    • std::_Facet_Register.LIBCPMT ref: 00571C10
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmoneypunctstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 3008301872-3145022300
    • Opcode ID: a5aed608b3dfbaece0d953b6988f829f1ee8bca5781e95fe6b0b2355d715c8e4
    • Instruction ID: ab9dd7cb0216a7cfc49451a75ce4f2a0cfb42dd4501bda5b831b30ac0bc123ca
    • Opcode Fuzzy Hash: a5aed608b3dfbaece0d953b6988f829f1ee8bca5781e95fe6b0b2355d715c8e4
    • Instruction Fuzzy Hash: 3F01C472D00A3A9BCB11EBA4DC1AEFD7B797F84750F104508F5146B292DF749E049790
    APIs
    • __EH_prolog3.LIBCMT ref: 00565C7B
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565C85
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565C9C
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • ctype.LIBCPMT ref: 00565CBF
    • std::bad_exception::bad_exception.LIBCMT ref: 00565CD3
    • __CxxThrowException@8.LIBCMT ref: 00565CE1
    • std::_Facet_Register.LIBCPMT ref: 00565CF7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockctypestd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 3821627282-3145022300
    • Opcode ID: c71dbebc82709d699793d85bbe20d1194ef870e56b0c58cc23485d0dc0c8072b
    • Instruction ID: 884f1e7b84959f336c2cae1996f0797f54e64d772dae81d7372bd7301b53153d
    • Opcode Fuzzy Hash: c71dbebc82709d699793d85bbe20d1194ef870e56b0c58cc23485d0dc0c8072b
    • Instruction Fuzzy Hash: A001C032D00A2A9BCF11EBA0DC0AEBE7B75BF84750F100518F911BB292EF349E058790
    APIs
    • __EH_prolog3.LIBCMT ref: 00565D14
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565D1E
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565D35
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • messages.LIBCPMT ref: 00565D58
    • std::bad_exception::bad_exception.LIBCMT ref: 00565D6C
    • __CxxThrowException@8.LIBCMT ref: 00565D7A
    • std::_Facet_Register.LIBCPMT ref: 00565D90
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockmessagesstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 274672093-3145022300
    • Opcode ID: 0052e701df00eee676132c9568a1146e2af9ed7ae4696764465f1ae5cacb82ac
    • Instruction ID: 6ddb933fcefe691b435578ed052d28032c37e69bbad3a9a36ad50fe71406c6c9
    • Opcode Fuzzy Hash: 0052e701df00eee676132c9568a1146e2af9ed7ae4696764465f1ae5cacb82ac
    • Instruction Fuzzy Hash: 6701C431D00A2A9BCB21EBA4D80AABD7B757F84750F100508F5156B2D2EF349A04C790
    APIs
    • _memset.LIBCMT ref: 003EED24
    • ShellExecuteExW.SHELL32(?), ref: 003EED67
    • LoadLibraryA.KERNEL32(wdc.dll), ref: 003EED76
    • GetProcAddress.KERNEL32(00000000,WdcRunTaskAsInteractiveUser), ref: 003EED82
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: AddressExecuteLibraryLoadProcShell_memset
    • String ID: <$Dv\$WdcRunTaskAsInteractiveUser$wdc.dll
    • API String ID: 729207603-3212236406
    • Opcode ID: b6388397d34baddca0e2ab31e920cd02fb25cdc600c21857b1958e39fbaf321d
    • Instruction ID: bb0bd04b8fb4ca85dd14a0925b42978b5de6018542ccb40b16bb193e7e287d81
    • Opcode Fuzzy Hash: b6388397d34baddca0e2ab31e920cd02fb25cdc600c21857b1958e39fbaf321d
    • Instruction Fuzzy Hash: D00128B094124CAFDF01DFE4EC49BCDBFB8AB08704F008149F908AA291C7B55648DF95
    APIs
    • _memmove.LIBCMT ref: 003E7869
    • __CxxThrowException@8.LIBCMT ref: 003E78EE
    • _malloc.LIBCMT ref: 003E78F8
    • WinHttpQueryDataAvailable.WINHTTP(00000008,?), ref: 003E790F
    • _free.LIBCMT ref: 003E7931
    • _malloc.LIBCMT ref: 003E793B
    • WinHttpReadData.WINHTTP(00000008,00000000,?,?), ref: 003E7953
    • WinHttpQueryDataAvailable.WINHTTP(00000008,?,00000000,?), ref: 003E7973
    • _free.LIBCMT ref: 003E7985
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: DataHttp$AvailableQuery_free_malloc$Exception@8ReadThrow_memmove
    • String ID:
    • API String ID: 441588510-0
    • Opcode ID: 4a943988b487f3ec27431c10d9559f0865e73397885056dbac0549c950af4559
    • Instruction ID: b489794b8790f424fdcb907cda63420d865d7915baf9f5e6f3f849461db6429c
    • Opcode Fuzzy Hash: 4a943988b487f3ec27431c10d9559f0865e73397885056dbac0549c950af4559
    • Instruction Fuzzy Hash: 3BB1897050C3818FDB26DF29D849B6BBBE5BF95304F000A2DF48987292D7719948CB93
    APIs
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DA8
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DB9
      • Part of subcall function 003E7D50: WinHttpCloseHandle.WINHTTP(?,9C3DCF4C,?,6F756160), ref: 003E7DCA
      • Part of subcall function 003E7D50: WinHttpOpen.WINHTTP(Microsoft Internet Explorer,00000000,00000000,00000000,00000000,9C3DCF4C,?,6F756160), ref: 003E7DE0
    • _memmove.LIBCMT ref: 003E7AC4
    • __CxxThrowException@8.LIBCMT ref: 003E7B17
    • _malloc.LIBCMT ref: 003E7B21
    • WinHttpQueryDataAvailable.WINHTTP(?,?), ref: 003E7B3C
    • _free.LIBCMT ref: 003E7B57
    • _malloc.LIBCMT ref: 003E7B61
    • WinHttpReadData.WINHTTP(?,00000000,?,?), ref: 003E7B79
    • WinHttpQueryDataAvailable.WINHTTP(?,?,00000000,?), ref: 003E7B99
    • _free.LIBCMT ref: 003E7BAB
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Http$CloseDataHandle$AvailableQuery_free_malloc$Exception@8OpenReadThrow_memmove
    • String ID:
    • API String ID: 3855441584-0
    • Opcode ID: ba9e2015ddfa463c0c002d911512ac19032facef52c3ebde6cf0fa8c5db9d121
    • Instruction ID: 98a40f99a00bf087b17b59e12126babc77aac670871ad4e4d6eab0117b980fae
    • Opcode Fuzzy Hash: ba9e2015ddfa463c0c002d911512ac19032facef52c3ebde6cf0fa8c5db9d121
    • Instruction Fuzzy Hash: 9D5189715083919FDB12DF15D884B6BBBE8FF89314F004A2DF89597291D734DA04CBA2
    APIs
      • Part of subcall function 003E3410: _memmove.LIBCMT ref: 003E34B9
    • _memmove.LIBCMT ref: 003E88FC
      • Part of subcall function 003E3510: _memmove.LIBCMT ref: 003E35F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID: Accept$Accept-Language$Connection$GET $HTTP/1.1$User-Agent
    • API String ID: 4104443479-659583226
    • Opcode ID: 9f9fa9153fba68bb12e418fc2c3fde628c678d2954554e5206626f0ae5646c49
    • Instruction ID: 8655c7b5be558f43372c8bb654199ef7d5704c060ff35e5ff39e68fa67dbeca6
    • Opcode Fuzzy Hash: 9f9fa9153fba68bb12e418fc2c3fde628c678d2954554e5206626f0ae5646c49
    • Instruction Fuzzy Hash: F1D1AC714083909FDB12DF15C881B9BBBE8BF85304F484A5DF9855B2D2DB71EA48CB92
    APIs
    • __CxxThrowException@8.LIBCMT ref: 0044CD75
    • __CxxThrowException@8.LIBCMT ref: 0044CDA3
    • __CxxThrowException@8.LIBCMT ref: 0044CDCC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: f97ae07b254ac5f8f6c3ff3f29dd27656846ae561033ba241980c9bc5bc33d5e
    • Instruction ID: 89e32e708ab34e46d5d130838f4198d9f83fab29be0f869db0d225755a7b76bb
    • Opcode Fuzzy Hash: f97ae07b254ac5f8f6c3ff3f29dd27656846ae561033ba241980c9bc5bc33d5e
    • Instruction Fuzzy Hash: 0DB19475A012458FE750CF64C4C5BAABBB1FF49714F18829AE8159B392C739EC41CB44
    APIs
      • Part of subcall function 003E3820: _memmove.LIBCMT ref: 003E38DC
    • MessageBoxW.USER32(0000000B,?,00000000,00000032), ref: 003FE6C7
      • Part of subcall function 003FE300: DeleteFileW.KERNEL32(00000000,?,imyfone-download.exe,9C3DCF4C), ref: 003FE35D
      • Part of subcall function 003FE300: DeleteFileW.KERNEL32(00000000), ref: 003FE36F
    Strings
    • imyfone-download.exe, xrefs: 003FE761
    • CDuiFrameWnd::DownloadFailed, xrefs: 003FE4B1
    • STR_OPERATE_TIP, xrefs: 003FE4D6
    • STR_NETWORK_ERROR, xrefs: 003FE4F9
    • D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp, xrefs: 003FE4AC
    • STR_MESSAGEBOX_TITLE, xrefs: 003FE651
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: DeleteFile$Message_memmove
    • String ID: CDuiFrameWnd::DownloadFailed$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$STR_MESSAGEBOX_TITLE$STR_NETWORK_ERROR$STR_OPERATE_TIP$imyfone-download.exe
    • API String ID: 1175062728-3906897161
    • Opcode ID: 5ab53c1029fd303dda1798adae599990522441220cd2b311cf2225d86dd30528
    • Instruction ID: d840c26b0e55360996fe38a111c6155b5564a7f9ee6b01d98444b4eb400902d8
    • Opcode Fuzzy Hash: 5ab53c1029fd303dda1798adae599990522441220cd2b311cf2225d86dd30528
    • Instruction Fuzzy Hash: 02B19070D1025CDADF11EBA4CC49BEEBBB5BF14304F0041A9E109B7291DB756A48DFA6
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID: invalid string position$string too long
    • API String ID: 4104443479-4289949731
    • Opcode ID: bf993d0e1458a0ed99e935df3c1029985832af0176c30013f5709823df81a47a
    • Instruction ID: b76f0a77f453484fbf2aa5d213a07458faac57658f39e109124f4b33fe3bdbb1
    • Opcode Fuzzy Hash: bf993d0e1458a0ed99e935df3c1029985832af0176c30013f5709823df81a47a
    • Instruction Fuzzy Hash: 8A71B2B030061A9BCB24DE58D9C4DAA77AAFFC5740720453FEA059B285DB34E951CBE8
    APIs
    • __CxxThrowException@8.LIBCMT ref: 0044C6CB
    • __CxxThrowException@8.LIBCMT ref: 0044C6F9
    • __CxxThrowException@8.LIBCMT ref: 0044C722
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 906327054d4a7cc0da290cad935dbb3c509f0ed8d75297f0bd46f2be060ccd0c
    • Instruction ID: 66a36f23e41e09ea63f6d472e03f5b940ba8a4d6f2a676abe460d156c45b239f
    • Opcode Fuzzy Hash: 906327054d4a7cc0da290cad935dbb3c509f0ed8d75297f0bd46f2be060ccd0c
    • Instruction Fuzzy Hash: 89A18D74A02214DFEB50CF54C5C0BAABBB1BF49718F298199E8059F392C779EC46CB44
    APIs
      • Part of subcall function 003F12A0: _malloc.LIBCMT ref: 003F136C
    • _free.LIBCMT ref: 003FBC7E
    • _free.LIBCMT ref: 003FBAFA
      • Part of subcall function 00579A30: RtlFreeHeap.NTDLL(00000000,00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A44
      • Part of subcall function 00579A30: GetLastError.KERNEL32(00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A56
    • _free.LIBCMT ref: 003FBB17
      • Part of subcall function 003F2A60: _free.LIBCMT ref: 003F2A73
    • _free.LIBCMT ref: 003FBC9B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast_malloc
    • String ID: code$data$message
    • API String ID: 1665461253-3046758922
    • Opcode ID: 20dc24a54e8e206f1076aa27eb3f221f5bc17c838774ee5b96c0781978ff423f
    • Instruction ID: c5ce4454ff01db4d1cf010eb0980dccd2a6e9971b54c6c1a124dce7696d41e19
    • Opcode Fuzzy Hash: 20dc24a54e8e206f1076aa27eb3f221f5bc17c838774ee5b96c0781978ff423f
    • Instruction Fuzzy Hash: BB719EB1D0021C9BCB12EBA4D845BBEBB74FF54704F098068E60A7B255EB71AD46CB91
    APIs
    • __CxxThrowException@8.LIBCMT ref: 004B8A64
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 9e04fba37b0b5704314dcd5fe0cc1008d259b73253db297ac5319701c65a6587
    • Instruction ID: 9cb8556aea3ae2b9d22735a5aa44190d754c2c04958efea8f648830d57a5e707
    • Opcode Fuzzy Hash: 9e04fba37b0b5704314dcd5fe0cc1008d259b73253db297ac5319701c65a6587
    • Instruction Fuzzy Hash: 6F517970A00209DFDB14DF98C985FEEBBB9BF48B04F14415EE501AB391DBB4AA04CB65
    APIs
    • __CxxThrowException@8.LIBCMT ref: 004BF6B8
    • __CxxThrowException@8.LIBCMT ref: 004BF6E6
    • __CxxThrowException@8.LIBCMT ref: 004BF70F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 683663e99aa04d179234ed16b0dbd67716f316be05914033138324c2d24a70f4
    • Instruction ID: 7e89349a49c610bddb41778b8d745bff261f2daff0c53de5c98acb771d07b53f
    • Opcode Fuzzy Hash: 683663e99aa04d179234ed16b0dbd67716f316be05914033138324c2d24a70f4
    • Instruction Fuzzy Hash: 21514C74A012089FCB10CF58D985FAABBF1FF04718F64856EE4199B3A2C775E90ACB54
    APIs
    • _memset.LIBCMT ref: 00400FED
    • SHBrowseForFolderW.SHELL32(9C3DCF4C), ref: 004010E4
    • _memset.LIBCMT ref: 004010FE
    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040110E
    • CoTaskMemFree.OLE32(00000000), ref: 00401115
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$BrowseFolderFreeFromListPathTask
    • String ID: @$STR_SELECT_FOLDER
    • API String ID: 1724956207-1706863500
    • Opcode ID: 8e63ea9359229e88eb07c7180dfa86b92c8b4a01d4a5fe6792ffba0ec938cd08
    • Instruction ID: 4c244eac5289252581cba6e4196fd8a3b696b9774062b237f487c447b3aa533f
    • Opcode Fuzzy Hash: 8e63ea9359229e88eb07c7180dfa86b92c8b4a01d4a5fe6792ffba0ec938cd08
    • Instruction Fuzzy Hash: 2A4141B19002699BDB60DF64CC89BDDB7B8FF44314F4001EAE609A7291DB745B88CF59
    APIs
    • __wgetenv.LIBCMT ref: 004ED138
    • _swscanf.LIBCMT ref: 004ED161
      • Part of subcall function 0057F827: _vscan_fn.LIBCMT ref: 0057F83B
    • _strtoul.LIBCMT ref: 004ED170
      • Part of subcall function 0057F7FD: strtoxl.LIBCMT ref: 0057F81D
    • ___from_strstr_to_strchr.LIBCMT ref: 004ED1CE
    • _strtoul.LIBCMT ref: 004ED1EB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _strtoul$___from_strstr_to_strchr__wgetenv_swscanf_vscan_fnstrtoxl
    • String ID: %I64i$OPENSSL_ia32cap
    • API String ID: 4263465749-1470193844
    • Opcode ID: 4398aa2e95153364d249b3cb314d37d91637996d26558ab03c185d6414f9e0f7
    • Instruction ID: bef3a50291fc207fa723907b4252f038dacd724dc81524d830edd77fcf59a5ba
    • Opcode Fuzzy Hash: 4398aa2e95153364d249b3cb314d37d91637996d26558ab03c185d6414f9e0f7
    • Instruction Fuzzy Hash: 6031F9B1D443826FF700DF56AC4271B7BD9AB80346F15847EE84886281EB7899898756
    APIs
    • __CxxThrowException@8.LIBCMT ref: 00403CF2
    • __CxxThrowException@8.LIBCMT ref: 00403D20
    • __CxxThrowException@8.LIBCMT ref: 00403D49
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 4127a571a3e139ad1f126ba553b876426153a9b347026781184de653a064020c
    • Instruction ID: 67cadd8a24a4ae0f0e7a7de09b1c9a6fa4a39a6131085b243352cc3c6fbc6cf9
    • Opcode Fuzzy Hash: 4127a571a3e139ad1f126ba553b876426153a9b347026781184de653a064020c
    • Instruction Fuzzy Hash: EF31B030A40208AFC710DF54DD86FAABBF9FF04B19F40546AF401A76D1CBB5AA04CA05
    APIs
    • FindCompleteObject.LIBCMT ref: 0057AD40
    • FindMITargetTypeInstance.LIBCMT ref: 0057AD79
      • Part of subcall function 0057A9DF: PMDtoOffset.LIBCMT ref: 0057AA71
    • FindVITargetTypeInstance.LIBCMT ref: 0057AD80
    • PMDtoOffset.LIBCMT ref: 0057AD91
    • std::bad_exception::bad_exception.LIBCMT ref: 0057ADBA
    • __CxxThrowException@8.LIBCMT ref: 0057ADC8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Find$InstanceOffsetTargetType$CompleteException@8ObjectThrowstd::bad_exception::bad_exception
    • String ID: Bad dynamic_cast!
    • API String ID: 1565299582-2956939130
    • Opcode ID: d74b4ac8fcbf0c70be50bb5db48117964a9a7a0d92dd6a38de19ccd57ee3bac1
    • Instruction ID: 0f2c439e09269657614d371e9310a83489da2a51f6f3d45e93c8289845d891b0
    • Opcode Fuzzy Hash: d74b4ac8fcbf0c70be50bb5db48117964a9a7a0d92dd6a38de19ccd57ee3bac1
    • Instruction Fuzzy Hash: 0721EBB2A00205DFCB21DFA8ED45AAE7F79BFC8711F158409F80993181DB75D940EB52
    APIs
    • __EH_prolog3.LIBCMT ref: 00566011
    • std::_Lockit::_Lockit.LIBCPMT ref: 0056601B
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00566032
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00566069
    • __CxxThrowException@8.LIBCMT ref: 00566077
    • std::_Facet_Register.LIBCPMT ref: 0056608D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: 58934bd6386982f610aefef2e4a3c9a1d61725db8b6be2761fd8d66e0fa30296
    • Instruction ID: 8336eb78e897d43a0b7f579663e22f31e1f058d512321da59db5568960236142
    • Opcode Fuzzy Hash: 58934bd6386982f610aefef2e4a3c9a1d61725db8b6be2761fd8d66e0fa30296
    • Instruction Fuzzy Hash: E40184319006299BCB25EBA0DC0AABE7B757F84B60F140519F5146B292DF749E058791
    APIs
    • __EH_prolog3.LIBCMT ref: 0056630E
    • std::_Lockit::_Lockit.LIBCPMT ref: 00566318
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 0056632F
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00566366
    • __CxxThrowException@8.LIBCMT ref: 00566374
    • std::_Facet_Register.LIBCPMT ref: 0056638A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: ce825379d62b54b1a31d7bb40a07c7758f608f6f5cbcaab15f6edb49b7730616
    • Instruction ID: 64e05610a6c52d270f12f298e45fcd0cbd7cccd7ad8261a012888b7fa1bba8d0
    • Opcode Fuzzy Hash: ce825379d62b54b1a31d7bb40a07c7758f608f6f5cbcaab15f6edb49b7730616
    • Instruction Fuzzy Hash: 1F01C431E006299BCB11EBA0D80AEBD7B75BF84750F100608F5146B2D2EF349E05CB91
    APIs
    • __EH_prolog3.LIBCMT ref: 00566440
    • std::_Lockit::_Lockit.LIBCPMT ref: 0056644A
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00566461
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00566498
    • __CxxThrowException@8.LIBCMT ref: 005664A6
    • std::_Facet_Register.LIBCPMT ref: 005664BC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: e530e6fa199862b4e615544d6e4ccbacce8a09d4d40d32c778aab1d8db98667d
    • Instruction ID: 8fde3f9865f2d66d35f54ae85538edad6f93e6852c69ae9f470ba668570005ac
    • Opcode Fuzzy Hash: e530e6fa199862b4e615544d6e4ccbacce8a09d4d40d32c778aab1d8db98667d
    • Instruction Fuzzy Hash: 8E01C03290062E9BCF11EBA0D85AABE7F75BF84B51F104509F5146B292DF749E048B91
    APIs
    • __EH_prolog3.LIBCMT ref: 0056660B
    • std::_Lockit::_Lockit.LIBCPMT ref: 00566615
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 0056662C
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00566663
    • __CxxThrowException@8.LIBCMT ref: 00566671
    • std::_Facet_Register.LIBCPMT ref: 00566687
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: e0f7ecdc339ebd6063b2391a3eccdf510b63660686856d61a272ea90ebcb1e4b
    • Instruction ID: 9db3b8ba3582fdc71a6929caa01b0d3e42b16c7fbdcbd5f36f6dffeaa4f13376
    • Opcode Fuzzy Hash: e0f7ecdc339ebd6063b2391a3eccdf510b63660686856d61a272ea90ebcb1e4b
    • Instruction Fuzzy Hash: 5701C032D0062A9BCB11EFB0DC0AEBE7B75BF84B50F104609F510AB292DF349A0487A1
    APIs
    • __EH_prolog3.LIBCMT ref: 005719C9
    • std::_Lockit::_Lockit.LIBCPMT ref: 005719D3
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 005719EA
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00571A21
    • __CxxThrowException@8.LIBCMT ref: 00571A2F
    • std::_Facet_Register.LIBCPMT ref: 00571A45
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: c39f2795ca162faab3f6cc35b24920faabdc331f89504d8f97ca924d0861f837
    • Instruction ID: 0f70c183b24f00bdb5017b058b904653259f8396735b27a9a0fcbba931f5e1cc
    • Opcode Fuzzy Hash: c39f2795ca162faab3f6cc35b24920faabdc331f89504d8f97ca924d0861f837
    • Instruction Fuzzy Hash: EF01C432900A2A9BCB11EBA8EC0AABE7F757F84751F108508F9146B292DF749A04D790
    APIs
    • __EH_prolog3.LIBCMT ref: 00571A62
    • std::_Lockit::_Lockit.LIBCPMT ref: 00571A6C
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00571A83
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00571ABA
    • __CxxThrowException@8.LIBCMT ref: 00571AC8
    • std::_Facet_Register.LIBCPMT ref: 00571ADE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: 267dd31b7b4886ef7cb3cd83c9225ab758fc16db4a898edb4fd769eac9d1b5e6
    • Instruction ID: 6cfe68aefe6ee71b2bc8ba3718f12f7cc05e0b998ced7564b336b204787dafb8
    • Opcode Fuzzy Hash: 267dd31b7b4886ef7cb3cd83c9225ab758fc16db4a898edb4fd769eac9d1b5e6
    • Instruction Fuzzy Hash: 1701C432900A2A9BCB11EBA4D80AEFE7F797F84750F144509F514AB2D2DF349E049794
    APIs
    • __EH_prolog3.LIBCMT ref: 00571C2D
    • std::_Lockit::_Lockit.LIBCPMT ref: 00571C37
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00571C4E
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00571C85
    • __CxxThrowException@8.LIBCMT ref: 00571C93
    • std::_Facet_Register.LIBCPMT ref: 00571CA9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: 77273d121e1f9c76d7e649e134f25bd73cb4a5c63359c1b0fda33d54ff7d7074
    • Instruction ID: 54f91a5018749733e073aa7ad5f18642ff83488183508f55eec1b940a1440976
    • Opcode Fuzzy Hash: 77273d121e1f9c76d7e649e134f25bd73cb4a5c63359c1b0fda33d54ff7d7074
    • Instruction Fuzzy Hash: B001D631D006299BCB12EBA4DC1AEFE7B79BF84B50F104509F5186B2D2DF349E059790
    APIs
    • __EH_prolog3.LIBCMT ref: 00571CC6
    • std::_Lockit::_Lockit.LIBCPMT ref: 00571CD0
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00571CE7
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00571D1E
    • __CxxThrowException@8.LIBCMT ref: 00571D2C
    • std::_Facet_Register.LIBCPMT ref: 00571D42
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: 13199a3791faa7146513f88599bdee203a8ade273fe84f53cf580707f3b77171
    • Instruction ID: 0fed33e774aec02f7eaba77e6a253f5c59038787bbd90c2324e336144d32744d
    • Opcode Fuzzy Hash: 13199a3791faa7146513f88599bdee203a8ade273fe84f53cf580707f3b77171
    • Instruction Fuzzy Hash: D301C431D0062A9BCB21EBA4E80AEFE7B797F94750F104509F9146F292DF749A049B90
    APIs
    • __EH_prolog3.LIBCMT ref: 00565E46
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565E50
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565E67
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00565E9E
    • __CxxThrowException@8.LIBCMT ref: 00565EAC
    • std::_Facet_Register.LIBCPMT ref: 00565EC2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: 9e6cb1b0b5dd9fd58513c6239da58de9a7c97c3b1f02ca0f5997fdfc4c97c60f
    • Instruction ID: be0451ee1dea9f94a6d87b8230ac6b92e1ee07ab62dff041060ce53e53ec4552
    • Opcode Fuzzy Hash: 9e6cb1b0b5dd9fd58513c6239da58de9a7c97c3b1f02ca0f5997fdfc4c97c60f
    • Instruction Fuzzy Hash: B001AD32D00A2A9BCF11EBA4D80AABE7B79BF84751F104509F5106B292EF74DE048B90
    APIs
    • __EH_prolog3.LIBCMT ref: 00565EDF
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565EE9
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565F00
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00565F37
    • __CxxThrowException@8.LIBCMT ref: 00565F45
    • std::_Facet_Register.LIBCPMT ref: 00565F5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: bb9609026cb2a3be510032d0d22d80c1bb1da2b2344313c4f359d443ccbf623f
    • Instruction ID: 8bf793d06f54abe9b4c845d9d8fddd504e433f8c5d3fc389b2290ed21c13d563
    • Opcode Fuzzy Hash: bb9609026cb2a3be510032d0d22d80c1bb1da2b2344313c4f359d443ccbf623f
    • Instruction Fuzzy Hash: 6301C072900A2A9BCF11EBA0DC0AEBEBB75BF84B50F140518F5106B292EF749A048790
    APIs
    • __EH_prolog3.LIBCMT ref: 00565F78
    • std::_Lockit::_Lockit.LIBCPMT ref: 00565F82
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • int.LIBCPMT ref: 00565F99
      • Part of subcall function 003F25E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F25F1
    • std::bad_exception::bad_exception.LIBCMT ref: 00565FD0
    • __CxxThrowException@8.LIBCMT ref: 00565FDE
    • std::_Facet_Register.LIBCPMT ref: 00565FF4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 1668375557-3145022300
    • Opcode ID: 1126f6bf1837a236557a43d70c433b6d6523eefe69ed83796f3f1f1933d96251
    • Instruction ID: 3af328ecc42be164cd71a69b4b51b7080db0bc9c8601bc099b10a17de1a0dc9e
    • Opcode Fuzzy Hash: 1126f6bf1837a236557a43d70c433b6d6523eefe69ed83796f3f1f1933d96251
    • Instruction Fuzzy Hash: 9801D272D00A2A9BCB11EBA4DC0AEBEBB75BF84750F100618F5116B2D2EF349E058790
    APIs
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00420B83
    • _malloc.LIBCMT ref: 00420B8F
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00420BA7
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00420BC8
    • _malloc.LIBCMT ref: 00420BD4
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00420BE8
    • _malloc.LIBCMT ref: 00420C49
    • _memmove.LIBCMT ref: 00420C53
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ByteCharMultiWide$_malloc$_memmove
    • String ID:
    • API String ID: 3455049887-0
    • Opcode ID: 5970fc17c26ceb5bd1f642e71cb1de744a4980e0fd56906ba2791561f36a5e79
    • Instruction ID: 4b11985dd3c82cf815b04fe2fc648ba505de9dbd391ef8cc15fc16d1c36f0d61
    • Opcode Fuzzy Hash: 5970fc17c26ceb5bd1f642e71cb1de744a4980e0fd56906ba2791561f36a5e79
    • Instruction Fuzzy Hash: FB416BB1A042657FDF288F28AC40ABA7BA9EB45320F808357F8548B256C774AD0097A4
    APIs
    • GetClipBox.GDI32(?,?), ref: 00419297
    • CreateRectRgnIndirect.GDI32(?), ref: 004192A7
    • CreateRectRgnIndirect.GDI32(?), ref: 004192B3
    • CreateRoundRectRgn.GDI32(?,?,?,?,?,?), ref: 004192CD
    • CombineRgn.GDI32(?,?,00000000,00000001), ref: 004192E7
    • CombineRgn.GDI32(?,?,?,00000001), ref: 004192F4
    • SelectClipRgn.GDI32(?,?), ref: 004192FD
    • DeleteObject.GDI32(00000000), ref: 0041930E
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CreateRect$ClipCombineIndirect$DeleteObjectRoundSelect
    • String ID:
    • API String ID: 3239266809-0
    • Opcode ID: bc14b464d1793b99dcebcb7ebf8752b0e0a7cc13b918629a4718de055b51f071
    • Instruction ID: 94b40d749db70dece2fb31dbeff9a45342d3d626abf655edc99b5c36928ab444
    • Opcode Fuzzy Hash: bc14b464d1793b99dcebcb7ebf8752b0e0a7cc13b918629a4718de055b51f071
    • Instruction Fuzzy Hash: 7D31E472900A09AFCF01CFA4ED848EEBBBAFF49310B100116F905B7210D772BA55DBA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: Accept$Accept-Language$Connection$HTTP/1.1$User-Agent
    • API String ID: 4104443479-3765525134
    • Opcode ID: 1eb57ca7595c6fc57af0e1417a99ca6a87aa0177c1af954b340bdae460b22c84
    • Instruction ID: f440c40450a99b6b0b031781a82b5f18a3271437b1420cad0a33914664442ff3
    • Opcode Fuzzy Hash: 1eb57ca7595c6fc57af0e1417a99ca6a87aa0177c1af954b340bdae460b22c84
    • Instruction Fuzzy Hash: DBC1ACB05083919FDB12DF15C845B5BBBE9BF85314F484A1DF085AB2D2CB74E948CBA2
    APIs
    • _memmove.LIBCMT ref: 003E4BBC
      • Part of subcall function 003E4A00: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 003E4A99
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memmove
    • String ID: invalid string position$string too long
    • API String ID: 2765667529-4289949731
    • Opcode ID: cdc219763980455e9df7a67a5a672ba1d4adc3e40baf8335caa55f04af2c110f
    • Instruction ID: 9ce8e59152f769b2a7ec5c828c7aa21975dce8e213d226526f14f61433010ece
    • Opcode Fuzzy Hash: cdc219763980455e9df7a67a5a672ba1d4adc3e40baf8335caa55f04af2c110f
    • Instruction Fuzzy Hash: 6691B7317102699BCB25DE5EECC09AFB7AAFFCC7107204A2EE545C7681D731E9148B90
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: 3?$0000$0000
    • API String ID: 4104443479-3367009666
    • Opcode ID: cec12dbfbe251f6bf4539abe4fe58b0f71be523df9ce0e56f0236487f2ccfaf5
    • Instruction ID: c5d8eae551c14fd48607cbfb870a204a512be11e81b38e0b20ea64b19992ce1b
    • Opcode Fuzzy Hash: cec12dbfbe251f6bf4539abe4fe58b0f71be523df9ce0e56f0236487f2ccfaf5
    • Instruction Fuzzy Hash: 4E51053770410C9BCB25CE5DE8825EAF799FB84325B59416AEE4EC7201E732EA158690
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memset$swprintf
    • String ID: language\$option_%d$pr_%d.png
    • API String ID: 1874130743-2360460721
    • Opcode ID: b0b9d5c3bdd2db1dd459aa7fff73ca4769ab7aa0b215c17d3b77f1e9f7f2cdf6
    • Instruction ID: 7440098cf8386418537b9c0ac7876d336e1492e835406664ed8322580641ed67
    • Opcode Fuzzy Hash: b0b9d5c3bdd2db1dd459aa7fff73ca4769ab7aa0b215c17d3b77f1e9f7f2cdf6
    • Instruction Fuzzy Hash: C871A070904259AACB20EB64CD49BDDB7B4AF15314F1041EEE519B32C2DB786B88CF69
    APIs
    • ScreenToClient.USER32(00000000,?), ref: 00411A83
    • GetClientRect.USER32(00000000,?), ref: 00411A95
    • IsZoomed.USER32(00000000), ref: 00411AA3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Client$RectScreenZoomed
    • String ID: Button$Option$Text
    • API String ID: 1298762932-3941267017
    • Opcode ID: c7ce92d0e6490f2b56dfd2b3857866fd542caf394f58e27c7bed48573c115483
    • Instruction ID: de83b31f6bbed254f6c3fb99c6c90fded098aee9139e700613eebc440bb776b1
    • Opcode Fuzzy Hash: c7ce92d0e6490f2b56dfd2b3857866fd542caf394f58e27c7bed48573c115483
    • Instruction Fuzzy Hash: CA518D31E0464A9FCF00DFA9D885AEEBBF5EF04355F10442AE611FB291E778A981CB54
    APIs
    • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0044A94F
    • __snprintf.LIBCMT ref: 0044A9FA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ExchangeInterlocked__snprintf
    • String ID: D,]$D,]$Unknown error (%d)$winsock
    • API String ID: 1070266261-4219314038
    • Opcode ID: 7abb2b20edb8867a0a870fe1a0cdbc4d2b4f9af7ad8a9b6de5ebccf7bd41cb9d
    • Instruction ID: cf335f55a1da28cea05f2db4bca7f844eeca915309eb27fa40e85a153d3f4044
    • Opcode Fuzzy Hash: 7abb2b20edb8867a0a870fe1a0cdbc4d2b4f9af7ad8a9b6de5ebccf7bd41cb9d
    • Instruction Fuzzy Hash: 5E31D775D00248AFDB14DF68D845BAEBBF9FB45314F00856EE805A7342DB749904CBA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CountFocusTick
    • String ID: killfocus$setfocus
    • API String ID: 3897604831-1991930995
    • Opcode ID: 378c5ed0723cc1f86e43d1eb37fa53fa6514128e496ad62d3e21e3407db0796c
    • Instruction ID: 2d3db25cd570eb23ccfc1ef252f98344e556b77bd80e4bdbc09066651028daa1
    • Opcode Fuzzy Hash: 378c5ed0723cc1f86e43d1eb37fa53fa6514128e496ad62d3e21e3407db0796c
    • Instruction Fuzzy Hash: 43316F71A002499FDF149F54C888FAE7BB5AF44700F048479ED0ABB291CB79A949DBA4
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 003F108D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 003F10B0
    • std::bad_exception::bad_exception.LIBCMT ref: 003F1131
    • __CxxThrowException@8.LIBCMT ref: 003F113F
    • std::_Facet_Register.LIBCPMT ref: 003F1155
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: 7dabe562fcff5cb683cfa472677c043ef1e8c7eb612366640e4dec6aa786091d
    • Instruction ID: 8245792dbef1307d2dae17fcccace69af90440791a93e1a5503fead16a646f2a
    • Opcode Fuzzy Hash: 7dabe562fcff5cb683cfa472677c043ef1e8c7eb612366640e4dec6aa786091d
    • Instruction Fuzzy Hash: 79312236D00619CFCB12DF54EC41ABEBBB9FB46764F014159EA00A73A1DB31AC00CB81
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 003FC0FD
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 003FC120
    • std::bad_exception::bad_exception.LIBCMT ref: 003FC1A1
    • __CxxThrowException@8.LIBCMT ref: 003FC1AF
    • std::_Facet_Register.LIBCPMT ref: 003FC1C5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: 638310e56a02b9244898a7e198c9b65518c07cb27ac00b63ecee2d9848d0dfde
    • Instruction ID: d4182ca8d9e85e8c4c1d0924d20779ebc2e8ed5c4ea4802bc95b6c8f020fd272
    • Opcode Fuzzy Hash: 638310e56a02b9244898a7e198c9b65518c07cb27ac00b63ecee2d9848d0dfde
    • Instruction Fuzzy Hash: A731227295061DDFCB12DFA4DD81EAEBBB5FF45768F11416AE910A7292DB30AD00CB80
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004B812D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 004B8150
    • std::bad_exception::bad_exception.LIBCMT ref: 004B81D1
    • __CxxThrowException@8.LIBCMT ref: 004B81DF
    • std::_Facet_Register.LIBCPMT ref: 004B81F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: 75a7343321c69bbb5eb112b1767cbbfdb5d6a0bfd957ee8602f77888addf5ef1
    • Instruction ID: 8e4a6477bfc0d47e282880cda9030fe77a9e3dfdc9819d273637528c5e72a6d3
    • Opcode Fuzzy Hash: 75a7343321c69bbb5eb112b1767cbbfdb5d6a0bfd957ee8602f77888addf5ef1
    • Instruction Fuzzy Hash: 3C3101769006158FCB10DF58DC41EEABBB9FB45764F10452EE800AB392DB34AD02CBA1
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 003F11AD
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 003F11D0
    • std::bad_exception::bad_exception.LIBCMT ref: 003F1251
    • __CxxThrowException@8.LIBCMT ref: 003F125F
    • std::_Facet_Register.LIBCPMT ref: 003F1275
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: c19147b81dce04a187997b3b782830780759ea02f4a0bf31ffd18094b09b49a0
    • Instruction ID: 5745cddc5e4dc65f126c91215235e94e5ce566f033d69aee822169c000ee1e6b
    • Opcode Fuzzy Hash: c19147b81dce04a187997b3b782830780759ea02f4a0bf31ffd18094b09b49a0
    • Instruction Fuzzy Hash: F2310376D00619DFCB12DF94EC41EAEBBB5FB45364F110A29E900AB291EB30AD01CB91
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004B824D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 004B8270
    • std::bad_exception::bad_exception.LIBCMT ref: 004B82F1
    • __CxxThrowException@8.LIBCMT ref: 004B82FF
    • std::_Facet_Register.LIBCPMT ref: 004B8315
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: 648804efaec065afdabbc96bfa036909d7bbe36b0930b5c479bd182b80bca657
    • Instruction ID: 0c276de97f343ff0f1805ea0bd43551233af6bcebaa4fb96bcf3446830464e98
    • Opcode Fuzzy Hash: 648804efaec065afdabbc96bfa036909d7bbe36b0930b5c479bd182b80bca657
    • Instruction Fuzzy Hash: 51313136900A15CFCB14DF94D845AAABBB8FB56B20F00016EEC04A7391DB30AC01CFA1
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004B836D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 004B8390
    • std::bad_exception::bad_exception.LIBCMT ref: 004B8411
    • __CxxThrowException@8.LIBCMT ref: 004B841F
    • std::_Facet_Register.LIBCPMT ref: 004B8435
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: 9478af0021618acda561d97f0ed4f06e8e0d15d16fd1f2475059e815c3e3a3b3
    • Instruction ID: 1b4145c4f49c5094a2358be7ef19763f5f8ff5e82648cf4cf0752791f50cc24f
    • Opcode Fuzzy Hash: 9478af0021618acda561d97f0ed4f06e8e0d15d16fd1f2475059e815c3e3a3b3
    • Instruction Fuzzy Hash: 0D310332900615DFCB10DF64DC41AAEBBB9FB45714F00066EE801A7391EF35AC01CBA1
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 00472A7D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 00472AA0
    • std::bad_exception::bad_exception.LIBCMT ref: 00472B21
    • __CxxThrowException@8.LIBCMT ref: 00472B2F
    • std::_Facet_Register.LIBCPMT ref: 00472B45
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: 200b678530c08fba1ce937ffb7d32f9fae4c06bfecd238da0f83e11c9e939d57
    • Instruction ID: d410120f00551221373da07ff22a782f2a5317ff718099006132402a515de4b2
    • Opcode Fuzzy Hash: 200b678530c08fba1ce937ffb7d32f9fae4c06bfecd238da0f83e11c9e939d57
    • Instruction Fuzzy Hash: 203120329006159FCB20DF54DE81EAEBBB4FF55320F10456AE809A73A1DB74AD01CB80
    APIs
      • Part of subcall function 00403790: std::locale::_Init.LIBCPMT ref: 004037F3
      • Part of subcall function 003F1180: std::_Lockit::_Lockit.LIBCPMT ref: 003F11AD
      • Part of subcall function 003F1180: std::_Lockit::_Lockit.LIBCPMT ref: 003F11D0
    • __CxxThrowException@8.LIBCMT ref: 00404B47
    • std::ios_base::_Addstd.LIBCPMT ref: 00404B84
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: LockitLockit::_std::_$AddstdException@8InitThrowstd::ios_base::_std::locale::_
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 3350815121-948832811
    • Opcode ID: 66af94f5ba9c7153a31aee0c8964fdfd29cee2a840012b58003af70bfbf23583
    • Instruction ID: abb31017195aaf33bbfbcbf7ce672e69c26b394b6f528e1c0bc5852a86aeac83
    • Opcode Fuzzy Hash: 66af94f5ba9c7153a31aee0c8964fdfd29cee2a840012b58003af70bfbf23583
    • Instruction Fuzzy Hash: AE31E0B0641648AFC710EF94CD46FAABBF5FF84B14F00452AE602AB6D1DB78E904CB55
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 003FBFDD
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 003FC000
    • std::bad_exception::bad_exception.LIBCMT ref: 003FC081
    • __CxxThrowException@8.LIBCMT ref: 003FC08F
    • std::_Facet_Register.LIBCPMT ref: 003FC0A5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: 4510e1067846e0b05f5e102d7de679274906ba0a3573766288651d7c969c10bc
    • Instruction ID: d88fb1f0a3317306519d41ffc3005c2c06616cacf46f3a71b8ebc138b32bfa43
    • Opcode Fuzzy Hash: 4510e1067846e0b05f5e102d7de679274906ba0a3573766288651d7c969c10bc
    • Instruction Fuzzy Hash: B531447290021ECFCB12DF54DD81AAEBBB4FB45724F010119E914A7291DF31AD02CB81
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 0055F6FD
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::_Lockit::_Lockit.LIBCPMT ref: 0055F723
    • std::bad_exception::bad_exception.LIBCMT ref: 0055F7A7
    • __CxxThrowException@8.LIBCMT ref: 0055F7B6
    • std::_Facet_Register.LIBCPMT ref: 0055F7CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
    • String ID: bad cast
    • API String ID: 153433846-3145022300
    • Opcode ID: fd1dd7f332af42ba55c05dac0c27e0cd6d8af510a8fc7d12ea0b7eb3253fec11
    • Instruction ID: 2990a570bc02cd401be4fb2512cbdf63a23fff6fbb7fcb4f2f3d2b03146c5b9a
    • Opcode Fuzzy Hash: fd1dd7f332af42ba55c05dac0c27e0cd6d8af510a8fc7d12ea0b7eb3253fec11
    • Instruction Fuzzy Hash: FB31E3769047118FC711DF14DC54F5ABBE5FB89725F004A2AFC559B291E730AC09CB92
    APIs
    • __CxxThrowException@8.LIBCMT ref: 00404996
    • __CxxThrowException@8.LIBCMT ref: 004049C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 2efac0ad19098978463babdf44a57cabb40c949319188e0f5a0bc7b4659a5a84
    • Instruction ID: 77ca5ba07984d37e2df034f4410fe8c858983e8580ae14843bb62a339430d167
    • Opcode Fuzzy Hash: 2efac0ad19098978463babdf44a57cabb40c949319188e0f5a0bc7b4659a5a84
    • Instruction Fuzzy Hash: 7D31ADB06002089FCB10DF68D985FAABBF4BF48B28F54556AE502B73D2CB75A900CB54
    APIs
    • __CxxThrowException@8.LIBCMT ref: 00404014
    • __CxxThrowException@8.LIBCMT ref: 0040403A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Exception@8Throw
    • String ID: dj\$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
    • API String ID: 2005118841-948832811
    • Opcode ID: 86884cb0cfe106ced843c3f17b0cf28a1f68bd8c2f157c120dab7dc0197c3e9e
    • Instruction ID: a62afea0b2a012b04fbf021ee807d3a46d0bd5083b347d034143462ab7f4f668
    • Opcode Fuzzy Hash: 86884cb0cfe106ced843c3f17b0cf28a1f68bd8c2f157c120dab7dc0197c3e9e
    • Instruction Fuzzy Hash: 582128B16003086FCB14EF58DD12FBFBBA99B94B00F00415EEA0077282DBB55A0587A6
    APIs
    • GetClientRect.USER32(?,?), ref: 00407A3F
    • GetWindowLongW.USER32(?,000000F0), ref: 00407A76
    • GetMenu.USER32(?), ref: 00407A82
    • GetWindowLongW.USER32(?,000000EC), ref: 00407A98
    • GetWindowLongW.USER32(?,000000F0), ref: 00407AA1
    • AdjustWindowRectEx.USER32(?,00000000,?,00000000), ref: 00407AA8
    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000016,?,?,?), ref: 00407ACC
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Window$Long$Rect$AdjustClientMenu
    • String ID:
    • API String ID: 1765799542-0
    • Opcode ID: c7dcc68188784c8c08813bc64b1f8b207cbccabc301ad3a0458f359270b854f0
    • Instruction ID: e2a21c0b997a77e96ae33a07ecf78d348a857d543351095164eb98a00ef03556
    • Opcode Fuzzy Hash: c7dcc68188784c8c08813bc64b1f8b207cbccabc301ad3a0458f359270b854f0
    • Instruction Fuzzy Hash: 6F213271A0460AAFDF10DFA9CD84DAFB7B9FF45720B108229B465E2191DB31EE14DB11
    APIs
    • SetPropW.USER32(?,WndX), ref: 00407CF6
    • GetPropW.USER32(?,WndX), ref: 00407D19
    • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00407D39
    • SetPropW.USER32(?,WndX,00000000), ref: 00407D56
    • DefWindowProcW.USER32(?,?,?,?), ref: 00407D74
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Prop$ProcWindow$Call
    • String ID: WndX
    • API String ID: 1029653574-1375107400
    • Opcode ID: eb4d247f422d95b78a3fc32aecb63938583a235a7ece813c7fca90e1245fdb19
    • Instruction ID: d3e5372228ce5571fe15ab142cd570e8557ea9565b96f717dcc5ff7e47f2c057
    • Opcode Fuzzy Hash: eb4d247f422d95b78a3fc32aecb63938583a235a7ece813c7fca90e1245fdb19
    • Instruction Fuzzy Hash: 21115931604615BFCB218F54DC88F7B7BB9FF48B61F004029F946A7292C779AC11AB66
    APIs
    • _memset.LIBCMT ref: 00407910
    • GetClassInfoExW.USER32(00000000,00000000), ref: 0040792C
    • GetClassInfoExW.USER32(00000000,00000000), ref: 00407948
    • RegisterClassExW.USER32(00000030), ref: 00407978
    • GetLastError.KERNEL32(?,?,?), ref: 00407983
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Class$Info$ErrorLastRegister_memset
    • String ID: 0
    • API String ID: 3690237952-4108050209
    • Opcode ID: 3abeb76fcf7126c224ee15083f600df46b5778aabfed18129cbd90967461e4bb
    • Instruction ID: 8da3cd5298f355b20bc6a2ad916e1a5c1c772480f136b649a70f3102befd4b01
    • Opcode Fuzzy Hash: 3abeb76fcf7126c224ee15083f600df46b5778aabfed18129cbd90967461e4bb
    • Instruction Fuzzy Hash: 5511B2B4A102149FEB10AFB9D888DAFBBFCFF08354B00443AF405E3281DB3599048B66
    APIs
      • Part of subcall function 005775E3: _malloc.LIBCMT ref: 005775FB
    • CreateThread.KERNEL32(00000000,00000000,003FEA50,00000000,00000000,00000000), ref: 003FE981
    Strings
    • CDuiFrameWnd::UpdateWindowSate, xrefs: 003FE9BC
    • CDuiFrameWnd::DownloadSuccess, xrefs: 003FE927
    • D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp, xrefs: 003FE922, 003FE9B7
    • UpdateWindowSate:kWindow_Installing, xrefs: 003FE9AB
    • switch, xrefs: 003FE990
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CreateThread_malloc
    • String ID: CDuiFrameWnd::DownloadSuccess$CDuiFrameWnd::UpdateWindowSate$D:\Jenkins\workspace\MF_Downloader\UI\MFDownloader\Window\DuiFrameWnd.cpp$UpdateWindowSate:kWindow_Installing$switch
    • API String ID: 3334740953-927857206
    • Opcode ID: 5a8c2bb58422aca30f764d8a846539f187bfbe33e269f20ba216d4983d65776f
    • Instruction ID: 052080a64028e05ce7f186933814460a6f306adf71b5bb2d65d3669c78bb2d05
    • Opcode Fuzzy Hash: 5a8c2bb58422aca30f764d8a846539f187bfbe33e269f20ba216d4983d65776f
    • Instruction Fuzzy Hash: 4F110A31385314BEE7615BA1CC0BFABBAD6BB80B14F10411DF5482A1C2DBF96540C6E5
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 003F1C1D
      • Part of subcall function 0056283C: __lock.LIBCMT ref: 0056284D
    • std::exception::exception.LIBCMT ref: 003F1C78
      • Part of subcall function 0057A0A2: std::exception::_Copy_str.LIBCMT ref: 0057A0BB
    • __CxxThrowException@8.LIBCMT ref: 003F1C8D
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003F1C94
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
    • String ID: `y\$hy\
    • API String ID: 271752322-849383625
    • Opcode ID: 17e42c98987e9a0e89b4ab824f18d174b9e814775bc786633370719aee8896c3
    • Instruction ID: 449566d8f6551eba45afeeccf2d10590ee0b990df17bb7c0192375c8dc11153f
    • Opcode Fuzzy Hash: 17e42c98987e9a0e89b4ab824f18d174b9e814775bc786633370719aee8896c3
    • Instruction Fuzzy Hash: E0218E70804B489ED720CF69D804B9BBFF8FF19710F008A1EE85993B81D7B5A608CB95
    APIs
    • GetModuleHandleW.KERNEL32(User32.dll), ref: 0040E072
    • GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 0040E082
    • GetWindowLongW.USER32(00000000,000000EC), ref: 0040E096
    • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0040E0C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: LongWindow$AddressHandleModuleProc
    • String ID: SetLayeredWindowAttributes$User32.dll
    • API String ID: 1792074081-2510956139
    • Opcode ID: 681528c34c8a6a22ffadceb8d55d2d07c1eddafbd9252d84caf9e242d47a37ca
    • Instruction ID: fa659972f877d40f6b2e088266ca4b5fcdb99953d3da447a71015987f35aed02
    • Opcode Fuzzy Hash: 681528c34c8a6a22ffadceb8d55d2d07c1eddafbd9252d84caf9e242d47a37ca
    • Instruction Fuzzy Hash: 13016432200A646FCB301736CC49F677A98BF90311F00493EF297E22E1CEFA4814A721
    APIs
    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003F2234
      • Part of subcall function 00562EF9: _setlocale.LIBCMT ref: 00562F12
    • _free.LIBCMT ref: 003F2244
      • Part of subcall function 00579A30: RtlFreeHeap.NTDLL(00000000,00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A44
      • Part of subcall function 00579A30: GetLastError.KERNEL32(00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A56
    • _free.LIBCMT ref: 003F225B
    • _free.LIBCMT ref: 003F2272
    • _free.LIBCMT ref: 003F2289
    • _free.LIBCMT ref: 003F22A0
    • _free.LIBCMT ref: 003F22B7
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
    • String ID:
    • API String ID: 3515823920-0
    • Opcode ID: 26d4107ce1b1575a755036d9fb703e84fcfbba12363428843720522b2a5b1f7d
    • Instruction ID: 6ec996e4da597f88a34b0cb21029794409bd60b7883791a0d6d1a98ae68ea247
    • Opcode Fuzzy Hash: 26d4107ce1b1575a755036d9fb703e84fcfbba12363428843720522b2a5b1f7d
    • Instruction Fuzzy Hash: D201E1F1A017119BEA309E25E849B2776E86F10704F048938E44B87A41E775F508DBA2
    APIs
    • CreatePen.GDI32(?,?), ref: 00418E83
    • SelectObject.GDI32(?,00000000), ref: 00418E96
    • GetStockObject.GDI32(00000005), ref: 00418E9C
    • SelectObject.GDI32(?,00000000), ref: 00418EA6
    • RoundRect.GDI32(?,?,?,?,?,00000000,?), ref: 00418EBF
    • SelectObject.GDI32(?,00000000), ref: 00418EC9
    • DeleteObject.GDI32(?), ref: 00418ECE
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Object$Select$CreateDeleteRectRoundStock
    • String ID:
    • API String ID: 1454345155-0
    • Opcode ID: 50e66ac5e937d98d13fbc2ec2ea3726901d45ba9718425b2e80385bf1da45590
    • Instruction ID: c02184f01d8f0b8fa55e9bf95b04ca63d2afe33bd81b5ecbf5b7d36d83fea111
    • Opcode Fuzzy Hash: 50e66ac5e937d98d13fbc2ec2ea3726901d45ba9718425b2e80385bf1da45590
    • Instruction Fuzzy Hash: 5A011E35500119BFCF055FA5DC0CCAA3FA6FF88351B008115FA09A6160C736D966EFA0
    APIs
    • __getptd_noexit.LIBCMT ref: 0057E9E4
      • Part of subcall function 0058C129: GetLastError.KERNEL32(00000001,00000000,005810CA,00579AEF,?,?,0057A197,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 0058C12B
      • Part of subcall function 0058C129: __calloc_crt.LIBCMT ref: 0058C14C
      • Part of subcall function 0058C129: __initptd.LIBCMT ref: 0058C16E
      • Part of subcall function 0058C129: GetCurrentThreadId.KERNEL32 ref: 0058C175
      • Part of subcall function 0058C129: SetLastError.KERNEL32(00000000,0057A197,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 0058C18D
    • __calloc_crt.LIBCMT ref: 0057EA07
    • __get_sys_err_msg.LIBCMT ref: 0057EA25
    • __invoke_watson.LIBCMT ref: 0057EA42
    Strings
    • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0057E9EF, 0057EA15
    • Operation not permitted, xrefs: 0057E9F7
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
    • String ID: Operation not permitted$Visual C++ CRT: Not enough memory to complete call to strerror.
    • API String ID: 109275364-3972167996
    • Opcode ID: e17c198c413bc13a71624260fcb661b00f713ce53f162ad96b6ec77e9c5b53dd
    • Instruction ID: cae5d4b5d998a327caaa046e5c46c07cf95073cd42c8a6401e29d082ea6ad285
    • Opcode Fuzzy Hash: e17c198c413bc13a71624260fcb661b00f713ce53f162ad96b6ec77e9c5b53dd
    • Instruction Fuzzy Hash: A1F024321407126BEB32761ABC0B52B7FADFF987A0B4040A6FE4DA6543EA309C002290
    APIs
    • CreatePen.GDI32(?,?), ref: 00418E06
    • SelectObject.GDI32(?,00000000), ref: 00418E19
    • GetStockObject.GDI32(00000005), ref: 00418E1F
    • SelectObject.GDI32(?,00000000), ref: 00418E29
    • Rectangle.GDI32(?,?,?,?,?), ref: 00418E3C
    • SelectObject.GDI32(?,00000000), ref: 00418E46
    • DeleteObject.GDI32(00000000), ref: 00418E4B
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Object$Select$CreateDeleteRectangleStock
    • String ID:
    • API String ID: 2689421921-0
    • Opcode ID: e613ff0829f122e03adf4324cb23d946607fac990a31b4986a461a1dd8622a14
    • Instruction ID: f76abb939ae1810956f1eedb615da5d1e02f082048cf2817ca84894b5956a237
    • Opcode Fuzzy Hash: e613ff0829f122e03adf4324cb23d946607fac990a31b4986a461a1dd8622a14
    • Instruction Fuzzy Hash: 23014435100119BFCF055F65DC0DCAA3FAAFF88352B004015F909E6160C736D966EFA0
    APIs
    • WinHttpQueryHeaders.WINHTTP(?,20000005,00000000,00000000,?,?), ref: 00445FA6
    • GetModuleHandleA.KERNEL32(wininet.dll,CWinHttpRequest::GetUrlFileSize), ref: 00445FBA
    • GetLastError.KERNEL32(00000000), ref: 00445FC1
      • Part of subcall function 00446220: _memset.LIBCMT ref: 0044625A
      • Part of subcall function 00446220: FormatMessageA.KERNEL32(00000800,?,00445FD2,00000400,00000000,00000104,00000000,00000000,?,00000002), ref: 0044627F
      • Part of subcall function 00446220: GetCurrentThreadId.KERNEL32 ref: 00446298
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CurrentErrorFormatHandleHeadersHttpLastMessageModuleQueryThread_memset
    • String ID: CWinHttpRequest::GetUrlFileSize$WinHttpQueryHeaders$wininet.dll
    • API String ID: 2684312013-3104951660
    • Opcode ID: 063a3a31d62892a0745def62e7830e6932dab210f2bfce8d3d051bca7b0b36a9
    • Instruction ID: 773f7116805564d49b7c42b43d5af1bb40192b5fe9c29fd50e77f90382f8c84f
    • Opcode Fuzzy Hash: 063a3a31d62892a0745def62e7830e6932dab210f2bfce8d3d051bca7b0b36a9
    • Instruction Fuzzy Hash: F20186B1900208BFDB14EF94DC09F9ABBB8EB24704F10408AED0193341EA75AB18DA65
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID:
    • API String ID: 4104443479-0
    • Opcode ID: 862013d33d35dd55262ff829b861c27c2741ad04e66b72d5d01469bbd916501e
    • Instruction ID: 98b89e7f6073d1c4cb2a4368ac065ca798ab91858ee08f05b703bcb8ce6b9d55
    • Opcode Fuzzy Hash: 862013d33d35dd55262ff829b861c27c2741ad04e66b72d5d01469bbd916501e
    • Instruction Fuzzy Hash: 511239B04087819FE731DF29D849B5BBBE5FB95300F440E2DE19A87291DB71A948CB93
    APIs
    • EnterCriticalSection.KERNEL32(?,9C3DCF4C,000001A0,0046B7CB,00000008,00000000,004634D0,0046B7CB,00000000,0046B7CB), ref: 0049C461
    • type_info::operator==.LIBCMT ref: 0049C4A4
    • LeaveCriticalSection.KERNEL32(00000008,?,9C3DCF4C,000001A0), ref: 0049C4BC
    • EnterCriticalSection.KERNEL32(00000008,00000008,00000000,004634D0), ref: 0049C4E4
    • type_info::operator==.LIBCMT ref: 0049C515
    • LeaveCriticalSection.KERNEL32(?), ref: 0049C546
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeavetype_info::operator==
    • String ID:
    • API String ID: 262606368-0
    • Opcode ID: 9afea8fdee1e037a6fc2309f9a95e545a4c2a96f2804227d4a57704979d46b55
    • Instruction ID: 65482523744b4ccee26d4d98d9e614ec1d01350c0385c336c885d271ea9ed642
    • Opcode Fuzzy Hash: 9afea8fdee1e037a6fc2309f9a95e545a4c2a96f2804227d4a57704979d46b55
    • Instruction Fuzzy Hash: 38417975B00615AFDF24CF68C9D4B6BBBB4BF44B50F19846AE8159B341C738E900CBA1
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?), ref: 003F9FDA
    • _memset.LIBCMT ref: 003FA00E
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 003FA029
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 003FA047
    • _memset.LIBCMT ref: 003FA05D
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,9C3DCF4C,00000000,00000000,00000000,00000000), ref: 003FA078
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ByteCharMultiWide$_memset
    • String ID:
    • API String ID: 3545102435-0
    • Opcode ID: 651c0e84b6314e050532b33702c1dd9bb2c642f3b15fdbb7e4dbe5a62dbc33b1
    • Instruction ID: 1d1c033caa04eb993731c8dc2c0c892455a242b864efda047953d781d0cea097
    • Opcode Fuzzy Hash: 651c0e84b6314e050532b33702c1dd9bb2c642f3b15fdbb7e4dbe5a62dbc33b1
    • Instruction Fuzzy Hash: 0831F771600306BFFB215F28DC06F7A7BA9EF85710F204619F609AB2C1D7B16A0487A5
    APIs
    • CreateFileW.KERNEL32(00000003,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,?,0041D0BD,00000003,?,00000001,?), ref: 0041F5B4
    • GetCurrentProcess.KERNEL32(00000001,00000000,00000000,00000002,?,00000000,00000000,?,0041D0BD,00000003,?,00000001,?,0041D11C,00000003,?), ref: 0041F5D8
    • GetCurrentProcess.KERNEL32(00000003,00000000,?,00000000,00000000,?,0041D0BD,00000003,?,00000001,?,0041D11C,00000003,?,?,?), ref: 0041F5DE
    • DuplicateHandle.KERNEL32(00000000,?,00000000,00000000,?,0041D0BD,00000003,?,00000001,?,0041D11C,00000003,?,?,?), ref: 0041F5E1
    • GetFileType.KERNEL32(00000001,?,00000000,00000000,?,0041D0BD,00000003,?,00000001,?,0041D11C,00000003,?,?,?), ref: 0041F5FC
    • SetFilePointer.KERNEL32(00000001,00000000,00000000,00000001,?,00000000,00000000,?,0041D0BD,00000003,?,00000001,?,0041D11C,00000003,?), ref: 0041F659
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: File$CurrentProcess$CreateDuplicateHandlePointerType
    • String ID:
    • API String ID: 3364526186-0
    • Opcode ID: d908ab291573205ea4a030fa3751cc7bce164f45a4728c2341d6eab0cc3db8b5
    • Instruction ID: f161add4d53780544891a41510fd700261e00a3e068baf0fab8c57526f7413a7
    • Opcode Fuzzy Hash: d908ab291573205ea4a030fa3751cc7bce164f45a4728c2341d6eab0cc3db8b5
    • Instruction Fuzzy Hash: 0D31ADB1640345AFDB208F28DC45AAB7BE9EB19710F14492AF85AD7360D274D88ACB64
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: bad Image Descriptor$missing color table$outofmem$unknown code
    • API String ID: 4104443479-681994351
    • Opcode ID: edf55fdb18802270fdd488e694eb6ca908767f6690608329acb11c6b63424ec5
    • Instruction ID: 6ab24654f476c9733889d6e080753598470aaed92c916ded6e45acf2106dfc45
    • Opcode Fuzzy Hash: edf55fdb18802270fdd488e694eb6ca908767f6690608329acb11c6b63424ec5
    • Instruction Fuzzy Hash: 7EB10570700621EFCB18DE25E481BB6B7A4FF06700F94856BED598B241D738A865CB6F
    APIs
    • CreatePenIndirect.GDI32(00000000), ref: 00418D76
    • SelectObject.GDI32(?,00000000), ref: 00418D80
    • MoveToEx.GDI32(?,?,?,00000000), ref: 00418D9F
    • LineTo.GDI32(?,?,?), ref: 00418DB1
    • SelectObject.GDI32(?,00000000), ref: 00418DBB
    • DeleteObject.GDI32(00000000), ref: 00418DC2
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Object$Select$CreateDeleteIndirectLineMove
    • String ID:
    • API String ID: 191790629-0
    • Opcode ID: 4a078e0581dbe1c409c35ab6c6c765cb5e548cb7e1f0ea18365af88debd56d56
    • Instruction ID: e8961adb845e463c89612ca58a6c858156defdeec24307e194e91307d26cc7be
    • Opcode Fuzzy Hash: 4a078e0581dbe1c409c35ab6c6c765cb5e548cb7e1f0ea18365af88debd56d56
    • Instruction Fuzzy Hash: FB21C775900119AFCB00DFA8DC899AEBBF9FF48311F00815AF905E7260D7359A59EBA1
    APIs
    • _malloc.LIBCMT ref: 004082A6
      • Part of subcall function 00579A68: __FF_MSGBANNER.LIBCMT ref: 00579A7F
      • Part of subcall function 00579A68: __NMSG_WRITE.LIBCMT ref: 00579A86
      • Part of subcall function 00579A68: RtlAllocateHeap.NTDLL(01230000,00000000,00000001,00000001,?,?,?,0057A197,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579AAB
    • _wcscpy.LIBCMT ref: 004082B2
    • _wcscat.LIBCMT ref: 004082BA
    • _wcscat.LIBCMT ref: 004082CF
    • _free.LIBCMT ref: 004082E2
    • _wcscat.LIBCMT ref: 004082EC
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _wcscat$AllocateHeap_free_malloc_wcscpy
    • String ID:
    • API String ID: 1624937444-0
    • Opcode ID: 1d2bcac33045a14175a237c09c8693365936f868aa29c3241a24db472d495727
    • Instruction ID: bb56b771064ce1bd6e21218cdc9b394adfef5cc4523d6b26b4cb0a943a3253a5
    • Opcode Fuzzy Hash: 1d2bcac33045a14175a237c09c8693365936f868aa29c3241a24db472d495727
    • Instruction Fuzzy Hash: DC0196B2400201AAE6247F24E949C57BBEDFBD4350761483EF1C992142EF365841E769
    APIs
    • SelectObject.GDI32(?), ref: 00409E4C
    • GetTextMetricsW.GDI32(?,0064F024), ref: 00409E5B
    • SelectObject.GDI32(?,00000000), ref: 00409E68
    • SelectObject.GDI32(?,?), ref: 00409E8C
    • GetTextMetricsW.GDI32(?,00000000), ref: 00409E9D
    • SelectObject.GDI32(?,00000000), ref: 00409EAA
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ObjectSelect$MetricsText
    • String ID:
    • API String ID: 3697559710-0
    • Opcode ID: dbd5760d2701c73ca18d71deaf3549558aa0c8d5929d63b396ea55b9005d3849
    • Instruction ID: 048ebdd39b848a1bd68a60dfc6d2357efb4e0e93fe7dd55b1e04644677e45251
    • Opcode Fuzzy Hash: dbd5760d2701c73ca18d71deaf3549558aa0c8d5929d63b396ea55b9005d3849
    • Instruction Fuzzy Hash: 09014C350001049FCF51AF50DC88BD23B6AFF94310F0980B6ED49AA16ACB760D49DB65
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: invalid string position$string too long
    • API String ID: 4104443479-4289949731
    • Opcode ID: 4b71b7734c408eb2b6daa39fe7d6293f2c19440ef99b5233dbea1621b84e9a48
    • Instruction ID: 4f99118052971f2c9b9b45caacaaac611f41470322cacbe773581c28ec92510c
    • Opcode Fuzzy Hash: 4b71b7734c408eb2b6daa39fe7d6293f2c19440ef99b5233dbea1621b84e9a48
    • Instruction Fuzzy Hash: 026104717102559FDB29CF1ED882A6E7BA6EFA4380B24862DE855CB3C1D731ED508B90
    APIs
    • WSASetLastError.WS2_32(00000000,?,8FAFD21E,?), ref: 004A8125
    • select.WS2_32(00000100,00000001,00000000,00000000,00000000), ref: 004A8140
    • WSAGetLastError.WS2_32 ref: 004A817A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ErrorLast$select
    • String ID: D,]$D,]
    • API String ID: 1043644060-3924630449
    • Opcode ID: 8f12eddf757439784529d6461512c94d4704dcb213e26cf344805df8c5e53e6e
    • Instruction ID: 9f3843f2f9039badabeb9e57c68f6b70f98ab166390f2939913c2108773dc1dc
    • Opcode Fuzzy Hash: 8f12eddf757439784529d6461512c94d4704dcb213e26cf344805df8c5e53e6e
    • Instruction Fuzzy Hash: 08719F75A002088FCB24CF18EC457DABBF5FB5A324F1045AED94AA7352DF749A858F50
    APIs
    • __Getcvt.LIBCPMT ref: 004B98A1
      • Part of subcall function 00562FF0: ____lc_codepage_func.LIBCMT ref: 00563007
      • Part of subcall function 00562FF0: ____mb_cur_max_func.LIBCMT ref: 00563010
      • Part of subcall function 00562FF0: ____lc_locale_name_func.LIBCMT ref: 00563018
    • __Getcvt.LIBCPMT ref: 004B98FC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Getcvt$____lc_codepage_func____lc_locale_name_func____mb_cur_max_func
    • String ID: ,$false$true
    • API String ID: 4247442312-760133229
    • Opcode ID: 7c1cf768d0ffa9e7177f2ec54a0ce84746317236f318725ea5aa1cd55b8e38a6
    • Instruction ID: e1e3c15bf4cb0340620993e5fcef966d223762b4139cfcdb324c2e912d82b88c
    • Opcode Fuzzy Hash: 7c1cf768d0ffa9e7177f2ec54a0ce84746317236f318725ea5aa1cd55b8e38a6
    • Instruction Fuzzy Hash: F451C0B1D00348DEDB11CF94C885BEEBBB8FF49704F14416AE815AB341E735AA46CBA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CountStateTick_wcsstr
    • String ID: J@$RichEdit
    • API String ID: 1310091763-911363330
    • Opcode ID: d886c896d74d9c387fcd706d81fdd64e0159f1ca5b98dde53d38664d0a5d7334
    • Instruction ID: 6f0a561d6b27c18ae1115a4066a4e3448389b38477226f5204315b2e7d8fe2dc
    • Opcode Fuzzy Hash: d886c896d74d9c387fcd706d81fdd64e0159f1ca5b98dde53d38664d0a5d7334
    • Instruction Fuzzy Hash: FB41BF34600705DFDB24DF74D488BEA7BA1BF48300F108A7EE85AAB391EB34A945CB55
    APIs
    • SetBkColor.GDI32(?), ref: 00414539
    • ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 0041454C
    • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 00414595
    • DeleteObject.GDI32(00000000), ref: 004145DF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ColorCreateDeleteObjectSectionText
    • String ID: (
    • API String ID: 2482505015-3887548279
    • Opcode ID: f04b2220073b2839a10589428a631c4ea9d99f9ff10e3cd81355c2a106ebc3d7
    • Instruction ID: d196b92a86c2914069e29e66dfe9b95e45dcd7acfe6309cc9598ca739f0152b1
    • Opcode Fuzzy Hash: f04b2220073b2839a10589428a631c4ea9d99f9ff10e3cd81355c2a106ebc3d7
    • Instruction Fuzzy Hash: 02318B71D01218BBDB10CFA6DC88DEFBFB9EF8A310F10411AF919B6250DA345A45DBA4
    APIs
    • std::locale::_Init.LIBCPMT ref: 0048F28B
      • Part of subcall function 00562DD9: __EH_prolog3.LIBCMT ref: 00562DE0
      • Part of subcall function 00562DD9: std::_Lockit::_Lockit.LIBCPMT ref: 00562DEA
      • Part of subcall function 00562DD9: std::locale::_Setgloballocale.LIBCPMT ref: 00562E06
    • std::locale::_Locimp::_Makeloc.LIBCPMT ref: 0048F2F8
      • Part of subcall function 00563D1D: __EH_prolog3.LIBCMT ref: 00563D24
      • Part of subcall function 00563D1D: int.LIBCPMT ref: 00563D64
      • Part of subcall function 00563D1D: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00563D6C
      • Part of subcall function 00563D1D: int.LIBCPMT ref: 00563DC2
      • Part of subcall function 00563D1D: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00563DCA
      • Part of subcall function 00563D1D: int.LIBCPMT ref: 00563E20
      • Part of subcall function 00563D1D: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00563E28
      • Part of subcall function 00563D1D: int.LIBCPMT ref: 00563E97
    • __CxxThrowException@8.LIBCMT ref: 0048F34A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::locale::_$Locimp::_$AddfacLocimp_$H_prolog3$Exception@8InitLockitLockit::_MakelocSetgloballocaleThrowstd::_
    • String ID: bad locale name$5]
    • API String ID: 3875781478-4250441589
    • Opcode ID: d50eae4f51a408ec310f98433f6a142df847cce665091028d99bd894a5cffc31
    • Instruction ID: 3c32c9650880c45c686d1669be6da79150b083ff86d1587c4156944cff2c1f88
    • Opcode Fuzzy Hash: d50eae4f51a408ec310f98433f6a142df847cce665091028d99bd894a5cffc31
    • Instruction Fuzzy Hash: 38310330A04109AFDB10EFA8C885FAEBBB5EF16310F1444AAE805DB391E7769D09CB55
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Parent$LongWindow
    • String ID: d$d
    • API String ID: 3872341914-1303137945
    • Opcode ID: 7111348c7d52931c3502d6a1cd9991f5b709bff25952b021b7638809b9e0ab99
    • Instruction ID: 0a90ec10e75fbfefadcf96d018ba48ab87ccaa2efd7062df0a2feb97a4dc77e8
    • Opcode Fuzzy Hash: 7111348c7d52931c3502d6a1cd9991f5b709bff25952b021b7638809b9e0ab99
    • Instruction Fuzzy Hash: BC31EF35600204ABCF15BF62C8418AE7BAAAF85384710883FF847AB3D1DA39DD55EB44
    APIs
      • Part of subcall function 00445A10: InternetQueryOptionW.WININET(9C3DCF4C,00000000,00000000,AXD), ref: 00445A3F
    • InternetSetOptionW.WININET(00000000,?,?,00000004), ref: 004458B4
    • GetLastError.KERNEL32 ref: 004458BE
    Strings
    • CBaseRequest::InternetSetOpt, xrefs: 004458D6
    • ERR: InternetSetOption fail! 0x%x, xrefs: 004458C5
    • tool\BaseRequest.cpp, xrefs: 004458D1
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: InternetOption$ErrorLastQuery
    • String ID: CBaseRequest::InternetSetOpt$ERR: InternetSetOption fail! 0x%x$tool\BaseRequest.cpp
    • API String ID: 3980908186-1089527847
    • Opcode ID: e885fe0cd142088fe74b2bf4f384fef9b788f72b607919b5225b6b1c93a6d055
    • Instruction ID: 61d10181193ed663b4b753b97ef496106c5df34fefc4e240af7a119b88128335
    • Opcode Fuzzy Hash: e885fe0cd142088fe74b2bf4f384fef9b788f72b607919b5225b6b1c93a6d055
    • Instruction Fuzzy Hash: FC31ADB1900609EFEF10DF94D885BEFBBB8EF49324F10402AE910B7282D7755A44CBA5
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00411476
      • Part of subcall function 00407630: IsWindow.USER32(00000000), ref: 00407639
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: H_prolog3_Window
    • String ID: closebtn$maxbtn$minbtn$restorebtn
    • API String ID: 2696129371-318950520
    • Opcode ID: 62698be94f7dc7ad0b63c94b732ce31940bb588fa4333b6d01381af64b884f7e
    • Instruction ID: 6f9ffc090aa6dfcd181c239df31f784123a3faf6ab3f619b16a0872e6230441a
    • Opcode Fuzzy Hash: 62698be94f7dc7ad0b63c94b732ce31940bb588fa4333b6d01381af64b884f7e
    • Instruction Fuzzy Hash: 97118A30640118A6DB24DB61CD06FED7B72BF80B48F0440AEB6593B1E3DF741E86D659
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
    • String ID:
    • API String ID: 1559183368-0
    • Opcode ID: cf55316e8b523b0fe092cde6718dcae5f489298fe9c78f7c868b6204eb2b568f
    • Instruction ID: 5bd653ba7eb2459a039ae675064f794ed683bfbb116321bbf046d42a0c0b81bf
    • Opcode Fuzzy Hash: cf55316e8b523b0fe092cde6718dcae5f489298fe9c78f7c868b6204eb2b568f
    • Instruction Fuzzy Hash: 68519871A007059BDF249F69A88856E7FB6BFC0320F14C729F83D962D1D7B19D50AB42
    APIs
    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,00000000,?,003FD70F,?,00000000), ref: 00445D5C
    • WinHttpReadData.WINHTTP(?,?,00001000,?), ref: 00445D8D
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00445DC6
    • WinHttpReadData.WINHTTP(?,?,00001000,00000000), ref: 00445DE6
    • CloseHandle.KERNEL32(00000000), ref: 00445DF5
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: DataFileHttpRead$CloseCreateHandleWrite
    • String ID:
    • API String ID: 1165887302-0
    • Opcode ID: 35f8fe6315d74144c4225b4d0a741de645bfddb76f0d98b44e8d7ffc94c87127
    • Instruction ID: 99ce1e7762ecc2c8f3c07ba6cfbe9c00315e728e943b8a3fe95f34daa695cae6
    • Opcode Fuzzy Hash: 35f8fe6315d74144c4225b4d0a741de645bfddb76f0d98b44e8d7ffc94c87127
    • Instruction Fuzzy Hash: E621B375A00558AFEB21CF14DC49FEA73BCEF08701F508196B544D7191DBB4AE889B64
    APIs
    • _memset.LIBCMT ref: 0040A06D
    • __itow.LIBCMT ref: 0040A07B
      • Part of subcall function 0057C22C: _xtow@16.LIBCMT ref: 0057C24D
    • SelectObject.GDI32(?,00000000), ref: 0040A0D1
    • GetTextMetricsW.GDI32(?,00000000), ref: 0040A0E5
    • SelectObject.GDI32(?,00000000), ref: 0040A0F5
      • Part of subcall function 00409E1D: SelectObject.GDI32(?), ref: 00409E4C
      • Part of subcall function 00409E1D: GetTextMetricsW.GDI32(?,0064F024), ref: 00409E5B
      • Part of subcall function 00409E1D: SelectObject.GDI32(?,00000000), ref: 00409E68
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ObjectSelect$MetricsText$__itow_memset_xtow@16
    • String ID:
    • API String ID: 2432869640-0
    • Opcode ID: 224211341f8a6c3c59b2987f732c7686e369acaa559e2f00a787f4e6f2c3db59
    • Instruction ID: edf829914d76de33024be3595e6dda7d4a822d083839da89c6e357b95144327b
    • Opcode Fuzzy Hash: 224211341f8a6c3c59b2987f732c7686e369acaa559e2f00a787f4e6f2c3db59
    • Instruction Fuzzy Hash: 57118E71600208AFDB10EFA5DC85FDA7BA9EB58300F00407AFA08B7292DF719D588B65
    APIs
    • GetClipBox.GDI32(0040B551,?), ref: 00419201
    • CreateRectRgnIndirect.GDI32(?), ref: 00419211
    • CreateRectRgnIndirect.GDI32(?), ref: 0041921A
    • CombineRgn.GDI32(00000000,00000000,?,00000001), ref: 00419226
    • SelectClipRgn.GDI32(0040B551,?), ref: 00419230
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ClipCreateIndirectRect$CombineSelect
    • String ID:
    • API String ID: 4086972238-0
    • Opcode ID: 18ecb1032044ebcd28eaca201820b56a2e3f99147247d41a5c22f0bae7a43a8b
    • Instruction ID: 30f4ecb99c0dfd3a2749d026354426202753af4f4cce1058f534b3cea8404732
    • Opcode Fuzzy Hash: 18ecb1032044ebcd28eaca201820b56a2e3f99147247d41a5c22f0bae7a43a8b
    • Instruction Fuzzy Hash: B9110072900A09AFCB01DFA5DD488EBBBB9FF49310B104155F905B7110D771BA59CBE1
    APIs
    • RegisterWaitForSingleObject.KERNEL32(00000000,?,00000000,005AD226,000000FF,0000000C), ref: 005896FF
    • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,0059AF93,?,?,?,?,?,005865C2,000000FF,00000001), ref: 00589709
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00589728
    • __CxxThrowException@8.LIBCMT ref: 00589736
    • SetThreadAffinityMask.KERNEL32(?,?), ref: 00589769
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: AffinityConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastMaskObjectRegisterSingleThreadThrowWait
    • String ID:
    • API String ID: 2773543435-0
    • Opcode ID: d493291c8b2b74273323ef382a5d4c67bd1acc0baf793a1c70ff2752e1266f57
    • Instruction ID: fbd8ec63c8f96ecff313d7c814b2eaaecb7dc2d88f11d534a4c2c54333c1a930
    • Opcode Fuzzy Hash: d493291c8b2b74273323ef382a5d4c67bd1acc0baf793a1c70ff2752e1266f57
    • Instruction Fuzzy Hash: A8019E3511420ABBCF01BFA4DC09EAE3FADFF49710F204565B919E51A1DA32DA10AB51
    APIs
    • vswprintf.LIBCMT ref: 00408539
      • Part of subcall function 0057BF9F: __vsnwprintf_l.LIBCMT ref: 0057BFB0
    • _malloc.LIBCMT ref: 00408548
      • Part of subcall function 00579A68: __FF_MSGBANNER.LIBCMT ref: 00579A7F
      • Part of subcall function 00579A68: __NMSG_WRITE.LIBCMT ref: 00579A86
      • Part of subcall function 00579A68: RtlAllocateHeap.NTDLL(01230000,00000000,00000001,00000001,?,?,?,0057A197,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579AAB
    • _memset.LIBCMT ref: 00408553
    • vswprintf.LIBCMT ref: 00408564
      • Part of subcall function 004082FA: _free.LIBCMT ref: 0040832D
      • Part of subcall function 004082FA: _wcsncpy.LIBCMT ref: 0040836A
    • _free.LIBCMT ref: 0040857A
      • Part of subcall function 00579A30: RtlFreeHeap.NTDLL(00000000,00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A44
      • Part of subcall function 00579A30: GetLastError.KERNEL32(00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A56
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Heap_freevswprintf$AllocateErrorFreeLast__vsnwprintf_l_malloc_memset_wcsncpy
    • String ID:
    • API String ID: 2224802427-0
    • Opcode ID: c1da4308e9f02d9af917e0e70c26264ce553810c4cc210468d7086516128ffef
    • Instruction ID: b752ee8d3e0521ad1038ea6f4023bc837b47d8d9600d0b5af477e579981c721c
    • Opcode Fuzzy Hash: c1da4308e9f02d9af917e0e70c26264ce553810c4cc210468d7086516128ffef
    • Instruction Fuzzy Hash: F4F0247210021A7FEB00AF64EC46FEB775DFF84364F004625FA1A961C2EA31A900C7B4
    APIs
    • TlsSetValue.KERNEL32(00000000,003FA452,00000000,003FA452,00000000,?,-00000003,003FA452,7591DF10,?,?,?,?,005865C2,000000FF,00000001), ref: 00589840
    • GetLastError.KERNEL32(?,?,?,?,005865C2,000000FF,00000001,003FA452,?,?,00564F7E,?,?,?,00000001,00000001), ref: 0058984A
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00589866
    • __CxxThrowException@8.LIBCMT ref: 00589874
    • UnregisterWait.KERNEL32(?), ref: 00589880
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowUnregisterValueWait
    • String ID:
    • API String ID: 4170064228-0
    • Opcode ID: ee8a5397b71c506da6817aea801e7288e06adb67446b91af484fc064ca2bb52f
    • Instruction ID: aa318f3b716eb499bcc580809724e2131c010eb9cdc51f039adccfdefcb5d634
    • Opcode Fuzzy Hash: ee8a5397b71c506da6817aea801e7288e06adb67446b91af484fc064ca2bb52f
    • Instruction Fuzzy Hash: EDF0A03440410EABCF007FA2EC099BB7FACFB01741F048455BC1CD1162EB32DA18AB95
    APIs
      • Part of subcall function 00496120: SetEvent.KERNEL32(00000000), ref: 004961E6
    • SetEvent.KERNEL32(00000000,00000004,?,?,.cfg,00000004,?,.tmp,00000004,00000000), ref: 00496052
    • SetEvent.KERNEL32(00000000,?,00000004,?,?,.cfg,00000004,?,.tmp,00000004,00000000), ref: 004960AC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Event
    • String ID: .cfg$.tmp
    • API String ID: 4201588131-2831898985
    • Opcode ID: 079a1b78cde65f7932d619536b0b3ca6501af3e673cc49eb8101a05351bc743d
    • Instruction ID: 77e3b00f753b37174bc39f588ce07f6c596e28114b05895aa0fc55997651c3e9
    • Opcode Fuzzy Hash: 079a1b78cde65f7932d619536b0b3ca6501af3e673cc49eb8101a05351bc743d
    • Instruction Fuzzy Hash: E6C1B070D04349DFDF11DBA8C888BDEBBB5BF05314F24416AE415AB381DB79AA48CB94
    APIs
    • std::exception::exception.LIBCMT ref: 004B27DA
    • std::exception::exception.LIBCMT ref: 004B282B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::exception::exception
    • String ID: `y\$string too long
    • API String ID: 2807920213-3546482692
    • Opcode ID: cd739991903f0009cc6572fe2569d838f3f2092c78045c00a802a4c908864852
    • Instruction ID: c643562ded35069730953fa4680e7e39b28ce3a4b692c2119f440cd0e521c4dc
    • Opcode Fuzzy Hash: cd739991903f0009cc6572fe2569d838f3f2092c78045c00a802a4c908864852
    • Instruction Fuzzy Hash: 1C910070A04289DFDB14CF68CA84B9ABBB5FF16314F10066AE0559B381C7B9E944CBA5
    APIs
    • __EH_prolog3.LIBCMT ref: 0043D6AE
      • Part of subcall function 00407E68: _malloc.LIBCMT ref: 00407E83
      • Part of subcall function 005775E3: _malloc.LIBCMT ref: 005775FB
      • Part of subcall function 004338BF: _memset.LIBCMT ref: 00433901
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _malloc$H_prolog3_memset
    • String ID: TreeNode$align$left
    • API String ID: 1155900004-2292253626
    • Opcode ID: 79a2eaca4d99c512eba3d514f2cde3c58e73119e703fd974aa7af517ef3a9aa1
    • Instruction ID: 99e7f58ca1b6962de9b8a8a13d972e56808fb2ed94a2519c83aa2049f1ef94df
    • Opcode Fuzzy Hash: 79a2eaca4d99c512eba3d514f2cde3c58e73119e703fd974aa7af517ef3a9aa1
    • Instruction Fuzzy Hash: 14819174B016429FE708DF74D448BA9FBA2BF88304F1441AEE459AB3A1CB766D20CB55
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memset
    • String ID: bad codelengths$bad sizes
    • API String ID: 2102423945-2666559174
    • Opcode ID: e2d6a1576e7ea136478c24e385fefd9f218c32508ab62b4d2c62556ed7b8e8ce
    • Instruction ID: ad467de9e35bd788f019dc168c601f58f46b90033dcff730c4a924ced883d944
    • Opcode Fuzzy Hash: e2d6a1576e7ea136478c24e385fefd9f218c32508ab62b4d2c62556ed7b8e8ce
    • Instruction Fuzzy Hash: 4961CF71A002198BDB18CE29CC917ADB7B1FF89305F1481BEE95DD3342EA389985CF54
    APIs
      • Part of subcall function 003E4A00: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 003E4A99
    • _memmove.LIBCMT ref: 003E4265
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memmove
    • String ID: XE>$invalid string position$string too long
    • API String ID: 2765667529-2215234922
    • Opcode ID: 43acaf250a12bdc5ebbf1366a1e57d50b98cbf39c4cd53f13df65574d7fee98b
    • Instruction ID: a08cfa0405c61a4ace5e47b72bde25f782e0cc3f11ef8d5a4b21a6305b73bae2
    • Opcode Fuzzy Hash: 43acaf250a12bdc5ebbf1366a1e57d50b98cbf39c4cd53f13df65574d7fee98b
    • Instruction Fuzzy Hash: 5B41FD323107658B8725DE9DE8C086AB3EAFFD87103214B2EF645CB690D731E84587A4
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _wcsstr
    • String ID: IListItem$ListHeader$ListHeaderItem
    • API String ID: 1512112989-3411355835
    • Opcode ID: f65d8e42329dcf107cc8ca7c08ee5891e62b9197d1fc6bb3fa2b7516c707a208
    • Instruction ID: abf13b8cd6c35cb0b2870a592a27baba27c06fcfe5ebad58dd8f81dc897ed491
    • Opcode Fuzzy Hash: f65d8e42329dcf107cc8ca7c08ee5891e62b9197d1fc6bb3fa2b7516c707a208
    • Instruction Fuzzy Hash: 67416D70300A009FD718DF26C898A2ABBE6FF89315B14056EE257DB7A1CB35EC41CB54
    APIs
    • __Getcvt.LIBCPMT ref: 0040366E
      • Part of subcall function 00562FF0: ____lc_codepage_func.LIBCMT ref: 00563007
      • Part of subcall function 00562FF0: ____mb_cur_max_func.LIBCMT ref: 00563010
      • Part of subcall function 00562FF0: ____lc_locale_name_func.LIBCMT ref: 00563018
    • __Getcvt.LIBCPMT ref: 004036A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Getcvt$____lc_codepage_func____lc_locale_name_func____mb_cur_max_func
    • String ID: false$true
    • API String ID: 4247442312-2658103896
    • Opcode ID: d0965761d7b83e2540ff4acaa08e791c6cfd8ae7bab4e79d780f6e6277b85674
    • Instruction ID: e40875d144eebdd6b44585024f98fa1d13c50a90718aa60eecc02a28ae3c8637
    • Opcode Fuzzy Hash: d0965761d7b83e2540ff4acaa08e791c6cfd8ae7bab4e79d780f6e6277b85674
    • Instruction Fuzzy Hash: E0413672D046859FCB21CF68C84076BBFA4FB85310F1485AED8445B346D77AAA04CBA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _free_memset
    • String ID: bad file$too large
    • API String ID: 287624719-3799606378
    • Opcode ID: 23ef972d6e4f15995163602605690d70901aa96b1ab7a2019a0deaaf3806e60b
    • Instruction ID: f18317f4fcc02d0101b3253142ff3d3cc5787e83922efaf13993581fd0be53ca
    • Opcode Fuzzy Hash: 23ef972d6e4f15995163602605690d70901aa96b1ab7a2019a0deaaf3806e60b
    • Instruction Fuzzy Hash: E031D671300235BFD7149F26EC81F7B77A8FF05754F90412BF90892241D7B99861CAAA
    APIs
    • GetLastError.KERNEL32(9C3DCF4C,?,00000000,?,?), ref: 00561C07
    • __CxxThrowException@8.LIBCMT ref: 00561D17
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ErrorException@8LastThrow
    • String ID: D,]$boost::filesystem::status
    • API String ID: 1006195485-3038181781
    • Opcode ID: dcc5915149ef5b295d56e389379e30b5e4bb728471da8960fc468f8d4a60a829
    • Instruction ID: 78b1d4d7ae0f2fa02475a5a57bd157c4c6c52ef5e10e18b3a900a71005c53336
    • Opcode Fuzzy Hash: dcc5915149ef5b295d56e389379e30b5e4bb728471da8960fc468f8d4a60a829
    • Instruction Fuzzy Hash: F541E171A04B408FC730DF18C884A2BBFF5FF96710F04892EE5558B292DBB49844CB92
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _wcsstr
    • String ID: IListItem$ListHeader$ListHeaderItem
    • API String ID: 1512112989-3411355835
    • Opcode ID: 6f473e45a82e503f53e89859ea4822585794d2923968af33c172ae545c3ca40a
    • Instruction ID: 77bb316f3acc30746ddf927d5ce91b1a71cf607952b24dc288cc732e8e70e74a
    • Opcode Fuzzy Hash: 6f473e45a82e503f53e89859ea4822585794d2923968af33c172ae545c3ca40a
    • Instruction Fuzzy Hash: E7314B70700A01AFD70C9F25D898E29BBE5FF89305B14006DE616DBBA1CB35EC60CBA5
    APIs
      • Part of subcall function 0041ABCD: _memset.LIBCMT ref: 0041ABEE
      • Part of subcall function 0041ABCD: GetObjectW.GDI32(?,0000005C,?), ref: 0041AC19
      • Part of subcall function 0041ABCD: GetDeviceCaps.GDI32(00000000), ref: 0041AC5B
      • Part of subcall function 0041ABCD: _wcscpy.LIBCMT ref: 0041ACB5
      • Part of subcall function 0041ACCF: _memset.LIBCMT ref: 0041ACE0
    • LoadLibraryW.KERNEL32(msftedit.dll,?,?,?), ref: 0041AB62
    • GetProcAddress.KERNEL32(00000000,CreateTextServices), ref: 0041AB72
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$AddressCapsDeviceLibraryLoadObjectProc_wcscpy
    • String ID: CreateTextServices$msftedit.dll
    • API String ID: 2821896656-260715840
    • Opcode ID: c0452f9622e298c0cad836937ef4f45084c459291fa44f1f6e07cf96f41d4d23
    • Instruction ID: 4355d2ed2835bd95a2798ba22a9147af888baf4158e4d63adcd8ce4f49f09729
    • Opcode Fuzzy Hash: c0452f9622e298c0cad836937ef4f45084c459291fa44f1f6e07cf96f41d4d23
    • Instruction Fuzzy Hash: 3E31EC312057459FD320CF64C805BA7B7E9EF44704F000A1EEA5AC7280D778FA98CBAA
    APIs
    • IsZoomed.USER32(?), ref: 004119B8
    • MonitorFromWindow.USER32(00000000,00000002), ref: 004119E2
    • GetMonitorInfoW.USER32(00000000), ref: 004119E9
      • Part of subcall function 00408841: OffsetRect.USER32(?,?,?), ref: 0040884B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Monitor$FromInfoOffsetRectWindowZoomed
    • String ID: (
    • API String ID: 1941046686-3887548279
    • Opcode ID: 6d6f169d07899bda1571919f367ebecc6a7ed66658c4fa67e12c1bd2532e9364
    • Instruction ID: e205644fd0ad86b5bb680977cff061c62f3c59379021e6cb14bcc60e8dafdeea
    • Opcode Fuzzy Hash: 6d6f169d07899bda1571919f367ebecc6a7ed66658c4fa67e12c1bd2532e9364
    • Instruction Fuzzy Hash: D7212172A01109AFCF04DFA5D995DEEB7B8FF15300F14446AF506E7291DE34AA04CB55
    APIs
    • IsZoomed.USER32(00000000), ref: 00411CD8
    • IsZoomed.USER32(00000000), ref: 00411CF7
      • Part of subcall function 00407AE3: SendMessageW.USER32(00000000,?,?,?), ref: 00407AF2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Zoomed$MessageSend
    • String ID: maxbtn$restorebtn
    • API String ID: 239802086-341968062
    • Opcode ID: 2099f0f6c012698391aeaeeaaf73d9fc28c2733348d36c5b4a847c3d9582aec8
    • Instruction ID: 7c45ce6acc5ec3dcc84b4227811867e4dec957a75b720842d325131919b8c6b1
    • Opcode Fuzzy Hash: 2099f0f6c012698391aeaeeaaf73d9fc28c2733348d36c5b4a847c3d9582aec8
    • Instruction Fuzzy Hash: 36110A367003146BCF105F66DC44BAEBBA9AF84750F54452AF905EB7D1CB78ED808B94
    APIs
    • LoadCursorW.USER32(00000000,00007F00), ref: 0040EF58
    • SetCursor.USER32(00000000), ref: 0040EF5F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Cursor$Load
    • String ID: menu$timer
    • API String ID: 1675784387-2593718399
    • Opcode ID: 90e96d5e3d8232603796deb9940a302b3ad8fdbbbcfdfb4a56607dd2fee1b3b8
    • Instruction ID: 685a6cc9b813de1e6c8ede6920e147ea79fd66630a5b678df39c1aa13365e516
    • Opcode Fuzzy Hash: 90e96d5e3d8232603796deb9940a302b3ad8fdbbbcfdfb4a56607dd2fee1b3b8
    • Instruction Fuzzy Hash: 26118C31208302FFDB245B96CC44FA6BB65AB55711F10083BF246672D1C3B9E8729B9A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _wcscmp
    • String ID: Container$IContainer
    • API String ID: 856254489-2633171450
    • Opcode ID: 802d7d7e05b98dacda505e07b10c42a89094e1b7b7e323b97dd334862e7c7c60
    • Instruction ID: 029a90822ed5d95b0595dea6eb44c037c1f4cc7142f609ae02c1f44875642e3d
    • Opcode Fuzzy Hash: 802d7d7e05b98dacda505e07b10c42a89094e1b7b7e323b97dd334862e7c7c60
    • Instruction Fuzzy Hash: 07E0E53134432A6A8A185D14F80295BAEB8AB507B6790803BFC8595240EBAEEA419198
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: IntersectRect$CaretFocus
    • String ID:
    • API String ID: 3821461340-0
    • Opcode ID: c9ab78c57531cfaec825aafaf6ef3d5b48586b96cb3fff58c87c27bef22e7298
    • Instruction ID: 5a67f2afc1520e313187e7d5330a5dca87f845bedba35e920ea86b29ca7b33ed
    • Opcode Fuzzy Hash: c9ab78c57531cfaec825aafaf6ef3d5b48586b96cb3fff58c87c27bef22e7298
    • Instruction Fuzzy Hash: 7E818130A01205DFDF24CFA4C884AEA77F5AF59300F1444AEE846AB352CB369D99CB57
    APIs
    • __Getcvt.LIBCPMT ref: 00564BB3
    • MultiByteToWideChar.KERNEL32(004B80E1,00000009,00000000,00000002,00000000,00000000,00000000,00000001,00000000), ref: 00564C01
    • MultiByteToWideChar.KERNEL32(004B80E1,00000009,004B994F,03087EC0,00000000,00000000,00000000,00000001,00000000), ref: 00564C77
    • MultiByteToWideChar.KERNEL32(004B80E1,00000009,004B994F,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00564C9F
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: ByteCharMultiWide$Getcvt
    • String ID:
    • API String ID: 3195005509-0
    • Opcode ID: 0729ff306510941bee2fdb1e82dfa6eafe328de4010659be5dcdd2c1f08304d3
    • Instruction ID: 7cff47ca3e56a6f02bcd04cbbbdb88835b7fc65e65ed8bcedb0288d05b962b46
    • Opcode Fuzzy Hash: 0729ff306510941bee2fdb1e82dfa6eafe328de4010659be5dcdd2c1f08304d3
    • Instruction Fuzzy Hash: 3241AD31A0434AAFEB218FA4D884B6ABFB9BF46710F148869F8519B290D771DC94DF50
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
    • String ID:
    • API String ID: 2782032738-0
    • Opcode ID: 8eca6c1e9947a7c61f684b368565cd8c3232d9019a85a16c9d98d3948468a18a
    • Instruction ID: b1abb37bdb7466ae74a085ca6af710605c0740dca545a1c11059b6589754d5c5
    • Opcode Fuzzy Hash: 8eca6c1e9947a7c61f684b368565cd8c3232d9019a85a16c9d98d3948468a18a
    • Instruction Fuzzy Hash: 7641D234A00706ABDB2C9FA9E8845AE7FB5FFC0360B24C52DE81DC7240EA70DD41AB51
    APIs
    • GetFileAttributesW.KERNEL32(?,9C3DCF4C,00000000,003FDF89,?,00000000,9C3DCF4C,005C28F0,000000FF,0048EBB7,9C3DCF4C,?,00000000,00000000,00000000,000000FF), ref: 005620AB
    • CreateFileW.KERNEL32(?,?,?,?,?,00000000,00000007,00000000,00000003,02000000,00000000), ref: 00562111
    • CloseHandle.KERNEL32(00000000), ref: 00562182
    • CloseHandle.KERNEL32 ref: 00562193
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CloseFileHandle$AttributesCreate
    • String ID:
    • API String ID: 1279197413-0
    • Opcode ID: 6b57057066e723fe648261d021ae294061b957fd442c3c86abda8cb2d27f8364
    • Instruction ID: a3e6dd377432fbd7e1a036057a9bdd27470acf69234cf1fbc760088bf1faba4e
    • Opcode Fuzzy Hash: 6b57057066e723fe648261d021ae294061b957fd442c3c86abda8cb2d27f8364
    • Instruction Fuzzy Hash: D2419F70509741DFD310DF28DC49B1ABBF4FB8A724F044A2DF95997291D7359904CB52
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID:
    • API String ID: 4104443479-0
    • Opcode ID: 7bb0e96c2e88eedad4452e903dc7e497b2e728c94604f45bcf06594d198f53a5
    • Instruction ID: b70074e744d7784a369d8f7d56c507ad90c424ed4bf99f20326322f9bfb8ef31
    • Opcode Fuzzy Hash: 7bb0e96c2e88eedad4452e903dc7e497b2e728c94604f45bcf06594d198f53a5
    • Instruction Fuzzy Hash: F63192727010189BCB24DE6DED8596BBBA9EB89311708866AE948DB305DA71FD10C790
    APIs
    • __EH_prolog3.LIBCMT ref: 00430B66
      • Part of subcall function 0040EB3C: __EH_prolog3.LIBCMT ref: 0040EB43
      • Part of subcall function 0040EB3C: _memset.LIBCMT ref: 0040ECE7
      • Part of subcall function 0040EB3C: _memset.LIBCMT ref: 0040ECF6
      • Part of subcall function 00409027: __EH_prolog3.LIBCMT ref: 0040902E
    • _memset.LIBCMT ref: 00430D3B
    • _memset.LIBCMT ref: 00430D49
    • _memset.LIBCMT ref: 00430D57
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset$H_prolog3
    • String ID:
    • API String ID: 2144794740-0
    • Opcode ID: d9ca4acfaf8894d00908802ed299237a28e091e67e652447877a03f8b2d66585
    • Instruction ID: 744a83d0b994377e0e57ad5c3d6a64e31e84ec4d519445897c5a975106c284ad
    • Opcode Fuzzy Hash: d9ca4acfaf8894d00908802ed299237a28e091e67e652447877a03f8b2d66585
    • Instruction Fuzzy Hash: 73513C74405B84DED725EBB5C146BDABBE0AF55308F40485ED4AE23283DB793608DB26
    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0057F4D6
    • __isleadbyte_l.LIBCMT ref: 0057F504
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 0057F532
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 0057F568
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    • Opcode ID: 6829ef4d20b2b18980367431eb42ced07cfb406d500eb281657f79b06ce18795
    • Instruction ID: 81ba25418acf0f3bda43f5d1d18f126ea466d9703ac20a80df7dd10a1f17aa22
    • Opcode Fuzzy Hash: 6829ef4d20b2b18980367431eb42ced07cfb406d500eb281657f79b06ce18795
    • Instruction Fuzzy Hash: 2B31AF31600246AFDF21CE64E849ABB7FEAFF41310F158429E86D871A1E730D850EB90
    APIs
    • _memset.LIBCMT ref: 0041ABEE
    • GetObjectW.GDI32(?,0000005C,?), ref: 0041AC19
    • GetDeviceCaps.GDI32(00000000), ref: 0041AC5B
    • _wcscpy.LIBCMT ref: 0041ACB5
      • Part of subcall function 00409ED2: _memset.LIBCMT ref: 00409EF3
      • Part of subcall function 00409ED2: __itow.LIBCMT ref: 00409F01
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memset$CapsDeviceObject__itow_wcscpy
    • String ID:
    • API String ID: 3720170408-0
    • Opcode ID: 5c5654d453bde5a1ed4db58e284c859e4d04d8cb775fd3c8c45ebcfd1a118c74
    • Instruction ID: 00b04c9e894a8e7cda168bfc4a39e64299d20f528a3da161526fda61f43587ef
    • Opcode Fuzzy Hash: 5c5654d453bde5a1ed4db58e284c859e4d04d8cb775fd3c8c45ebcfd1a118c74
    • Instruction Fuzzy Hash: F231E671A04215AFDB14DF74C8496AEBBF5FF49300F00426EE90AD7282DB38A954CBD1
    APIs
    • __EH_prolog3.LIBCMT ref: 0043AF34
      • Part of subcall function 00422B20: __EH_prolog3.LIBCMT ref: 00422B27
      • Part of subcall function 00422B20: _memset.LIBCMT ref: 00422B93
      • Part of subcall function 00409027: __EH_prolog3.LIBCMT ref: 0040902E
      • Part of subcall function 00435512: __EH_prolog3.LIBCMT ref: 00435519
    • _memset.LIBCMT ref: 0043B013
    • _memset.LIBCMT ref: 0043B0B0
    • _memset.LIBCMT ref: 0043B0C2
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: H_prolog3_memset
    • String ID:
    • API String ID: 2828583354-0
    • Opcode ID: 3410fc50bbeb2300d814b439f617ccd0d21fcabc7dc3ff29b29e3b3bfd37a52c
    • Instruction ID: 6eb751a286e9a3c053320154c4f761551e6d48aef7e117a29596afbeef82fab5
    • Opcode Fuzzy Hash: 3410fc50bbeb2300d814b439f617ccd0d21fcabc7dc3ff29b29e3b3bfd37a52c
    • Instruction Fuzzy Hash: 204137B0A01B42AEE308DF7984867D9FBA4BF44304F50435EE16D97282DB753624DB96
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CreateDirectory_wcscat_wcscpy_wcsncpy
    • String ID:
    • API String ID: 1009494372-0
    • Opcode ID: 4c350b80f6df7b4d5e403891d277def5fa26c76be415590a2967c5449247c598
    • Instruction ID: eacb97bd6456f22939d47a69e9f05f42ce39f6e2c800e38ece67412144fe4f6b
    • Opcode Fuzzy Hash: 4c350b80f6df7b4d5e403891d277def5fa26c76be415590a2967c5449247c598
    • Instruction Fuzzy Hash: 86113FF291121C5BCF20AB64DC89AFFB7BCEF84710F1044ABF94993141DA349E818765
    APIs
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,003FA1C0,9C3DCF4C), ref: 003FA0FB
    • _malloc.LIBCMT ref: 003FA105
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 003FA126
    • _free.LIBCMT ref: 003FA163
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ByteCharMultiWide$_free_malloc
    • String ID:
    • API String ID: 3826319649-0
    • Opcode ID: db005594486b783b9c035b875ee2d8451f433b5446ad262e5801c338037b307e
    • Instruction ID: ad348197568ff747e5b4cdd3b7cb79fd82339a8b812c635c07149d25afd3c39e
    • Opcode Fuzzy Hash: db005594486b783b9c035b875ee2d8451f433b5446ad262e5801c338037b307e
    • Instruction Fuzzy Hash: 2D11C4B1204754BFEB214F189C0AF66BBA8DB81B20F20421DFA5A5B3C1D7B16904D7A6
    APIs
    • PostQueuedCompletionStatus.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,?,?,0046334C,00000000,0000000C,00000000,00000000), ref: 00449B8D
    • EnterCriticalSection.KERNEL32(?,?,0046334C,00000000,0000000C,00000000,00000000), ref: 00449B9B
    • InterlockedExchange.KERNEL32(?,00000001), ref: 00449BE7
    • LeaveCriticalSection.KERNEL32(?,?,0046334C,00000000,0000000C,00000000,00000000), ref: 00449BF1
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
    • String ID:
    • API String ID: 4018804020-0
    • Opcode ID: b996068dc25afd77e5f2792e285e19684021118cb85d2883ac7f00d1d47ca950
    • Instruction ID: 6e910e342b73b3161edf6c02655bcc38b70eb62ed0594f58ee00643143e6e7e3
    • Opcode Fuzzy Hash: b996068dc25afd77e5f2792e285e19684021118cb85d2883ac7f00d1d47ca950
    • Instruction Fuzzy Hash: B5213370601692AFEB208F15E984B93BBE8FF04B04F1400AAE805CBB44D374F915EBA5
    APIs
    • EnterCriticalSection.KERNEL32(00000018,9C3DCF4C,0000000A,?,005BE708,000000FF,?,00494E81,?,?,00000001), ref: 00496540
    • LeaveCriticalSection.KERNEL32(00000018,00494E81,000003E3,?,?,?,000003E3), ref: 004965C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: D,]$D,]
    • API String ID: 3168844106-3924630449
    • Opcode ID: b4b89726c18ff6ddddf64969767866be4b71dc52285ce09096230f011984936f
    • Instruction ID: 11591e0bd3642601a934eed1c480ce7a32e7c3e74ef829f835749b81130189e2
    • Opcode Fuzzy Hash: b4b89726c18ff6ddddf64969767866be4b71dc52285ce09096230f011984936f
    • Instruction Fuzzy Hash: 53117275904644EFCB01DF98D844ADEBFF9FB5A324F00052AE801A7352DB795605CBA4
    APIs
    • _free.LIBCMT ref: 003F1E8A
      • Part of subcall function 00579A30: RtlFreeHeap.NTDLL(00000000,00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A44
      • Part of subcall function 00579A30: GetLastError.KERNEL32(00000000,?,0058C189,00000000,00000001,00000000,?,?,?,0057A0C0,0056271F,?), ref: 00579A56
    • _free.LIBCMT ref: 003F1EB1
    • _free.LIBCMT ref: 003F1EC9
    • _free.LIBCMT ref: 003F1EE8
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: c691cf9a287914a8543d54a46cc903bfb707c5d831cbabc1e89711eef4719867
    • Instruction ID: a2d0adb44dd08c6bf1bcfdef33d89363f37c20e4a62ce5d4f253e95bc35b015d
    • Opcode Fuzzy Hash: c691cf9a287914a8543d54a46cc903bfb707c5d831cbabc1e89711eef4719867
    • Instruction Fuzzy Hash: 4C01C872802925978B126F54BC05A3BBF65BEF532071A8198ED1C27615D731FC11DAD1
    APIs
    • _xtime_get.LIBCPMT ref: 004447D9
      • Part of subcall function 00563691: __Xtime_get_ticks.LIBCPMT ref: 005636A8
      • Part of subcall function 00563691: __aulldvrm.LIBCMT ref: 005636B6
    • __Xtime_diff_to_millis2.LIBCPMT ref: 004447E6
      • Part of subcall function 00563589: _xtime_diff.LIBCPMT ref: 0056359B
    • Concurrency::wait.LIBCMT ref: 004447EC
      • Part of subcall function 0057E8A0: __EH_prolog3.LIBCMT ref: 0057E8A7
    • __Thrd_sleep.LIBCPMT ref: 00444806
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::waitH_prolog3Thrd_sleepXtime_diff_to_millis2Xtime_get_ticks__aulldvrm_xtime_diff_xtime_get
    • String ID:
    • API String ID: 233342065-0
    • Opcode ID: 98d2573f24e8d953cc2a7ccb4310e239525d6ca4e3eaa2a8ead05aa3d5e0e50b
    • Instruction ID: fd8b7fbc49366b3643a2215269c5d45d6a049b0cf53fa1948b947aa658ef37cc
    • Opcode Fuzzy Hash: 98d2573f24e8d953cc2a7ccb4310e239525d6ca4e3eaa2a8ead05aa3d5e0e50b
    • Instruction Fuzzy Hash: 03018872D0024D5ACF00EBF4E94B9EE77BCAF49304F500595F90AA7142EE359B14C7A1
    APIs
    • GetLastError.KERNEL32(?,?,?,?,?,-00000003,003FA452), ref: 00589429
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00589445
    • __CxxThrowException@8.LIBCMT ref: 00589453
    • CreateThread.KERNEL32(006394D4,?,?,?,?,?), ref: 0058946E
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8LastThreadThrow
    • String ID:
    • API String ID: 4022716757-0
    • Opcode ID: e74bbe715591e0624df212c1666560e4d8c0c9a598606cdc14cdb189277c7975
    • Instruction ID: a22206406e07306d79eb14c672b617fcaa2667fb78769dcee7f46059e1552c90
    • Opcode Fuzzy Hash: e74bbe715591e0624df212c1666560e4d8c0c9a598606cdc14cdb189277c7975
    • Instruction Fuzzy Hash: 56F0863114410AAADF117EA09C06FBA3F5DBB04740F448455FE18951A2E672D9216791
    APIs
    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCMT ref: 0059A3C7
      • Part of subcall function 005AC19B: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCMT ref: 005AC1C2
      • Part of subcall function 005AC19B: Concurrency::details::InternalContextBase::PrepareForUse.LIBCMT ref: 005AC1D9
      • Part of subcall function 005AC19B: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCMT ref: 005AC23C
      • Part of subcall function 005AC19B: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCMT ref: 005AC244
    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 0059A3DF
    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0059A3E9
    • __CxxThrowException@8.LIBCMT ref: 0059A409
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::details::Context$Base::$Internal$Scheduler$AvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushThrowVirtualWork
    • String ID:
    • API String ID: 2737591251-0
    • Opcode ID: 2dcc02c9bfa19dc72712ebe23553dc8d4a73f6772b265e13be294809c96587b3
    • Instruction ID: c60c40d41711f48d145ccd24c9f356d32e684e64334a69da37f65f0097d99f93
    • Opcode Fuzzy Hash: 2dcc02c9bfa19dc72712ebe23553dc8d4a73f6772b265e13be294809c96587b3
    • Instruction Fuzzy Hash: C0F0F631A0061A67CF25B625981A57EFF69BFD0B10B00055AF81153252DFA09E0287E3
    APIs
    • __EH_prolog3.LIBCMT ref: 005A2C8D
    • Concurrency::details::_NonReentrantLock::_Acquire.LIBCMT ref: 005A2C9A
    • Concurrency::details::Etw::Etw.LIBCMT ref: 005A2CBA
    • Concurrency::details::Etw::RegisterGuids.LIBCMT ref: 005A2CE0
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::details::Etw::$AcquireConcurrency::details::_GuidsH_prolog3Lock::_ReentrantRegister
    • String ID:
    • API String ID: 3171971413-0
    • Opcode ID: 6abdbcf4384a2d957c0bf946282872b8d4f4982ec36b5ccb88b447f82257178e
    • Instruction ID: 157bc0482ab420afb91d6b5fc0dfb8dce5f5b958f6147a6c1fccee77326ad796
    • Opcode Fuzzy Hash: 6abdbcf4384a2d957c0bf946282872b8d4f4982ec36b5ccb88b447f82257178e
    • Instruction Fuzzy Hash: C4F08970648306ABEF10ABBCAC1B73D2D93B78572BF505558A4055A1C1DFF48D849611
    APIs
      • Part of subcall function 005897D7: TlsAlloc.KERNEL32(?,-00000003,003FA452), ref: 005897DD
      • Part of subcall function 005897D7: GetLastError.KERNEL32 ref: 005897E8
      • Part of subcall function 005897D7: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00589804
      • Part of subcall function 005897D7: __CxxThrowException@8.LIBCMT ref: 00589812
    • TlsAlloc.KERNEL32(?,-00000003,003FA452), ref: 005AD5C5
    • GetLastError.KERNEL32 ref: 005AD5D5
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 005AD5F1
    • __CxxThrowException@8.LIBCMT ref: 005AD5FF
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
    • String ID:
    • API String ID: 3103352999-0
    • Opcode ID: cfb8103105cc39cfd70aa45fc46aab2ae1001a177933349e66872006c1090b74
    • Instruction ID: 00dd292e8b30c6fc428b06dd408a6484f0df132df7479482a848b1742201b027
    • Opcode Fuzzy Hash: cfb8103105cc39cfd70aa45fc46aab2ae1001a177933349e66872006c1090b74
    • Instruction Fuzzy Hash: 80E0657480420A9BC710FBB46C0A97E3EB9BA49719F540A96F826D2992EE6485049B72
    APIs
    • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00597C63,0000FFFF,00000000,?,00000000), ref: 00589634
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00597C63,0000FFFF,00000000,?,00000000,?), ref: 0058963E
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 0058965D
    • __CxxThrowException@8.LIBCMT ref: 0058966B
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
    • String ID:
    • API String ID: 3016159387-0
    • Opcode ID: 0e378dd936c14b5d3e37b8a27ecebba0b6c3ed18ac56a41f99b821005714ef16
    • Instruction ID: aa347c7de75c3ea86e78b6587c8cb06952bd32c6f9c29c208262f298701a0a14
    • Opcode Fuzzy Hash: 0e378dd936c14b5d3e37b8a27ecebba0b6c3ed18ac56a41f99b821005714ef16
    • Instruction Fuzzy Hash: CEE0927460010E97CB10FBB1DD0AABF77FCBA00700F504591BC15E2142FA24DF089766
    APIs
    • __EH_prolog3.LIBCMT ref: 0056334B
    • std::_Cnd_initX.LIBCPMT ref: 0056335C
      • Part of subcall function 005633DB: __Cnd_init.LIBCPMT ref: 005633E2
    • std::_Cnd_waitX.LIBCPMT ref: 00563372
      • Part of subcall function 00563477: __Mtx_init.LIBCPMT ref: 00563481
    • std::_Cnd_initX.LIBCPMT ref: 00563387
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Cnd_initstd::_$Cnd_waitH_prolog3Mtx_init
    • String ID:
    • API String ID: 57613580-0
    • Opcode ID: 84ea647b488a317b94ce2ecc5a5b6ca0734ef69f37ae0cc328ca213459b9aa10
    • Instruction ID: 156b44b4428f9d7917937afe2bce61d8be46bf15442ba629febc57ff8febcd3f
    • Opcode Fuzzy Hash: 84ea647b488a317b94ce2ecc5a5b6ca0734ef69f37ae0cc328ca213459b9aa10
    • Instruction Fuzzy Hash: 59F027318041969ADB01E79484097EEFF60BF41304F044048F4542B283DBF96745C7E2
    APIs
    • TlsAlloc.KERNEL32(?,-00000003,003FA452), ref: 005897DD
    • GetLastError.KERNEL32 ref: 005897E8
    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00589804
    • __CxxThrowException@8.LIBCMT ref: 00589812
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
    • String ID:
    • API String ID: 3103352999-0
    • Opcode ID: 74a7d84924cd35418953758e1b20347000881b89c545c988198482f74a23d4f4
    • Instruction ID: edcc76f4b48f0e6003b8a44cd38ac0588742cedd9652b0d8dc7b3f4e0f80f568
    • Opcode Fuzzy Hash: 74a7d84924cd35418953758e1b20347000881b89c545c988198482f74a23d4f4
    • Instruction Fuzzy Hash: 0DE0863440010A4BCB10BBB46C4D9BF7AACBA01711F544B55B876F11D2DA64990497A2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _free
    • String ID: outofmem
    • API String ID: 269201875-748900114
    • Opcode ID: 67c3c0b822b6bf7843b8ded3bbf38e58fdef96aea2f9fba32a9d87dde1147def
    • Instruction ID: 5e3ec8500b868e0d39d8724518b646ab11c1df01c8037ba3b75247f1569a025c
    • Opcode Fuzzy Hash: 67c3c0b822b6bf7843b8ded3bbf38e58fdef96aea2f9fba32a9d87dde1147def
    • Instruction Fuzzy Hash: 5AA1FA347093B68ECB16CF1894005AEFFB1AE6530078986CFD8D59B343C639BA45DB69
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset
    • String ID: bad dist$bad huffman code
    • API String ID: 2102423945-3023303583
    • Opcode ID: 1ebe9b3c611f9f18461bc6607241dd60d62ba6ed7400ae12ae4a39462588f0ec
    • Instruction ID: 6f5bbeadb32c6bb06b003d892ba995cb96f3b13030d5478ff0c99fdbba8690a7
    • Opcode Fuzzy Hash: 1ebe9b3c611f9f18461bc6607241dd60d62ba6ed7400ae12ae4a39462588f0ec
    • Instruction Fuzzy Hash: 4B516930B00B21AFD724DF26E8C096A77E5EF54318B94C43FE84686641DB78E985C799
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID: invalid string position$string too long
    • API String ID: 4104443479-4289949731
    • Opcode ID: 6014600addae8ddb9b07e795f7fab17dcc1905bf8f72e4bce7d9d2c71b2449da
    • Instruction ID: dc2c13da36a838617c81db1c3ec4d13cd71f388fd247b8beffab35ef16651329
    • Opcode Fuzzy Hash: 6014600addae8ddb9b07e795f7fab17dcc1905bf8f72e4bce7d9d2c71b2449da
    • Instruction Fuzzy Hash: 6A412A323043A08FD726995EEC40A5AF7EAEB91751B20462AF691CB7C1C372DC4183A5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmovestd::exception::exception
    • String ID: $D]
    • API String ID: 3745751609-1103794278
    • Opcode ID: 83a3b05637dada8cb9ea597efe496a9df2e7b1293ecb53dd799e90129847d8f1
    • Instruction ID: 0dae9797df72ebc270cffecacf29001457294b9cf682e2812fb123aff5c3e24f
    • Opcode Fuzzy Hash: 83a3b05637dada8cb9ea597efe496a9df2e7b1293ecb53dd799e90129847d8f1
    • Instruction Fuzzy Hash: D0514BB56002058FCB14CF68C584B9ABBF5FF4A308F2042AAE8149F356D776E905CB94
    APIs
      • Part of subcall function 003E1400: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 003E1490
    • _memmove.LIBCMT ref: 003E34B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memmove
    • String ID: invalid string position$string too long
    • API String ID: 2765667529-4289949731
    • Opcode ID: 07cb7c4c0c5832044677707888f2c94218d6664bfaf35f7c61b99c5055c6ad41
    • Instruction ID: c25bf58771b5d16e92f7d2444292942b3d52e6aee7fe5125cdea4d024a12ee86
    • Opcode Fuzzy Hash: 07cb7c4c0c5832044677707888f2c94218d6664bfaf35f7c61b99c5055c6ad41
    • Instruction Fuzzy Hash: 87410B323002619BD7278E5FE8C896AB7AAEF91710B204B2EE551CB7C1C771DD408BA5
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memset
    • String ID: bad code lengths
    • API String ID: 2102423945-2280806279
    • Opcode ID: 55b8994f5e748210b9fa37313a1c6a291477bcd723f6b5f0159374476ed2b1d6
    • Instruction ID: 225f4e9faf76512b6cbae54b0acd12e25847d286fd249f0a314b70068de15644
    • Opcode Fuzzy Hash: 55b8994f5e748210b9fa37313a1c6a291477bcd723f6b5f0159374476ed2b1d6
    • Instruction Fuzzy Hash: 8951D470E0161A8FDB04CF69D8816AEBBB1FF84304F64807FD455E7341EA34AA46CB91
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID: XE>$string too long
    • API String ID: 4104443479-666960500
    • Opcode ID: a94dcb052b890aa5263384bb3c9dc09d8c21469688839da055ef6ea8160a5211
    • Instruction ID: dccdd9043c66f49a12d001868ada03af1ada9d80066cf376e213461f2a02cf3c
    • Opcode Fuzzy Hash: a94dcb052b890aa5263384bb3c9dc09d8c21469688839da055ef6ea8160a5211
    • Instruction Fuzzy Hash: 9831FA363146658B8735DE9EE88086EF3AAFFC97113214B2EF146C7690D731D85487A4
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _memmove
    • String ID: invalid string position$string too long
    • API String ID: 4104443479-4289949731
    • Opcode ID: 151cce950361eddee8127c9ec56294869500f7b22e6f464d3720d8d7e149cfb2
    • Instruction ID: 94061ba3387ba0e00dd430a353952ccf5f62d2e4a185695664a9c1d74e3f4c94
    • Opcode Fuzzy Hash: 151cce950361eddee8127c9ec56294869500f7b22e6f464d3720d8d7e149cfb2
    • Instruction Fuzzy Hash: BF31C7323047A18BD7269E5DE840B5AF7A6FBD1761F10072FE5558B2C1D7B29C80C7A1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-3916222277
    • Opcode ID: f3420e2f1d5bb1899088771efcb73df93100ebe75a093c96af73dd2514f73d69
    • Instruction ID: 319d6902c210838d6ed2c2442b2f308d2b0206a57f9a9f1bf413886cf3a5d294
    • Opcode Fuzzy Hash: f3420e2f1d5bb1899088771efcb73df93100ebe75a093c96af73dd2514f73d69
    • Instruction Fuzzy Hash: EB413770D0429DAFDB11DFA9D848BDEBFB5FF49304F204269E805AB281D7B56944CB90
    APIs
    • CloseHandle.KERNEL32(00000000), ref: 004B179B
    • SetEvent.KERNEL32(?,?,00000000), ref: 004B17A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: CloseEventHandle
    • String ID: D,]
    • API String ID: 827626419-2755246825
    • Opcode ID: 8ccdc8c3851fa69468221a2719961149772e95f5de431d5bde59be0dc2de24c7
    • Instruction ID: 6fa0e8f5ab854f61bc1ad92da4e3a3d6d4d5b6912d0bdd0389ef6cabbb6865bb
    • Opcode Fuzzy Hash: 8ccdc8c3851fa69468221a2719961149772e95f5de431d5bde59be0dc2de24c7
    • Instruction Fuzzy Hash: 6741CF759006069FDB15CF68C854B9BBBF4FB06328F54426AE805A7361DB38E902CBE4
    APIs
    • __CxxThrowException@8.LIBCMT ref: 005618A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Exception@8Throw
    • String ID: D,]$D,]
    • API String ID: 2005118841-3924630449
    • Opcode ID: b1a35afaf74884c89214f2b125124b3354474c479b48b15409b2b4ec6610beac
    • Instruction ID: 97c968914af9af8a4772b26c0ef17caaf104c5dd2f8ce6cb593cdf6f1d07520e
    • Opcode Fuzzy Hash: b1a35afaf74884c89214f2b125124b3354474c479b48b15409b2b4ec6610beac
    • Instruction Fuzzy Hash: 63318E75908781DFC321DF28D880A1BBBE5FB96724F10492DF44687322DB34E841CB62
    APIs
      • Part of subcall function 003E1400: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 003E1490
    • _memset.LIBCMT ref: 003E66D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_memset
    • String ID: invalid string position$string too long
    • API String ID: 72078329-4289949731
    • Opcode ID: e78d33da6d59d7cf441c2834f795f7464f3cbf392efb7b8d41dcb7270873256d
    • Instruction ID: 1e900ed80608dde8cffb6a5742666a12959409d0c01ca20acfc251374d5aa140
    • Opcode Fuzzy Hash: e78d33da6d59d7cf441c2834f795f7464f3cbf392efb7b8d41dcb7270873256d
    • Instruction Fuzzy Hash: 8621DA323206A08BC7235E1D940156AFBA9DBF27A0F150A5FE5D18B3D2C7719845C7B1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: read past buffer$zlib corrupt
    • API String ID: 4104443479-1132150665
    • Opcode ID: 288a28fe77c87f9cbcde0971b45d274964512cbf7d4090a21dd3364e687d10ad
    • Instruction ID: 9be560661b4df8624e5ce60249104a95c16aa302dc082602ff7fab122ba0a161
    • Opcode Fuzzy Hash: 288a28fe77c87f9cbcde0971b45d274964512cbf7d4090a21dd3364e687d10ad
    • Instruction Fuzzy Hash: F931F731E00A219FC7348E26E85197BBBE1FFA1314365882FE4DA8B601D638E846CB55
    APIs
      • Part of subcall function 003E4460: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,9C3DCF4C), ref: 003E44D4
      • Part of subcall function 003E4460: _memset.LIBCMT ref: 003E4509
      • Part of subcall function 003E4460: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 003E4526
    • WinHttpAddRequestHeaders.WINHTTP(?,?,?,A0000000,`auo,9C3DCF4C,6F756160,?,00000000), ref: 003E8018
    • WinHttpSendRequest.WINHTTP(?,?,000000FF,?,?,?,00000000,?,00000000), ref: 003E804C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ByteCharHttpMultiRequestWide$HeadersSend_memset
    • String ID: `auo
    • API String ID: 4174494511-3694295154
    • Opcode ID: 8141349b333469376ea77ddc93f0bb2c54059eb9f3d954c842c8086bcc260323
    • Instruction ID: 5a8df0d1f0335ef8e6d094ee0e176f802cac369cb1e7aee9d3b7c380727963d0
    • Opcode Fuzzy Hash: 8141349b333469376ea77ddc93f0bb2c54059eb9f3d954c842c8086bcc260323
    • Instruction Fuzzy Hash: EF21FD71D04159EFCF15DF55DC45BAEBBB8FB09324F104229E416A22D0DB31AE09CBA0
    APIs
    • WSASetLastError.WS2_32(00000000,?,?), ref: 004AA8FA
    • WSARecv.WS2_32(?,?,00000000,00000200,?,00000000,00000000), ref: 004AA926
      • Part of subcall function 00464BA0: WSAGetLastError.WS2_32(?,004AA932,00000000), ref: 00464BD5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: ErrorLast$Recv
    • String ID: D,]
    • API String ID: 3000205240-2755246825
    • Opcode ID: e1d65e60ab23c34918def95fc57dcd3f7d1db5337406fa22286584f955c98eab
    • Instruction ID: 024d8eb2f8732171fa1c35af81f7031dca370dae0be47efdb07f0387e5dbbcf6
    • Opcode Fuzzy Hash: e1d65e60ab23c34918def95fc57dcd3f7d1db5337406fa22286584f955c98eab
    • Instruction Fuzzy Hash: 5621F6B1500205ABDB10DF94D884B6FBBB8FB5A320F20056AF90567791C7789D60CB96
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: invalid string position$string too long
    • API String ID: 4104443479-4289949731
    • Opcode ID: f11ee1d65870f89e80584310444473fee1d6af0409b64ab1cfef5c7b0b14f000
    • Instruction ID: c9e15d4a24fe0f03931a2b73b964ec384d3d9169cba48bc591c42abcf053d0f9
    • Opcode Fuzzy Hash: f11ee1d65870f89e80584310444473fee1d6af0409b64ab1cfef5c7b0b14f000
    • Instruction Fuzzy Hash: CC21F0713042549BD7349E5CD884E9BBBAAEBC5710B200A2FE251DB7C2CB74E84187A4
    APIs
    • MonitorFromWindow.USER32(00000000,00000002), ref: 004118D1
    • GetMonitorInfoW.USER32(00000000), ref: 004118D8
      • Part of subcall function 00408841: OffsetRect.USER32(?,?,?), ref: 0040884B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: Monitor$FromInfoOffsetRectWindow
    • String ID: (
    • API String ID: 1360704185-3887548279
    • Opcode ID: 4f1d87f67992d98cec097e3ef0cfaf54cae5245a7ffd6db6d1e3727aeeee3bfc
    • Instruction ID: 7a4d2955f4fdd0e5588181c77f416bcbc9c2cdc9e118ac7b5956004988e1bde5
    • Opcode Fuzzy Hash: 4f1d87f67992d98cec097e3ef0cfaf54cae5245a7ffd6db6d1e3727aeeee3bfc
    • Instruction Fuzzy Hash: FD31B971E002099FCF04DFA5D9859EEBBF8FF08304F10456AE905E7291EB74AA05CB65
    APIs
    • _memset.LIBCMT ref: 004B5B04
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,9C3DCF4C,00000000), ref: 004B5B1A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: FileModuleName_memset
    • String ID: HK
    • API String ID: 158409099-1033881993
    • Opcode ID: 437131370f15d7a448205d100e319d896ab23bea3468769292b67d7992fd9bab
    • Instruction ID: 257bc269dbb3e6678023a03f381985097a94641c3e1fe6b0c45a782f924cd6a9
    • Opcode Fuzzy Hash: 437131370f15d7a448205d100e319d896ab23bea3468769292b67d7992fd9bab
    • Instruction Fuzzy Hash: 7B21D6B0D442589FDB14DF64DC49BEAB7B8FF04714F00069EE40997281EB756A84CBE1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID:
    • String ID: .\crypto\err\err.c$Operation not permitted
    • API String ID: 0-803583318
    • Opcode ID: f6c911af79c431c232b3c47dd22e4c99eb06fc2dc9872a0740156a6e334b9341
    • Instruction ID: 51f21122b8342d97707a6a25357964b01278249cd9ab05259843a289c529ed67
    • Opcode Fuzzy Hash: f6c911af79c431c232b3c47dd22e4c99eb06fc2dc9872a0740156a6e334b9341
    • Instruction Fuzzy Hash: 61118475FC034166FB30261A6C47F6A6942A751B1EF04006BFB08393C2E2FA15858656
    APIs
    • GetWindowLongW.USER32(00000000), ref: 0041B304
    • SendMessageW.USER32(00000000), ref: 0041B338
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: LongMessageSendWindow
    • String ID: textchanged
    • API String ID: 3360111000-1330398090
    • Opcode ID: 73d3eb105b412cdee8ffb23c90db84f577ca82ee0d96e9d1c51e8250b6302a46
    • Instruction ID: ea42798ffaf0ccce7b4bd3396943cc891d0ff0d6d9724ff8ff73a9e4ea9d9b8f
    • Opcode Fuzzy Hash: 73d3eb105b412cdee8ffb23c90db84f577ca82ee0d96e9d1c51e8250b6302a46
    • Instruction Fuzzy Hash: F211D671B002109FDB14AB69C88CAAE7BD9EB89310F104266F41DCB3D0DB7DDC85CA55
    APIs
    • GetFileAttributesExW.KERNEL32(?,00000000,9C3DCF4C,9C3DCF4C,?,?,?,?,0048E7DA,9C3DCF4C,00000000,9C3DCF4C,00444F63,?), ref: 0056194C
    • GetLastError.KERNEL32(?,?,?,0048E7DA,9C3DCF4C,00000000,9C3DCF4C,00444F63,?), ref: 00561956
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: AttributesErrorFileLast
    • String ID: boost::filesystem::file_size
    • API String ID: 1799206407-1937220381
    • Opcode ID: 5a38d8f0b26d8796e426f28e2b4ad9d1e0ea99f42eacc01a3b00490ad666b8b0
    • Instruction ID: 6df42a057efff5a4452d8fadca2c050e0eb0e95d6e90586ca14ff9a507db5abb
    • Opcode Fuzzy Hash: 5a38d8f0b26d8796e426f28e2b4ad9d1e0ea99f42eacc01a3b00490ad666b8b0
    • Instruction Fuzzy Hash: 4D1123326146005BD6149B29DD0AB7B7BE8FFC9764F880B48F489D71C2E234D940C696
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: CountFocusTick
    • String ID: killfocus
    • API String ID: 3897604831-1616503811
    • Opcode ID: b1f855868c1e1dd2d9ded4a87ae10ceb7a647148a2e0b246ea242322cfeb439d
    • Instruction ID: 76627700c2f281e19c31d41628e0e0e5985e8a520e1896d3176ae347444f4562
    • Opcode Fuzzy Hash: b1f855868c1e1dd2d9ded4a87ae10ceb7a647148a2e0b246ea242322cfeb439d
    • Instruction Fuzzy Hash: 8A213D70A003449FDB50DBB5C884FEABBF4EF48300F10886EE95AA6251D6756948CB60
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: _memmove
    • String ID: Accept-Language
    • API String ID: 4104443479-1830189671
    • Opcode ID: 815fdc8dfa630eba36eb391c0c7980ebe8492db55f8e9be4b3f40a82d784e658
    • Instruction ID: 82cc7238aed70ec22b43256a54bfb601c2ef437404a49389909cf07e73fdfb4c
    • Opcode Fuzzy Hash: 815fdc8dfa630eba36eb391c0c7980ebe8492db55f8e9be4b3f40a82d784e658
    • Instruction Fuzzy Hash: 4721D5B1504B529FD7319F29E444B12BBF8FF15304F500A59E4868BB82D3B5F558CBA2
    APIs
    • GetWindowTextLengthW.USER32(?), ref: 0041328F
    • GetWindowTextW.USER32(?,?,00000001), ref: 004132AB
      • Part of subcall function 0040D871: __EH_prolog3_GS.LIBCMT ref: 0040D87B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: TextWindow$H_prolog3_Length
    • String ID: textchanged
    • API String ID: 1690947965-1330398090
    • Opcode ID: 582cbc3334aea22c9a4cb4122ac40510707a31c219812d4468cda8ee3ff6142e
    • Instruction ID: ff1aafc69ea73e3fab7baac2c4beacc8848a55bcb6948ac0f2c1eeed24448ed2
    • Opcode Fuzzy Hash: 582cbc3334aea22c9a4cb4122ac40510707a31c219812d4468cda8ee3ff6142e
    • Instruction Fuzzy Hash: 89114970600205AFD724EF69D85AEBB77E9FF49309B00096EB842976A1CB75AD08DB50
    APIs
    • _memset.LIBCMT ref: 003E7C47
    • WinHttpQueryHeaders.WINHTTP(?,00000005,00000000,?,00000030,00000000,?,6F756160), ref: 003E7C67
      • Part of subcall function 0057BF87: wcstoxl.LIBCMT ref: 0057BF95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: HeadersHttpQuery_memsetwcstoxl
    • String ID: 0
    • API String ID: 1248688156-4108050209
    • Opcode ID: 25b9d81ceef64e9e4b8571c171195713a6fc9f4fd096024e52cebfb29fc06643
    • Instruction ID: 617bfdc332460d0656bc3e0cc4013a1c967b61cd8e499487cfc0b7d11cba812c
    • Opcode Fuzzy Hash: 25b9d81ceef64e9e4b8571c171195713a6fc9f4fd096024e52cebfb29fc06643
    • Instruction Fuzzy Hash: D2115172A4120CAADB10DFA4FC45BEEB7BCEF59310F500126F905D7280EA319A18DB65
    APIs
      • Part of subcall function 00563344: __EH_prolog3.LIBCMT ref: 0056334B
      • Part of subcall function 00563344: std::_Cnd_initX.LIBCPMT ref: 0056335C
      • Part of subcall function 00563344: std::_Cnd_waitX.LIBCPMT ref: 00563372
      • Part of subcall function 00563344: std::_Cnd_initX.LIBCPMT ref: 00563387
    • std::_Pad::_Launch.LIBCPMT ref: 00450E95
      • Part of subcall function 0056343C: std::_Thrd_startX.LIBCPMT ref: 0056344B
      • Part of subcall function 0056343C: std::_Cnd_waitX.LIBCPMT ref: 00563463
    • std::_Pad::~_Pad.LIBCPMT ref: 00450ED6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Similarity
    • API ID: std::_$Cnd_initCnd_wait$H_prolog3LaunchPad::_Pad::~_Thrd_start
    • String ID: J]
    • API String ID: 419895720-3628078388
    • Opcode ID: e8c9a4934d02d1578d2ab7f990b0641fc8aaa67f0fa40b2fa9dcfe3680a70bdd
    • Instruction ID: c4c092fa23429eb0a32b2482c5d0ffd4c7ec04a83a5cfa57eac7c9e03de1c992
    • Opcode Fuzzy Hash: e8c9a4934d02d1578d2ab7f990b0641fc8aaa67f0fa40b2fa9dcfe3680a70bdd
    • Instruction Fuzzy Hash: CD213A35A001099FCB10CF68C544B9EBBF4FB49728F20855AE819A7391DB35AA09CF94
    APIs
    • _memset.LIBCMT ref: 003E7CE0
    • WinHttpQueryHeaders.WINHTTP(?,00000013,00000000,?,00000030,00000000,?,?,6F756160), ref: 003E7D00
      • Part of subcall function 0057BF87: wcstoxl.LIBCMT ref: 0057BF95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: HeadersHttpQuery_memsetwcstoxl
    • String ID: 0
    • API String ID: 1248688156-4108050209
    • Opcode ID: c3f14c3475529a27be4c21f5a98801d47bf2689b626d1c9bb3f05a0c8141bf14
    • Instruction ID: 5a6e7fb19a158c64d128e28defd348e430ee90dac260643304c3d065dd30d8f7
    • Opcode Fuzzy Hash: c3f14c3475529a27be4c21f5a98801d47bf2689b626d1c9bb3f05a0c8141bf14
    • Instruction Fuzzy Hash: 3F014471D4120CBBDB10DFA0FD46BDE77BDEF48700F504166B905E6181EA60AA049755
    APIs
      • Part of subcall function 0058C111: __getptd_noexit.LIBCMT ref: 0058C112
    • __lock.LIBCMT ref: 0058D4D3
    • _free.LIBCMT ref: 0058D500
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: __getptd_noexit__lock_free
    • String ID: Pld
    • API String ID: 1533244847-275412552
    • Opcode ID: 511e3a3289a3abd83fe34a5c94fb1774491ef497a64a1ef611b4df4122ad5077
    • Instruction ID: 9ac9b856feab886f99db78d64909d7c4a19957ff4befe2d32f7c60df203338d1
    • Opcode Fuzzy Hash: 511e3a3289a3abd83fe34a5c94fb1774491ef497a64a1ef611b4df4122ad5077
    • Instruction Fuzzy Hash: B1118B36E01726DBCB21BF68980562DBBF0BB45B20B15021AEC65B32D1DBB46D41CFE1
    APIs
    • _memset.LIBCMT ref: 003E65A0
    • HttpQueryInfoW.WININET(?,00000013,?,00000030,00000000), ref: 003E65BE
      • Part of subcall function 0057BF87: wcstoxl.LIBCMT ref: 0057BF95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: HttpInfoQuery_memsetwcstoxl
    • String ID: 0
    • API String ID: 1235691586-4108050209
    • Opcode ID: 047f4220c0fe76a18ded2a2331b4d0158b002f2859a5c5fa1e462e72f9db4de1
    • Instruction ID: 8d521849ebd862c251a49b475d63ddec16557fe7d3abdc717ebce51bd692dd91
    • Opcode Fuzzy Hash: 047f4220c0fe76a18ded2a2331b4d0158b002f2859a5c5fa1e462e72f9db4de1
    • Instruction Fuzzy Hash: 08017571E0120CBBDB10EFA0FD4ABDEB7BDEF48700F00416AB909E7181EA715A049755
    APIs
    • DeleteFileW.KERNEL32(00000000,?,imyfone-download.exe,9C3DCF4C), ref: 003FE35D
    • DeleteFileW.KERNEL32(00000000), ref: 003FE36F
      • Part of subcall function 00407FE0: _free.LIBCMT ref: 00407FE9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: DeleteFile$_free
    • String ID: imyfone-download.exe
    • API String ID: 2748082872-1821990683
    • Opcode ID: 4da91974016e68303d5932e399d353fe9ab5245ee69595de59c4a2ba9496ff96
    • Instruction ID: f2c4e3dd4fb79ddc557856e8a3dd841b49c35846eb93920e4c3ff3c11356ff7a
    • Opcode Fuzzy Hash: 4da91974016e68303d5932e399d353fe9ab5245ee69595de59c4a2ba9496ff96
    • Instruction Fuzzy Hash: 78018071904649AFCB14EF71CE46F9EB7B8FB04714F00466EA41A632C2DF386605CB59
    APIs
    • WinHttpOpen.WINHTTP ref: 003E7075
    • WinHttpSetTimeouts.WINHTTP(00000000,00000000,?,?,?), ref: 003E709C
    Strings
    • Microsoft Internet Explorer, xrefs: 003E7066
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Http$OpenTimeouts
    • String ID: Microsoft Internet Explorer
    • API String ID: 3926271993-3125735337
    • Opcode ID: 28545503509736acbbbc2fe55a3ec575d3fc5972c12bb529dc5d61be5c6ea403
    • Instruction ID: f39b33e85f1fce1a916584d11ebf9cc4f05086568c64ba7253fb11228b46da51
    • Opcode Fuzzy Hash: 28545503509736acbbbc2fe55a3ec575d3fc5972c12bb529dc5d61be5c6ea403
    • Instruction Fuzzy Hash: A001D671600B119FE7318F65D819B83BBF1BF19704F108A0DF2D69AAD0DBB5A5499F80
    APIs
    • std::exception::exception.LIBCMT ref: 004644D4
      • Part of subcall function 0057A0E2: std::exception::operator=.LIBCMT ref: 0057A0F9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: std::exception::exceptionstd::exception::operator=
    • String ID: @E]$R G
    • API String ID: 1598257956-2066024580
    • Opcode ID: 0f0e9127f3ebc5b682afb2fb19411b55f53d7b540328a0056460216480a6db14
    • Instruction ID: 5c091d9872448e5e5a22da249b59e6326e538a097127ca81dd2aa7e7ca655bec
    • Opcode Fuzzy Hash: 0f0e9127f3ebc5b682afb2fb19411b55f53d7b540328a0056460216480a6db14
    • Instruction Fuzzy Hash: DDE0A5B01017149BDB309F09E408756BFE8FB05724F108A4EE8990B780D3B5AA488FD1
    APIs
    • std::exception::exception.LIBCMT ref: 00562796
      • Part of subcall function 0057A0A2: std::exception::_Copy_str.LIBCMT ref: 0057A0BB
    • __CxxThrowException@8.LIBCMT ref: 005627AB
      • Part of subcall function 00577DD3: RaiseException.KERNEL32(?,?,4'V,?,?,?,?,?,?,?,00562734,?,00637740,?), ref: 00577E28
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3293016502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3c0000_mirrorto_setup.jbxd
    Similarity
    • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
    • String ID: `y\
    • API String ID: 757275642-733400402
    • Opcode ID: 039d87c96383d0b96ae008242c479cf8707c69d4bcca71293af3f7ecdcb539c6
    • Instruction ID: e29409c25f6bedefa0823cc0b730d979177429ba5865d88d1d8d713d0809c60f
    • Opcode Fuzzy Hash: 039d87c96383d0b96ae008242c479cf8707c69d4bcca71293af3f7ecdcb539c6
    • Instruction Fuzzy Hash: 60D01274C0020DBB8B00EFA4D449CCD7BB8AE48300B00C426B81467201D6B4A7088F85